Oracle Quarterly Critical Patches Issued July 16, 2019

ITS Advisory Number: 2019-074 - UPDATED
Date(s) Issued: Wednesday, July 17, 2019
Date Updated: Tuesday, August 20, 2019
Subject: Oracle Quarterly Critical Patches Issued July 16, 2019
Overview:

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

THREAT INTELLIGENCE: - UPDATED - August 19, 2019

Due to ongoing activities reported by trusted sources and out of an abundance of caution, we are updating this advisory to emphasize the importance of applying all updates provided by this Security Alert as soon as possible. The vulnerability specific to CVE-2019-2725 is being actively exploited in the wild. Reports confirm that at least 23 local government agencies were impacted by a ransomware attack linked to a deserialization vulnerability in Oracle WebLogic Server.

THREAT INTELLIGENCE: - CORRECTED - August 20, 2019

Due to ongoing activities reported by trusted sources and out of an abundance of caution, we are updating this advisory to emphasize the importance of applying all updates provided by this Security Alert as soon as possible. The vulnerability specific to CVE-2019-2725 is being actively exploited in the wild.

Systems Affected:
  • Application Express, versions 5.1, 18.2

  • Diagnostic Assistant, versions prior to 2.12.36

  • Enterprise Manager for Fusion Middleware, versions 13.2, 13.3

  • Enterprise Manager for Virtualization, versions 13.1, 13.2, 13.3

  • Enterprise Manager Ops Center, versions 12.3.3, 12.4.0

  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3

  • JD Edwards EnterpriseOne Tools, version 9.2

  • JD Edwards World Security, versions A9.3, A9.3.1, A9.4

  • MICROS Retail XBRi Loss Prevention, versions 10.8.0 - 10.8.3

  • MICROS Retail-J, versions 12.1.0, 12.1.1, 12.1.2, 13.1

  • MySQL Enterprise Monitor, versions 4.0.9 and prior, 8.0.14 and prior

  • MySQL Server, versions 5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior

  • MySQL Workbench, versions 8.0.16 and prior

  • Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1

  • Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6

  • Oracle Application Testing Suite, versions 13.1, 13.2, 13.3

  • Oracle Banking Platform, versions 2.4.0 - 2.7.1

  • Oracle Berkeley DB, versions 12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32

  • Oracle BI Publisher, version 11.1.1.9.0

  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.4.0

  • Oracle Clusterware, version 12.1.0.2.0

  • Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0

  • Oracle Communications Billing and Revenue Management, versions 7.5, 12.0

  • Oracle Communications Converged Application Server, versions 5.1, 7.0, 7.1

  • Oracle Communications Converged Application Server - Service Controller, versions 6.0, 6.1

  • Oracle Communications Convergence, version 3.0.2

  • Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3

  • Oracle Communications EAGLE (Software), versions 46.5, 46.6, 46.7

  • Oracle Communications Instant Messaging Server, version 10.0.1.2.0

  • Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2

  • Oracle Communications Messaging Server, versions 8.0.2, 8.1.0

  • Oracle Communications Online Mediation Controller, version 6.1

  • Oracle Communications Unified, version 8.0.0.2.0

  • Oracle Data Integrator, version 12.2.1.3.0

  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c

  • Oracle Demantra Demand Management, version 7.3.1.5.2

  • Oracle E-Business Suite, versions 12.1.1 - 12.1.3, 12.2.3 - 12.2.8

  • Oracle Endeca Information Discovery Integrator, version 3.2.0

  • Oracle Endeca Server, version 7.7.0

  • Oracle Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0

  • Oracle Enterprise Repository, version 12.1.3.0.0

  • Oracle Financial Services - Regulatory Reporting for Reserve Bank of India - Lombard Risk Integration Pack, version 8.0.7

  • Oracle Financial Services - Regulatory Reporting for US Federal Reserve - Lombard Risk Integration Pack, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 - 7.3.5, 8.0.2 - 8.0.8

  • Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Asset Liability Management, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Data Foundation, versions 8.0.4 - 8.0.8

  • Oracle Financial Services Data Integration Hub, versions 8.0.5 - 8.0.7

  • Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Institutional Performance Analytics, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6

  • Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8

  • Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 - 8.0.7

  • Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6, 8.0.8

  • Oracle Financial Services Price Creation and Discovery, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Profitability Management, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6, 8.0.7

  • Oracle Financial Services Regulatory Reporting for European Banking Authority - Integration Pack for Lombard Risk, versions 8.0.6, 8.0.7

  • Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.4 - 8.0.7

  • Oracle Financial Services Retail Customer Analytics, versions 8.0.4 - 8.0.6

  • Oracle Financial Services Revenue Management and Billing, versions 2.4.0.0, 2.4.0.1

  • Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.6.0, 11.7.0, 11.8.0

  • Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.0, 12.1

  • Oracle FLEXCUBE Investor Servicing, versions 12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0

  • Oracle FLEXCUBE Private Banking, versions 12.0.1, 12.0.3, 12.1.0

  • Oracle FLEXCUBE Universal Banking, versions 12.0.1 - 12.0.3, 12.1.0 - 12.4.0, 14.0.0 - 14.2.0

  • Oracle Global Lifecycle Management OPatchAuto, versions prior to 12.2.0.1.14

  • Oracle GraalVM Enterprise Edition, version 19.0.0

  • Oracle Hospitality Gift and Loyalty, versions 9.0.0, 9.1.0

  • Oracle Hospitality Guest Access, versions 4.2, 4.2.1

  • Oracle Hospitality Simphony, version 18.2.1

  • Oracle Hospitality Suite8, versions 8.9.6, 8.10.2, 8.11 - 8.14

  • Oracle HTTP Server, versions 12.1.3.0.0, 12.2.1.3.0

  • Oracle Hyperion Planning, version 11.1.2.4

  • Oracle Hyperion Workspace, version 11.1.2.4

  • Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0

  • Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.0.8

  • Oracle Insurance Calculation Engine, versions 9.7, 10.0, 10.1, 10.2

  • Oracle Insurance Data Foundation, versions 8.0.4 - 8.0.7

  • Oracle Insurance IFRS 17 Analyzer, versions 8.0.6, 8.0.7

  • Oracle Insurance Performance Insight, version 8.0.7

  • Oracle Insurance Policy Administration J2EE, versions 10.0, 10.1, 10.2, 11.0

  • Oracle Insurance Rules Palette, versions 10.0, 10.1, 10.2, 11.0

  • Oracle Java SE, versions 7u221, 8u212, 11.0.3, 12.0.1

  • Oracle Java SE Embedded, version 8u211

  • Oracle Outside In Technology, version 8.5.4

  • Oracle Retail Advanced Inventory Planning, version 15.0

  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0

  • Oracle Retail Financial Integration, versions 14.0, 14.1, 15.0, 16.0

  • Oracle Retail Integration Bus, versions 15.0, 16.0

  • Oracle Retail Order Broker, versions 5.2, 15.0

  • Oracle Retail Order Management System, version 5.0

  • Oracle Retail Predictive Application Server, versions 14.0.3.26, 14.1.3.37, 15.0.3.100, 16.0

  • Oracle Retail Service Backbone, version 16.0.1

  • Oracle Retail Xstore Office, versions 7.0, 7.1

  • Oracle Retail Xstore Point of Service, versions 7.0, 7.1, 15.0, 16.0, 17.0, 18.0

  • Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0

  • Oracle SOA Suite, version 12.2.1.3.0

  • Oracle Solaris, versions 10, 11.3, 11.4

  • Oracle Transportation Management, version 6.3.7

  • Oracle Utilities Advanced Spatial and Operational Analytics, version 2.7.0.1

  • Oracle Utilities Framework, versions 4.3.0.2.0 - 4.3.0.6.0, 4.4.0.0.0

  • Oracle VM VirtualBox, versions prior to 5.2.32, prior to 6.0.10

  • Oracle WebCenter Sites, version 12.2.1.3.0

  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0

  • PeopleSoft Enterprise FIN Project Costing, version 9.2

  • PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57

  • PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57

  • Primavera Analytics, version 18.8

  • Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8

  • Primavera Unifier, versions 16.1, 16.2, 17.7 - 17.12, 18.8

  • Services Tools Bundle, version 19.2

  • Siebel Applications, versions 19.0 and prior

  • StorageTek Tape Analytics SW Tool, version 2.3.0

  • Sun ZFS Storage Appliance Kit (AK), version 8.8.3

  • System Utilities, version 19.1

  • Tape Virtual Storage Manager GUI, version 6.2

NOTE: UPDATED - August 19, 2019

Since the release of the April 2019 Critical Patch Update, Oracle has released two Security Alerts for Oracle WebLogic Server: CVE-2019-2725 (April 29, 2019) and CVE-2019-2729 (June 18, 2019). WebLogic Server customers are strongly advised to apply the fixes contained in this Critical Patch Update, which provides the fixes for the previously released Alerts as well as additional fixes.

RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Description:

Actions:
  • Verify that no unauthorized system modifications have occurred on the system.

  • After appropriate testing, immediately apply patches provided by Oracle to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.

  • Apply the Principle of Least Privilege to all systems and services.
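The "Systems Affected" list above expresses versions in four forms (an exact version, "X and prior", "prior to X", and an inclusive "A - B" range). Identifying which inventory items the "apply patches to vulnerable systems" action applies to means matching installed versions against those forms. The following added example, not part of the advisory, parses a constructed sample of entries copied in that format and answers whether an installed version is listed; reading "and prior" / "prior to" as scoped to the release train named by the first two version components (5.7.26 and prior covers 5.7.x only) is an assumption made here.

```python
import re
# Constructed sample in the exact format of the advisory's "Systems Affected" list.
SYSTEMS_AFFECTED = [
    "Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0",
    "MySQL Server, versions 5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior",
    "Oracle VM VirtualBox, versions prior to 5.2.32, prior to 6.0.10",
    "Oracle Financial Services Data Foundation, versions 8.0.4 - 8.0.8",
    "Oracle Java SE, versions 7u221, 8u212, 11.0.3, 12.0.1",
    "JD Edwards EnterpriseOne Tools, version 9.2",
]

def vtuple(v):
    """'12.2.1.3.0' -> (12,2,1,3,0); '8u212' -> (8,212); letters as in '18c' are dropped."""
    return tuple(int(x) for x in re.findall(r"\d+", v))

def same_branch(a, b):
    # Assumption: 'and prior' / 'prior to' bounds apply within the release train
    # named by the first two components, so 5.7.26 and prior covers 5.7.x only.
    return a[:2] == b[:2]

def token_matcher(tok):
    """Turn one comma-separated version token into a predicate over vtuples."""
    if tok.startswith("prior to "):
        bound = vtuple(tok[len("prior to "):])
        return lambda v: same_branch(v, bound) and v < bound
    if tok.endswith(" and prior"):
        bound = vtuple(tok[: -len(" and prior")])
        return lambda v: same_branch(v, bound) and v <= bound
    if " - " in tok:
        lo, hi = (vtuple(x) for x in tok.split(" - ", 1))
        return lambda v: lo <= v <= hi
    exact = vtuple(tok)
    return lambda v: v == exact

def parse_affected(entries):
    """Map product name -> list of predicates parsed from its version spec."""
    table = {}
    for entry in entries:
        product, spec = re.match(r"(.+?), versions? (.+)$", entry).groups()
        table[product] = [token_matcher(t.strip()) for t in spec.split(",")]
    return table

def is_affected(table, product, installed):
    """True if the installed version of product falls in any listed range."""
    preds = table.get(product)
    if preds is None:
        return False  # product not named in this advisory
    v = vtuple(installed)
    return any(p(v) for p in preds)
```

Feed the full list from the advisory and your asset inventory (product name, installed version) into `parse_affected` and `is_affected` to produce the patch worklist; the MySQL and VirtualBox entries show why the branch-scoped reading matters, since 5.6.45 and 5.2.32 must not be flagged.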