Oracle Quarterly Critical Patch Update Issued July 19, 2016

ITS Advisory Number: 2016-121
Date(s) Issued: Wednesday, July 20, 2016
Subject: Oracle Quarterly Critical Patch Update Issued July 19, 2016
Overview: 

Multiple vulnerabilities have been discovered in Oracle products, which could allow an attacker to take complete control of an affected system. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with that user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

Systems Affected: 
  • Application Express, version(s) prior to 5.0.4
  • Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
  • Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7
  • Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
  • Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0
  • Oracle Exalogic Infrastructure, version(s) 1.x, 2.x
  • Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0
  • Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
  • Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0
  • Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
  • Oracle Portal, version(s) 11.1.1.6
  • Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0, 12.2.1.1
  • Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0
  • Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0
  • Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
  • Hyperion Financial Reporting, version(s) 11.1.2.4
  • Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0
  • Enterprise Manager for Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9
  • Enterprise Manager Ops Center, version(s) 12.1.4, 12.2.2, 12.3.2
  • Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
  • Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
  • Oracle Agile PLM, version(s) 9.3.4, 9.3.5
  • Oracle Demand Planning, version(s) 12.1, 12.2
  • Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
  • PeopleSoft Enterprise FSCM, version(s) 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55
  • JD Edwards EnterpriseOne Tools, version(s) 9.2.0.5
  • Oracle Knowledge, version(s) 8.5.x
  • Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016
  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10
  • Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3
  • Oracle Communications Core Session Manager, version(s) 7.2.5, 7.3.5
  • Oracle Communications EAGLE Application Processor, version(s) 16.0
  • Oracle Communications Messaging Server, version(s) 6.3, 7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0
  • Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
  • Oracle Communications Operations Monitor, version(s) prior to 3.3.92.0.0
  • Oracle Communications Policy Management, version(s) prior to 9.9.2
  • Oracle Communications Session Border Controller, version(s) 7.2.0, 7.3.0
  • Oracle Communications Unified Session Manager, version(s) 7.2.5, 7.3.5
  • Oracle Enterprise Communications Broker, version(s) Prior to PCz 2.0.0m4p1
  • Oracle Banking Platform, version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0
  • Oracle Financial Services Lending and Leasing, version(s) 14.1, 14.2
  • Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3
  • Oracle Health Sciences Clinical Development Center, version(s) 3.1.1.x, 3.1.2.x
  • Oracle Health Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0
  • Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0
  • Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0, 4.0.1
  • Oracle Documaker, version(s) prior to 12.5
  • Oracle Insurance Calculation Engine, version(s) 9.7.1, 10.1.2, 10.2.2
  • Oracle Insurance Policy Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
  • Oracle Insurance Rules Palette, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
  • MICROS Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
  • Oracle Retail Central, Back Office, Returns Management, version(s) 12.0, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2, 15.0
  • Oracle Retail Service Backbone, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Store Inventory Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1
  • Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
  • Oracle Utilities Network Management System, version(s) 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12, 1.12.0.3.5
  • Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.8
  • Oracle In-Memory Policy Analytics, version(s) 12.0.1
  • Oracle Policy Automation, version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
  • Oracle Policy Automation Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
  • Oracle Policy Automation for Mobile Devices, version(s) 12.1.1
  • Primavera Contract Management, version(s) 14.2
  • Primavera P6 Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2, 16.1
  • Oracle Java SE, version(s) 6u115, 7u101, 8u92
  • Oracle Java SE Embedded, version(s) 8u91
  • Oracle JRockit, version(s) R28.3.10
  • 40G 10G 72/64 Ethernet Switch, version(s) 2.0.0
  • Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2320
  • ILOM, version(s) 3.0, 3.1, 3.2
  • Oracle Switch ES1-24, version(s) 1.3
  • Solaris, version(s) 10, 11.3
  • Solaris Cluster, version(s) 3.3, 4.3
  • SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP 1121
  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) 1.2
  • Sun Data Center InfiniBand Switch 36, version(s) prior to 2.2.2
  • Sun Network 10GE Switch 72p, version(s) 1.2
  • Sun Network QDR InfiniBand Gateway Switch, version(s) prior to 2.2.2
  • Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2
  • Oracle VM VirtualBox, version(s) prior to 5.0.26
  • MySQL Server, version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior
RISK
GOVERNMENT
Large and medium government entities: High
Small government entities: High
BUSINESS
Large and medium business entities: High
Small business entities: High
Home Users: Low
Actions: 
  • After appropriate testing, apply the patches provided by Oracle to vulnerable systems.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Run all software with the minimum privileges necessary to diminish the effects of a successful attack.

  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.

References:

Oracle:
http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html