Oracle Quarterly Critical Patches Issued July 18, 2017

ITS Advisory Number: 
2017-068
Date(s) Issued: 
Wednesday, July 19, 2017
Subject: 
Oracle Quarterly Critical Patches Issued July 18, 2017
Overview: 

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

Systems Affected: 
  • Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1

  • Oracle REST Data Services, versions prior to 3.0.10.25.02.36

  • Oracle API Gateway, version 11.1.2.4.0

  • Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0

  • Oracle Data Integrator, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

  • Oracle Endeca Server, versions 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0, 7.7.0.0

  • Oracle Enterprise Data Quality, version 8.1.13.0.0

  • Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0

  • Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2

  • Oracle OpenSSO, versions 3.0.0.7, 3.0.0.8

  • Oracle Outside In Technology, version 8.5.3.0

  • Oracle Secure Enterprise Search, version 11.2.2.2.0

  • Oracle Service Bus, versions 11.1.1.7.0, 11.1.1.9.0

  • Oracle Traffic Director, versions 11.1.1.7.0, 11.1.1.9.0

  • Oracle Tuxedo, version 12.1.1

  • Oracle Tuxedo System and Applications Monitor, versions 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0

  • Oracle WebCenter Content, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.1, 12.2.1.2.1

  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2

  • Hyperion Essbase, version 12.2.1.1

  • Enterprise Manager Base Platform, versions 12.1.0, 13.1.0, 13.2.0

  • Enterprise Manager Ops Center, versions 12.2.2, 12.3.2

  • Oracle Application Testing Suite, versions 12.5.0.2, 12.5.0.3

  • Oracle Business Transaction Management, versions 11.1.x, 12.1.x

  • Oracle Configuration Manager, versions prior to 12.1.2.0.4

  • Application Management Pack for Oracle E-Business Suite, versions AMP 12.1.0.4.0, AMP 13.1.1.1.0

  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

  • Oracle Agile PLM, versions 9.3.5, 9.3.6

  • Oracle Transportation Management, versions 6.1, 6.2, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2

  • PeopleSoft Enterprise FSCM, version 9.2

  • PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55

  • PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.0

  • Siebel Applications, versions 16.0, 17.0

  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 6.1.4, 11.0, 11.1, 11.2

  • Oracle iLearning, version 6.2

  • Oracle Fusion Applications, versions 11.1.2 through 11.1.9

  • Oracle Communications BRM, versions 11.2.0.0.0, 11.3.0.0.0

  • Oracle Communications Convergence, versions 3.0, 3.0.1

  • Oracle Communications EAGLE LNP Application Processor, version 10.0

  • Oracle Communications Network Charging and Control, versions 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0

  • Oracle Communications Policy Management, version 11.5

  • Oracle Communications Session Router, versions ECZ730, SCZ730, SCZ740

  • Oracle Enterprise Communications Broker, version PCZ210

  • Oracle Enterprise Session Border Controller, version ECZ7.3.0

  • Financial Services Behavior Detection Platform, versions 8.0.1, 8.0.2

  • Oracle Banking Platform, versions 2.3, 2.4, 2.4.1, 2.5

  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3

  • Oracle FLEXCUBE Private Banking, versions 2.0.0, 2.0.1, 2.2.0, 12.0.1

  • Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0

  • Hospitality Hotel Mobile, versions 1.01, 1.05, 1.1

  • Hospitality Property Interfaces, version 8.10.x

  • Hospitality Suite8, version 8.10.x

  • Hospitality WebSuite8 Cloud Service, versions 8.9.6, 8.10.x

  • MICROS BellaVita, version 2.7.x

  • MICROS PC Workstation 2015, versions Prior to O1302h

  • MICROS Workstation 650, versions Prior to E1500n

  • Oracle Hospitality 9700, version 4.0

  • Oracle Hospitality Cruise AffairWhere, version 2.2.05.062

  • Oracle Hospitality Cruise Dining Room Management, version 8.0.75

  • Oracle Hospitality Cruise Fleet Management, version 9.0

  • Oracle Hospitality Cruise Materials Management, version 7.30.562

  • Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.0.0

  • Oracle Hospitality e7, version 4.2.1

  • Oracle Hospitality Guest Access, versions 4.2.0.0, 4.2.1.0

  • Oracle Hospitality Inventory Management, versions 8.5.1, 9.0.0

  • Oracle Hospitality Materials Control, version 8.31.4

  • Oracle Hospitality OPERA 5 Property Services, versions 5.4.0.x, 5.4.1.x, 5.4.3.x

  • Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0

  • Oracle Hospitality RES 3700, version 5.5

  • Oracle Hospitality Simphony, versions 2.8, 2.9

  • Oracle Hospitality Simphony First Edition, version 1.7.1

  • Oracle Hospitality Simphony First Edition Venue Management, version 3.9

  • Oracle Hospitality Suites Management, version 3.7

  • Oracle Payment Interface, version 6.1.1

  • Oracle Retail Allocation, versions 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1

  • Oracle Retail Customer Insights, versions 15.0, 16.0

  • Oracle Retail Open Commerce Platform, versions 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1

  • Oracle Retail Warehouse Management System, versions 14.0.4, 14.1.3, 15.0.1

  • Oracle Retail Workforce Management, versions 1.60.7, 1.64.0

  • Oracle Retail Xstore Point of Service, versions 15.0.0, 15.0.1

  • Oracle Policy Automation, versions 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3

  • Primavera Gateway, versions 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2

  • Primavera P6 Enterprise Project Portfolio Management, versions 8.3, 8.4, 15.1, 15.2, 16.1, 16.2

  • Primavera Unifier, versions 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2

  • Java Advanced Management Console, version 2.6

  • Oracle Java SE, versions 6u151, 7u141, 8u131

  • Oracle Java SE Embedded, version 8u131

  • Oracle JRockit, version R28.3.14

  • Solaris, versions 10, 11

  • Solaris Cluster, version 4

  • Sun ZFS Storage Appliance Kit (AK), version AK 2013

  • Oracle VM VirtualBox, versions prior to 5.1.24

  • MySQL Cluster, versions 7.3.5 and prior

  • MySQL Connectors, versions 5.3.7 and prior, 6.1.10 and prior

  • MySQL Enterprise Monitor, versions 3.1.5.7958 and prior, 3.2.5.1141 and prior, 3.2.7.1204 and prior, 3.3.2.1162 and prior, 3.3.3.1199 and prior

  • MySQL Server, versions 5.5.56 and prior, 5.6.36 and prior, 5.7.18 and prior

  • Oracle Explorer, versions prior to 8.16

RISK
GOVERNMENT
Large and medium government entities: 
High
Small government entities: 
High
BUSINESS
Large and medium business entities: 
High
Small business entities: 
High
Home Users: 
Low
Description: 

      

Actions: 
  • After appropriate testing, immediately apply the applicable patches provided by Oracle to the vulnerable system.

  • Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack.

  • Remind users not to visit websites or follow links provided by unknown or untrusted sources.

  • Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments especially from un-trusted sources.

  • Apply the Principle of Least Privilege to all systems and services.