MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-014

DATE(S) ISSUED:
01/19/2016

SUBJECT:
Oracle Quarterly Critical Patches Issued January 19, 2016

OVERVIEW:

Oracle released critical patches as part of its quarterly patch release program. These patches address multiple vulnerabilities, the most severe of which could allow for remote code execution.

 

TECHNICAL SUMMARY:

According to Oracle, the update provides fixes for 248 new security vulnerabilities, affecting the following products:

 

  • Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2

  • Oracle GoldenGate, version(s) 11.2, 12.1.2

  • Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0

  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0

  • Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0

  • Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0, 12.2.1

  • Oracle GlassFish Server, version(s) 3.1.2

  • Oracle Identity Federation, version(s) 11.1.1.7, 11.1.2.2, 11.1.2.3

  • Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2

  • Oracle Tuxedo, version(s) 12.1.1.0

  • Oracle Web Cache, version(s) 11.1.1.7.0, 11.1.1.9.0

  • Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.8.0

  • Oracle WebLogic Portal, version(s) 10.3.6

  • Oracle WebLogic Server, version(s) 10.3.6, 12.1.2, 12.1.3, 12.2.1

  • Enterprise Manager Base Platform, version(s) 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5

  • Enterprise Manager Ops Center, version(s) prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0

  • Oracle Application Testing Suite, version(s) 12.4.0.2, 12.5.0.2

  • Application Mgmt Pack for E-Business Suite, version(s) 12.1, 12.2

  • Oracle E-Business Suite, version(s) 11.5.10.2, 12.1, 12.1.1, 12.1.2, 12.1.3, 12.2, 12.2.3, 12.2.4, 12.2.5

  • Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0

  • Oracle Agile PLM, version(s) 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3

  • Oracle Configurator, version(s) 11.5.10.2, 12.1, 12.2

  • PeopleSoft Enterprise HCM Global Payroll Switzerland, version(s) 9.1, 9.2

  • PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55

  • PeopleSoft Enterprise SCM eProcurement, version(s) 9.1, 9.2

  • PeopleSoft Enterprise SCM Order Management, version(s) 9.1, 9.2

  • PeopleSoft Enterprise SCM Purchasing, version(s) 9.1, 9.2

  • JD Edwards EnterpriseOne Tools, version(s) 9.1, 9.2

  • Oracle iLearning, version(s) 11.2.0

  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10

  • Oracle Communications Converged Application Server - Service Controller, version(s) 6.1

  • Oracle Communications EAGLE LNP Application Processor, version(s) 10.0

  • Oracle Communications Online Mediation Controller, version(s) 6.1

  • Oracle Communications Service Broker, version(s) 6.0, 6.1

  • Oracle Communications Service Broker Engineered System Edition, version(s) 6.0

  • MICROS CWDirect, version(s) 12.5, 13.0, 14.0, 15.0, 16.0, 17.0, 18.0

  • Oracle Retail Open Commerce Platform Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0

  • Oracle Retail Order Broker Cloud Service, version(s) 4.0, 4.1

  • Oracle Retail Order Management System Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0, 15.0

  • Oracle Retail Point-of-Service, version(s) 13.4, 14.0, 14.1

  • Oracle Java SE, version(s) 6u105, 7u91, 8u66

  • Oracle Java SE Embedded, version(s) 8u65

  • Oracle JRockit, version(s) R28.3.8

  • Oracle Switch ES1-24, version(s) prior to 1.3.1.13

  • Solaris, version(s) 10, 11

  • Solaris Cluster, version(s) 3.3, 4, 4.2

  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2.13

  • Sun Network 10GE Switch 72p, version(s) prior to 1.2.2.15

  • Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2

  • Oracle VM VirtualBox, version(s) prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.36, prior to 5.0.14

  • MySQL Server, version(s) 5.5.46 and prior, 5.6.27 and prior, 5.7.9

 

RECOMMENDATIONS:

 

We recommend the following actions be taken:

 

  • Apply the appropriate updates provided by Oracle to vulnerable systems immediately after appropriate testing.

 

REFERENCES:

 

Oracle:

http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html