MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-107

DATE(S) ISSUED:
07/20/2016

SUBJECT:
Oracle Quarterly Critical Patch Update Issued July 19, 2016

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, which could allow an attacker to take complete control of an affected system. Successful exploitation of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

  • Application Express, version(s) prior to 5.0.4
  • Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
  • Oracle Access Manager, version(s) 10.1.4.x, 11.1.1.7
  • Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
  • Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7.0
  • Oracle Exalogic Infrastructure, version(s) 1.x, 2.x
  • Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0
  • Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
  • Oracle HTTP Server, version(s) 11.1.1.9, 12.1.3.0
  • Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
  • Oracle Portal, version(s) 11.1.1.6
  • Oracle TopLink, version(s) 12.1.3.0, 12.2.1.0, 12.2.1.1
  • Oracle WebCenter Sites, version(s) 11.1.1.8, 12.2.1.0
  • Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0
  • Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
  • Hyperion Financial Reporting, version(s) 11.1.2.4
  • Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1.0.0
  • Enterprise Manager for Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9
  • Enterprise Manager Ops Center, version(s) 12.1.4, 12.2.2, 12.3.2
  • Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5
  • Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
  • Oracle Agile PLM, version(s) 9.3.4, 9.3.5
  • Oracle Demand Planning, version(s) 12.1, 12.2
  • Oracle Transportation Management, version(s) 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1
  • PeopleSoft Enterprise FSCM, version(s) 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55
  • JD Edwards EnterpriseOne Tools, version(s) 9.2.0.5
  • Oracle Knowledge, version(s) 8.5.x
  • Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016
  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10
  • Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3
  • Oracle Communications Core Session Manager, version(s) 7.2.5, 7.3.5
  • Oracle Communications EAGLE Application Processor, version(s) 16.0
  • Oracle Communications Messaging Server, version(s) 6.3, 7.0, 8.0, Prior to 7.0.5.37.0 and 8.0.1.1.0
  • Oracle Communications Network Charging and Control, version(s) 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
  • Oracle Communications Operations Monitor, version(s) prior to 3.3.92.0.0
  • Oracle Communications Policy Management, version(s) prior to 9.9.2
  • Oracle Communications Session Border Controller, version(s) 7.2.0, 7.3.0
  • Oracle Communications Unified Session Manager, version(s) 7.2.5, 7.3.5
  • Oracle Enterprise Communications Broker, version(s) Prior to PCz 2.0.0m4p1
  • Oracle Banking Platform, version(s) 2.3.0, 2.4.0, 2.4.1, 2.5.0
  • Oracle Financial Services Lending and Leasing, version(s) 14.1, 14.2
  • Oracle FLEXCUBE Direct Banking, version(s) 12.0.1, 12.0.2, 12.0.3
  • Oracle Health Sciences Clinical Development Center, version(s) 3.1.1.x, 3.1.2.x
  • Oracle Health Sciences Information Manager, version(s) 1.2.8.3, 2.0.2.3, 3.0.1.0
  • Oracle Healthcare Analytics Data Integration, version(s) 3.1.0.0.0
  • Oracle Healthcare Master Person Index, version(s) 2.0.12, 3.0.0, 4.0.1
  • Oracle Documaker, version(s) prior to 12.5
  • Oracle Insurance Calculation Engine, version(s) 9.7.1, 10.1.2, 10.2.2
  • Oracle Insurance Policy Administration J2EE, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
  • Oracle Insurance Rules Palette, version(s) 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
  • MICROS Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
  • Oracle Retail Central, Back Office, Returns Management, version(s) 12.0, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Integration Bus, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2, 15.0
  • Oracle Retail Service Backbone, version(s) 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Store Inventory Management, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1
  • Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
  • Oracle Utilities Network Management System, version(s) 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12, 1.12.0.3.5
  • Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.8
  • Oracle In-Memory Policy Analytics, version(s) 12.0.1
  • Oracle Policy Automation, version(s) 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
  • Oracle Policy Automation Connector for Siebel, version(s) 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
  • Oracle Policy Automation for Mobile Devices, version(s) 12.1.1
  • Primavera Contract Management, version(s) 14.2
  • Primavera P6 Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2, 16.1
  • Oracle Java SE, version(s) 6u115, 7u101, 8u92
  • Oracle Java SE Embedded, version(s) 8u91
  • Oracle JRockit, version(s) R28.3.10
  • 40G 10G 72/64 Ethernet Switch, version(s) 2.0.0
  • Fujitsu M10-1, M10-4, M10-4S Servers, version(s) prior to XCP 2320
  • ILOM, version(s) 3.0, 3.1, 3.2
  • Oracle Switch ES1-24, version(s) 1.3
  • Solaris, version(s) 10, 11.3
  • Solaris Cluster, version(s) 3.3, 4.3
  • SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) prior to XCP 1121
  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) 1.2
  • Sun Data Center InfiniBand Switch 36, version(s) prior to 2.2.2
  • Sun Network 10GE Switch 72p, version(s) 1.2
  • Sun Network QDR InfiniBand Gateway Switch, version(s) prior to 2.2.2
  • Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2
  • Oracle VM VirtualBox, version(s) prior to 5.0.26
  • MySQL Server, version(s) 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior

RISK:

Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software with the minimum privileges necessary to diminish the effects of a successful attack.
  • Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments, especially from untrusted sources.

REFERENCES:

Oracle: http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html