MS-ISAC CYBERSECURITY ADVISORIES

MS-ISAC ADVISORY NUMBER:
2016-159

DATE(S) ISSUED:
10/19/2016

SUBJECT:
Oracle Quarterly Critical Patch Update Issued October 18, 2016

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, the most severe of which could allow an attacker to take complete control of an affected system. Successful exploitation of the most severe of these vulnerabilities could result in an attacker gaining the same privileges as the logged-on user. Depending on the privileges associated with that user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

SYSTEMS AFFECTED:

· Application Express, version(s) prior to 5.0.4.0.7

· Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2

· Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0

· Big Data Graph, version(s) prior to 1.2

· NetBeans, version(s) 8.1

· Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0

· Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0

· Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0

· Oracle Data Integrator, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

· Oracle Discoverer, version(s) 11.1.1.7.0

· Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1

· Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2

· Oracle Identity Manager, version(s) -

· Oracle iPlanet Web Proxy Server, version(s) 4.0

· Oracle iPlanet Web Server, version(s) 7.0

· Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3

· Oracle Platform Security for Java, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0

· Oracle Web Services, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0

· Oracle WebCenter Sites, version(s) 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0

· Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1

· Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2

· Enterprise Manager Base Platform, version(s) 12.1.0.5

· Oracle Application Testing Suite, version(s) 12.5.0.1, 12.5.0.2, 12.5.0.3

· Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6

· Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5

· Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0

· Oracle Agile PLM, version(s) 9.3.4, 9.3.5

· Oracle Agile Product Lifecycle Management for Process, version(s) 6.1.0.4, 6.1.1.6, 6.2.0.0

· Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7

· PeopleSoft Enterprise HCM, version(s) 9.2

· PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55

· PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2

· JD Edwards EnterpriseOne Tools, version(s) 9.1

· JD Edwards World Security, version(s) A9.4

· Siebel Applications, version(s) 7.1, 16.1

· Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2

· Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 6.5.3, 11.0, 11.1, 11.2

· Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.1

· Oracle Commerce Service Center, version(s) 10.0.3.5, 10.2.0.5

· Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9

· Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior

· Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier

· Oracle Enterprise Session Border Controller, version(s) Ecz7.3m2p2 and earlier

· Oracle Banking Digital Experience, version(s) 15.1

· Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3

· Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0

· Oracle FLEXCUBE Core Banking, version(s) 11.5.0.0.0, 11.6.0.0.0

· Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0

· Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1

· Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0

· Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2

· Oracle Life Sciences Data Hub, version(s) 2.x

· Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0

· Oracle Insurance IStream, version(s) 4.3.2

· MICROS XBR, version(s) 7.0.2, 7.0.4

· Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

· Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

· Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0

· Oracle Retail Customer Insights, version(s) 15.0

· Oracle Retail Merchandising Insights, version(s) 15.0

· Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1

· Oracle Retail Xstore Payment, version(s) 1.x

· Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1

· Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x

· Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x

· Oracle Java SE, version(s) 6u121, 7u111, 8u102

· Oracle Java SE Embedded, version(s) 8u101

· Solaris, version(s) 10, 11.3

· Solaris Cluster, version(s) 3.3, 4.3

· Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013

· Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8

· Secure Global Desktop, version(s) 4.7, 5.2

· Sun Ray Operating Software, version(s) prior to 11.1.7

· Virtual Desktop Infrastructure, version(s) prior to 3.5.3

· MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior

· MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior
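As an added illustration (not part of the MS-ISAC advisory or Oracle's own tooling), a small checker that reads affected-version expressions written the way this list writes them ("prior to X", "X and prior", "X through Y", or a plain enumeration) and reports whether an installed version falls inside them. The AFFECTED table is a hand-copied subset of the list above, and treating each bound as applying only to its own release branch (so "prior to 5.1.8" says nothing about 5.0.x) is an assumption of this example.

```python
import re

# Affected-version strings copied from this advisory's SYSTEMS AFFECTED list
# (a constructed subset of four products, for illustration).
AFFECTED = {
    "MySQL Server": "5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior",
    "Oracle VM VirtualBox": "prior to 5.0.28, prior to 5.1.8",
    "Oracle Fusion Applications": "11.1.2 through 11.1.9",
    "Oracle WebLogic Server": "10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1",
}

def parse_version(text):
    """'5.7.15' -> (5, 7, 15); tuples of ints compare numerically, not lexically."""
    return tuple(int(p) for p in text.strip().split("."))

def same_branch(installed, bound):
    """Assumption: a bound such as 5.7.15 only speaks for the 5.7.x branch."""
    return installed[:len(bound) - 1] == bound[:-1]

def check(product, installed_text, affected=AFFECTED):
    """Return 'affected', 'fixed' (branch listed, version past the bound)
    or 'unlisted' (no clause covers this branch; verify manually)."""
    installed = parse_version(installed_text)
    branch_seen = False
    for clause in (c.strip() for c in affected[product].split(",")):
        if m := re.fullmatch(r"prior to ([\d.]+)", clause):
            bound = parse_version(m.group(1))          # the fixed version itself is safe
            if same_branch(installed, bound):
                branch_seen = True
                if installed < bound:
                    return "affected"
        elif m := re.fullmatch(r"([\d.]+) and prior", clause):
            bound = parse_version(m.group(1))          # the listed version is still affected
            if same_branch(installed, bound):
                branch_seen = True
                if installed <= bound:
                    return "affected"
        elif m := re.fullmatch(r"([\d.]+) through ([\d.]+)", clause):
            lo, hi = parse_version(m.group(1)), parse_version(m.group(2))
            if lo <= installed <= hi:
                return "affected"
            branch_seen = branch_seen or same_branch(installed, lo)
        elif installed == parse_version(clause):       # plain enumerated version
            return "affected"
    return "fixed" if branch_seen else "unlisted"
```

An "unlisted" result means the advisory's clauses do not cover that release branch at all, which is a prompt to check Oracle's advisory directly rather than a clean bill of health.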

RISK:

Government:

· Large and medium government entities: High

· Small government entities: High

Businesses:

· Large and medium business entities: High

· Small business entities: High

Home users: Low

RECOMMENDATIONS:

We recommend the following actions be taken:

· Apply appropriate patches provided by Oracle to vulnerable systems immediately after appropriate testing.

· Run all software with the minimum privileges necessary to diminish the effects of a successful attack.

· Remind users not to visit untrusted websites or follow links provided by unknown or untrusted sources.

· Inform and educate users regarding the threats posed by hypertext links contained in emails or attachments, especially those from untrusted sources.

REFERENCES:

Oracle:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html