Overview

On October 16, 2018, local time, Oracle released its quarterly security advisory of the Critical Patch Update (CPU) for the third quarter. The CPU fixes 301 vulnerabilities of varying severity levels across the product families. For details about affected products and available patches, see the appendix.

For details, click the following link: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

Vulnerability

Product Number of Vulnerabilities Remote Exploits without Auth. Highest CVSS Score
Oracle Database server 7 6 9.8
Oracle Communications Applications 14 9 9.8
Oracle Constructions and Engineering Suite 10 9 9.8
Oracle E-Business Suite 16 14 8.2
Oracle Enterprise Manager Products Suite 4 3 9.8
Oracle Financial Services Applications 2 2 8.1
Oracle Food and Beverage Applications 4 1 8.1
Oracle Fusion Middleware 65 56 9.8
Oracle Health Sciences Applications 1 1 6.1
Oracle Hospitality Applications 9 2 8.8
Oracle Hyperion 9 6 7.7
Oracle iLearning 1 1 8.2
Oracle Insurance Applications 5 5 9.8
Oracle Java SE 12 11 9.0
Oracle JD Edwards 6 6 9.8
Oracle MySQL 38 3 9.8
Oracle PeopleSoft Products 24 21 7.5
Oracle Retail Applications 31 21 9.8
Oracle Siebel CRM 3 2 9.8
Oracle Sun Systems Products 19 9 9.8
Oracle Supply Chain Products Suite 6 1 8.8
Oracle Support Tools 1 1 6.5
Oracle Virtualization 14 1 9.0

Affected Products and Versions

For details, see the appendix.

CPU

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes.

Solution

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Appendix

The following table lists affected products (and their versions) and related patches.

Affected Products and Versions Patch Availability Document
Application Management Pack for Oracle E-Business Suite, versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 E-Business Suite
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2 Enterprise Manager
Enterprise Manager for MySQL Database, version 13.2 Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 Enterprise Manager
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions Prior to XCP2352 and Prior to XCP3050 Systems
Hyperion BI+, version 11.1.2.4 Fusion Middleware
Hyperion Common Events, version 11.1.2.4 Fusion Middleware
Hyperion Data Relationship Management, version 11.1.2.4.345 Fusion Middleware
Hyperion Essbase Administration Services, version 11.1.2.4 Fusion Middleware
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 Oracle Construction and Engineering Suite
JD Edwards EnterpriseOne Orchestrator, version 9.2 JD Edwards
JD Edwards EnterpriseOne Tools, version 9.2 JD Edwards
MICROS Lucas, version 2.9.5 Retail Applications
MICROS PC Workstation 2015, versions Prior to BIOS 01.3.0.2i MICROS PC Workstation
MICROS Relate CRM Software, versions 10.8, 11.4 Retail Applications
MICROS Retail-J, versions 12.1.2, 13.0.0 Retail Applications
MICROS XBRi, versions 10.5.0, 10.6.0, 10.7.0, 10.8.1, 10.8.2, 10.8.3 Retail Applications
MySQL Connectors, versions 8.0.12 and prior MySQL
MySQL Enterprise Monitor, versions 3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior MySQL
MySQL Server, versions 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior MySQL
Oracle Adaptive Access Manager, versions 11.1.1.7.0, 11.1.2.3.0 Fusion Middleware
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 Fusion Middleware
Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2 Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Big Data Discovery, version 1.6.0 Fusion Middleware
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 Fusion Middleware
Oracle Communications Application Session Controller, versions Prior to 3.7.1M0 Oracle Communications Application Session Controller
Oracle Communications Instant Messaging Server, versions prior to 10.0.1 Oracle Communications Instant Messaging Server
Oracle Communications Messaging Server, versions prior to 8.0.2 Oracle Communications Convergence
Oracle Communications MetaSolv Solution, version 6.3.0 Oracle Communications MetaSolv Solution
Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1 Oracle Communications Performance Intelligence Center (PIC) Software
Oracle Communications User Data Repository, versions prior to 12.2.0 Oracle Communications User Data Repository
Oracle Configuration Manager, versions 12.1.2.0.2, 12.1.2.0.5 Enterprise Manager
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c Database
Oracle Demantra Demand Management, versions 7.3.5, 12.2 Oracle Supply Chain Products
Oracle Directory Server Enterprise Edition, version 11.1.1.7 Fusion Middleware
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 E-Business Suite
Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0 Fusion Middleware
Oracle Endeca Information Discovery Studio, versions 3.1.0, 3.2.0 Fusion Middleware
Oracle Endeca Server, versions 7.6.1, 7.7.0 Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0 Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 12.1.3.0, 12.2.1.3 Fusion Middleware
Oracle GlassFish Server, version 3.1.2 Fusion Middleware
Oracle GoldenGate, versions 12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0 Oracle GoldenGate
Oracle GoldenGate for Big Data, versions 12.2.0.1, 12.3.1.1, 12.3.2.1 Fusion Middleware
Oracle Healthcare Translational Research, version 3.1.0 Health Sciences
Oracle Hospitality Cruise Fleet Management, version 9.0 Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0 Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Gift and Loyalty, version 9.0 Oracle Hospitality Gift and Loyalty
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 Oracle Hospitality Guest Access
Oracle Hospitality Materials Control, version 18.1 Oracle Hospitality Materials Control
Oracle Hospitality Reporting and Analytics, version 9.0 Oracle Hospitality Reporting and Analytics
Oracle HTTP Server, version 12.2.1.3 Fusion Middleware
Oracle Identity Analytics, version 11.1.1.5.8 Fusion Middleware
Oracle Identity Management Suite, versions 11.1.2.3.0, 12.2.1.3.0 Fusion Middleware
Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0 Fusion Middleware
Oracle iLearning, versions 6.1, 6.2 iLearning
Oracle Insurance Calculation Engine, versions 10.1.1, 10.2.1 Oracle Insurance Applications
Oracle Insurance Rules Palette, versions 10.0, 10.1, 10.2, 11.0, 11.1 Oracle Insurance Applications
Oracle Java SE, versions 6u201, 7u191, 8u182, 11 Java SE
Oracle Java SE Embedded, versions 8u18, 8u181 Java SE
Oracle JRockit, version R28.3.19 Java SE
Oracle Outside In Technology, version 8.5.3 Fusion Middleware
Oracle Real-Time Decision Server, version 3.2.1 Fusion Middleware
Oracle Retail Allocation, versions 15.0, 16.0 Retail Applications
Oracle Retail Assortment Planning, versions 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Back Office, versions 13.3, 13.4, 14, 14.1 Retail Applications
Oracle Retail Central Office, version 14.1 Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0 Retail Applications
Oracle Retail Extract Transform and Load, versions 13.0, 13.1, 13.2 Retail Applications
Oracle Retail Financial Integration, versions 13.2, 14.0, 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Integration Bus, version 14.1.2 Retail Applications
Oracle Retail Invoice Matching, versions 15.0, 16.0 Retail Applications
Oracle Retail Open Commerce Platform, versions 5.3, 6.0, 6.0.1 Retail Applications
Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0 Retail Applications
Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1 Retail Applications
Oracle Retail Predictive Application Server, versions 14.0, 14.1, 15.0, 16.0 Retail Applications
Oracle Retail Returns Management, version 14.1 Retail Applications
Oracle Retail Sales Audit, versions 15.0, 16.0 Retail Applications
Oracle Retail Xstore Point of Service, versions 6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4, 17.0.2 Retail Applications
Oracle Service Bus, versions 12.1.3.0.0, 12.2.1.3.0 Fusion Middleware
Oracle Transportation Management, version 6.3.7 Oracle Supply Chain Products
Oracle Tuxedo, version 12.1.1.0 Fusion Middleware
Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0 Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.2.20 Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0 Fusion Middleware
Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.3.0 Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3, prior to Docker 12.2.1.3.20180913 Fusion Middleware
OSS Support Tools, versions prior to 18.4 Support Tools
PeopleSoft Enterprise Interaction Hub, version 9.1.0.0 PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57 PeopleSoft
Primavera Gateway, versions 15.2, 16.2, 17.12 Oracle Construction and Engineering Suite
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 18.8, 17.7 – 17.12 Oracle Construction and Engineering Suite
Primavera Unifier, versions 15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8 Oracle Construction and Engineering Suite
Siebel Applications, versions 18.7, 18.8, 18.9 Siebel
Solaris, versions 10, 11.3, 11.4 Systems
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1123 Systems
Spatial, versions 2.0, 2.1, 2.2 Oracle Big Data Graph

 

Statement

This advisory is only used to describe a potential risk. NSFOCUS does not provide any commitment or promise on this advisory. NSFOCUS and the author will not bear any liability for any direct and/or indirect consequences and losses caused by transmitting and/or using this advisory. NSFOCUS reserves all the rights to modify and interpret this advisory. Please include this statement paragraph when reproducing or transferring this advisory. Do not modify this advisory, add/delete any information to/from it, or use this advisory for commercial purposes without permission from NSFOCUS.

About NSFOCUS

NSFOCUS IB is a wholly owned subsidiary of NSFOCUS, an enterprise application and network security provider, with operations in the Americas, Europe, the Middle East, Southeast Asia and Japan. NSFOCUS IB has a proven track record of combatting the increasingly complex cyber threat landscape through the construction and implementation of multi-layered defense systems. The company’s Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide unified, multi-layer protection from advanced cyber threats.

For more information about NSFOCUS, please visit:

Home

NSFOCUS, NSFOCUS IB, and NSFOCUS, INC. are trademarks or registered trademarks of NSFOCUS, Inc. All other names and trademarks are property of their respective firms.

Leave a Reply

Your email address will not be published. Required fields are marked *