Number: AV17-048
Date: 19 April 2017
Purpose
The purpose of this advisory is to bring attention to the following critical patch updates released for Oracle.
Assessment
Oracle has issued a Critical Patch Update (CPU) which addresses 299 new security fixes across multiple Oracle products and versions.
Products affected:
- Automatic Service Request (ASR), version(s) prior to 5.7
- Enterprise Manager Base Platform, version(s) 12.1.0, 13.1.0, 13.2.0
- JD Edwards EnterpriseOne Tools, version(s) 9.2
- MICROS Lucas, version(s) 2.9.5.1, 2.9.5.2, 2.9.5.3, 2.9.5.4, 2.9.5.5
- MICROS Relate CRM Software, version(s) 10.0, 10.5, 10.8, 11.0, 11.1, 11.4, 15.0
- MICROS XBR, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1
- MICROS Xstore Payment, version(s) 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, 16.0
- MySQL Cluster, version(s) 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior
- MySQL Connectors, version(s) 2.1.5 and prior, 5.1.41 and prior
- MySQL Enterprise Backup, version(s) 3.12.3 and prior, 4.0.3 and prior
- MySQL Enterprise Monitor, version(s) 3.1.6.8003 and prior, 3.2.1182 and prior, 3.3.2.1162 and prior
- MySQL Server, version(s) 5.5.54 and prior, 5.6.35 and prior, 5.7.17 and prior, 5.7.11 to 5.7.17
- MySQL Workbench, version(s) 6.3.8 and prior
- Oracle Advanced Support Gateway, version(s) prior to 7.2
- Oracle API Gateway, version(s) 11.1.2.4.0
- Oracle Berkeley DB, version(s) prior to 6.2.32
- Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 6.1.4, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
- Oracle Communications ASAP, version(s) 7.0, 7.2, 7.3
- Oracle Communications Network Integrity, version(s) 7.2.4, 7.3.0
- Oracle Communications Policy Management, version(s) 12.2
- Oracle Communications Security Gateway, version(s) 3.0.0
- Oracle Communications Service Broker Engineered System Edition, version(s) 6.0, 6.1
- Oracle Communications Session Border Controller, version(s) SCZ7.3.0, SCZ7.4.0
- Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
- Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
- Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.3, 7.3.4, 7.3.5
- Oracle Financial Services Asset Liability Management, version(s) 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Basel Regulatory Capital Basic, version(s) 6.1.2, 6.1.3, 8.0.2, 8.0.3
- Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, version(s) 6.1.2, 6.1.3, 8.0.2, 8.0.3
- Oracle Financial Services Data Foundation, version(s) 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Data Integration Hub, version(s) 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Enterprise Financial Performance Analytics, version(s) 8.0.0 to 8.0.4
- Oracle Financial Services Funds Transfer Pricing, version(s) 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Hedge Management and IFRS Valuations, version(s) 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Institutional Performance Analytics, version(s) 8.0.0 to 8.0.4
- Oracle Financial Services Liquidity Risk Management, version(s) 8.0.1, 8.0.2, 8.0.4
- Oracle Financial Services Loan Loss Forecasting and Provisioning, version(s) 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Pricing Management/Transfer Pricing Component, version(s) 8.0.0 to 8.0.4
- Oracle Financial Services Profitability Management, version(s) 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Financial Services Reconciliation Framework, version(s) 8.0.0, 8.0.1, 8.0.2
- Oracle Financial Services Retail Customer Analytics, version(s) 8.0.0 to 8.0.3
- Oracle Financial Services Retail Performance Analytics, version(s) 8.0.0 to 8.0.4
- Oracle FLEXCUBE Direct Banking, version(s) 12.0.2, 12.0.3
- Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.0.1, 12.1.0
- Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1, 12.0.2, 12.0.3, 12.0.4, 12.1.0, 12.2.0, 12.3.0
- Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0.1, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
- Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
- Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
- Oracle Fusion Middleware MapViewer, version(s) 11.1.1.9, 12.2.1.1, 12.2.1.2
- Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0, 12.2.1.1
- Oracle GlassFish Server, version(s) 3.1.2
- Oracle Healthcare Master Person Index, version(s) 3.0.0.x and 4.0.1.x, prior to and 2.0.1.x
- Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.x, 5.4.1.x, 5.4.2.x, 5.4.3.x, 5.5.0.x, 5.5.1.x
- Oracle Hyperion Essbase, version(s) 11.1.2.2
- Oracle Identity Manager, version(s) 11.1.2.3.0
- Oracle Insurance Data Foundation, version(s) 8.0.1, 8.0.2, 8.0.3, 8.0.4
- Oracle Insurance Istream, version(s) 4.3.2 and prior
- Oracle Java SE Embedded, version(s) 8u121
- Oracle Java SE, version(s) 6u141, 7u131, 8u121
- Oracle JRockit, version(s) R28.3.13
- Oracle Real-Time Scheduler, version(s) 2.2.0.3.13, 2.3.0.0, 2.3.0.1
- Oracle Retail Advanced Inventory Planning, version(s) 14.1, 15.0
- Oracle Retail Advanced Science Engine, version(s) 14.1
- Oracle Retail Analytic Parameter Calculator - RO, version(s) 15.0
- Oracle Retail Analytics, version(s) 14.0, 14.1, 15.0, 16.0
- Oracle Retail Assortment Planning, version(s) 14.1.3, 15.0.1, 16.0.0
- Oracle Retail Back Office, version(s) 14.1
- Oracle Retail Category Management Planning & Optimization, version(s) 15.0
- Oracle Retail Category Management, version(s) 13.2, 13.3, 14.0, 14.1
- Oracle Retail Customer Insights, version(s) 15.0
- Oracle Retail Customer Management and Segmentation Foundation, version(s) 15.0
- Oracle Retail Demand Forecasting, version(s) 14.1.3, 15.0.2
- Oracle Retail Invoice Matching, version(s) 12.0, 13.0, 13.1, 13.2, 14.0, 14.1
- Oracle Retail Item Planning, version(s) 14.1.3, 15.0.2
- Oracle Retail Macro Space Optimization, version(s) 15.0.2
- Oracle Retail Merchandise Financial Planning, version(s) 14.1.3, 15.0.2
- Oracle Retail Merchandising Insights, version(s) 15.0
- Oracle Retail Open Commerce Platform, version(s) 4.0, 5.0, 5.1, 5.3, 6.0, 6.1, 15.0, 16.0
- Oracle Retail Order Broker, version(s) 5.1, 5.2, 15.0, 16.0
- Oracle Retail Point-of-Service, version(s) 14.1.3
- Oracle Retail Predictive Application Server, version(s) 13.1, 13.2, 13.3, 13.3.3, 13.4, 13.4.3, 14.0, 14.0.3, 14.1, 14.1.3, 15.0, 15.0.2, 16.0.0
- Oracle Retail Regular Price Optimization, version(s) 14.1.3, 15.0.2
- Oracle Retail Replenishment Optimization, version(s) 14.1.3, 15.0.2
- Oracle Retail Returns Management, version(s) 14.1
- Oracle Retail Size Profile Optimization, version(s) 14.1.3, 15.0.2
- Oracle Retail Store Inventory, version(s) 14.1, 15.0, 16.0
- Oracle Retail Warehouse Management System, version(s) 13.2, 14.0, 15.0
- Oracle Retail XBRi Loss Prevention, version(s) 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
- Oracle Retail Xstore Point of Service, version(s) 5.5, 6.0, 6.5, 7.0, 7.1, 15.0, 16.0
- Oracle Secure Backup, version(s) prior to 12.1.0.3.0
- Oracle Service Bus, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle Social Network, version(s) prior to 11.1.12.0.0 (17019101)
- Oracle SuperCluster Specific Software, version(s) 2.3.8, 2.3.13
- Oracle Trace File Analyzer (TFA), version(s) prior to 12.1.2.8.4
- Oracle Transportation Manager, version(s) 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1, 6.4.2
- Oracle Utilities Customer Self Service, version(s) 2.1.0.2.0
- Oracle Utilities Framework, version(s) 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0, 4.3.0.3.0
- Oracle Utilities Work and Asset Management, version(s) 1.9.1.2.11
- Oracle VM VirtualBox, version(s) prior to 5.0.38, prior to 5.1.20
- Oracle WebCenter Content, version(s) 11.1.1.7, 11.1.1.9, 12.2.1.0, 12.2.1.1, 12.2.1.2
- Oracle WebCenter Sites, version(s) 11.1.1.8.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2
- OSS Support Tools, version(s) prior to RDA 8.15.17.3.14
- PeopleSoft Enterprise CS Campus Community, version(s) 9.2
- PeopleSoft Enterprise FIN Receivables, version(s) 9.2
- PeopleSoft Enterprise FSCM, version(s) 9.1
- PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
- PeopleSoft Enterprise SCM eBill Payment, version(s) 9.2
- PeopleSoft Enterprise SCM eSupplier Connection, version(s) 9.2
- PeopleSoft Enterprise SCM Purchasing, version(s) 9.2
- PeopleSoft Enterprise SCM Service Procurement, version(s) 9.2
- PeopleSoft Enterprise SCM Strategic Sourcing, version(s) 9.2
- Primavera Gateway, version(s) 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
- Primavera P6 Enterprise Project Portfolio Management, version(s) 8.3, 8.4, 15.1, 15.2, 16.1, 16.2
- Primavera Unifier, version(s) 9.13, 9.14, 10.0, 10.1, 15.1, 15.2
- Secure Global Desktop, version(s) 4.71, 5.2, 5.3
- Siebel Applications, version(s) 6.1, 6.2, 7.0, 7.1
- Solaris Cluster, version(s) 4.3
- Solaris, version(s) 10, 11.3
- StorageTek Tape Analytics SW Tool, version(s) prior to 2.2.1
- Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
CVE References:
CVE-2004-2761, CVE-2012-0920, CVE-2012-1007, CVE-2012-5881, CVE-2012-5882, CVE-2012-5883, CVE-2013-1982, CVE-2013-1983, CVE-2013-1984, CVE-2013-1985, CVE-2013-1986, CVE-2013-1987, CVE-2013-1995, CVE-2013-1998, CVE-2013-2002, CVE-2013-2003, CVE-2013-2005, CVE-2013-2566, CVE-2013-5209, CVE-2014-0114, CVE-2014-3571, CVE-2014-3596, CVE-2015-0204, CVE-2015-0286, CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1791, CVE-2015-1792, CVE-2015-3195, CVE-2015-3236, CVE-2015-3237, CVE-2015-4852, CVE-2015-5252, CVE-2015-5351, CVE-2015-7501, CVE-2015-7940, CVE-2016-0635, CVE-2016-0706, CVE-2016-0714, CVE-2016-0729, CVE-2016-0762, CVE-2016-0763, CVE-2016-1181, CVE-2016-1182, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2176, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-2510, CVE-2016-3092, CVE-2016-3504, CVE-2016-3506, CVE-2016-3607, CVE-2016-3674, CVE-2016-3739, CVE-2016-4430, CVE-2016-4431, CVE-2016-4433, CVE-2016-4436, CVE-2016-4802, CVE-2016-5018, CVE-2016-5019, CVE-2016-5407, CVE-2016-5419, CVE-2016-5420, CVE-2016-5421, CVE-2016-5551, CVE-2016-6288, CVE-2016-6289, CVE-2016-6290, CVE-2016-6291, CVE-2016-6292, CVE-2016-6294, CVE-2016-6295, CVE-2016-6296, CVE-2016-6297, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-6794, CVE-2016-6796, CVE-2016-6797, CVE-2016-6816, CVE-2016-6817, CVE-2016-7052, CVE-2016-7055, CVE-2016-8615, CVE-2016-8616, CVE-2016-8617, CVE-2016-8618, CVE-2016-8619, CVE-2016-8620, CVE-2016-8621, CVE-2016-8622, CVE-2016-8623, CVE-2016-8624, CVE-2016-8625, CVE-2016-8735, CVE-2016-8743, CVE-2017-3230, CVE-2017-3232, CVE-2017-3233, CVE-2017-3234, CVE-2017-3237, CVE-2017-3254, CVE-2017-3288, CVE-2017-3302, CVE-2017-3304, CVE-2017-3305, CVE-2017-3306, CVE-2017-3307, CVE-2017-3308, CVE-2017-3309, CVE-2017-3329, CVE-2017-3331, CVE-2017-3337, CVE-2017-3342, CVE-2017-3345, CVE-2017-3347, CVE-2017-3355, CVE-2017-3356, CVE-2017-3393, CVE-2017-3432, CVE-2017-3434, CVE-2017-3450, CVE-2017-3451, CVE-2017-3452, CVE-2017-3453, CVE-2017-3454, CVE-2017-3455, CVE-2017-3456, CVE-2017-3457, CVE-2017-3458, CVE-2017-3459, CVE-2017-3460, CVE-2017-3461, CVE-2017-3462, CVE-2017-3463, CVE-2017-3464, CVE-2017-3465, CVE-2017-3467, CVE-2017-3468, CVE-2017-3469, CVE-2017-3470, CVE-2017-3471, CVE-2017-3472, CVE-2017-3473, CVE-2017-3474, CVE-2017-3475, CVE-2017-3476, CVE-2017-3477, CVE-2017-3478, CVE-2017-3479, CVE-2017-3480, CVE-2017-3481, CVE-2017-3482, CVE-2017-3483, CVE-2017-3484, CVE-2017-3485, CVE-2017-3486, CVE-2017-3487, CVE-2017-3488, CVE-2017-3489, CVE-2017-3490, CVE-2017-3491, CVE-2017-3492, CVE-2017-3493, CVE-2017-3494, CVE-2017-3495, CVE-2017-3496, CVE-2017-3497, CVE-2017-3498, CVE-2017-3499, CVE-2017-3500, CVE-2017-3501, CVE-2017-3502, CVE-2017-3503, CVE-2017-3504, CVE-2017-3505, CVE-2017-3506, CVE-2017-3507, CVE-2017-3508, CVE-2017-3509, CVE-2017-3510, CVE-2017-3511, CVE-2017-3512, CVE-2017-3513, CVE-2017-3514, CVE-2017-3515, CVE-2017-3516, CVE-2017-3517, CVE-2017-3518, CVE-2017-3519, CVE-2017-3520, CVE-2017-3521, CVE-2017-3522, CVE-2017-3524, CVE-2017-3525, CVE-2017-3526, CVE-2017-3527, CVE-2017-3528, CVE-2017-3530, CVE-2017-3531, CVE-2017-3532, CVE-2017-3533, CVE-2017-3534, CVE-2017-3535, CVE-2017-3536, CVE-2017-3537, CVE-2017-3538, CVE-2017-3539, CVE-2017-3540, CVE-2017-3541, CVE-2017-3542, CVE-2017-3543, CVE-2017-3544, CVE-2017-3545, CVE-2017-3546, CVE-2017-3547, CVE-2017-3548, CVE-2017-3549, CVE-2017-3550, CVE-2017-3551, CVE-2017-3552, CVE-2017-3553, CVE-2017-3554, CVE-2017-3555, CVE-2017-3556, CVE-2017-3557, CVE-2017-3558, CVE-2017-3559, CVE-2017-3560, CVE-2017-3561, CVE-2017-3563, CVE-2017-3564, CVE-2017-3565, CVE-2017-3567, CVE-2017-3568, CVE-2017-3569, CVE-2017-3570, CVE-2017-3571, CVE-2017-3572, CVE-2017-3573, CVE-2017-3574, CVE-2017-3575, CVE-2017-3576, CVE-2017-3577, CVE-2017-3578, CVE-2017-3579, CVE-2017-3580, CVE-2017-3581, CVE-2017-3582, CVE-2017-3583, CVE-2017-3584, CVE-2017-3585, CVE-2017-3586, CVE-2017-3587, CVE-2017-3589, CVE-2017-3590, CVE-2017-3591, CVE-2017-3592, CVE-2017-3593, CVE-2017-3594, CVE-2017-3595, CVE-2017-3596, CVE-2017-3597, CVE-2017-3598, CVE-2017-3599, CVE-2017-3600, CVE-2017-3601, CVE-2017-3602, CVE-2017-3603, CVE-2017-3604, CVE-2017-3605, CVE-2017-3606, CVE-2017-3607, CVE-2017-3608, CVE-2017-3609, CVE-2017-3610, CVE-2017-3611, CVE-2017-3612, CVE-2017-3613, CVE-2017-3614, CVE-2017-3615, CVE-2017-3616, CVE-2017-3617, CVE-2017-3618, CVE-2017-3619, CVE-2017-3620, CVE-2017-3621, CVE-2017-3622, CVE-2017-3623, CVE-2017-3625, CVE-2017-3626, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, CVE-2017-5638
Suggested Action
CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly.
References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html