Number: AV18-065
Date: 18 April 2018
Purpose
The purpose of this advisory is to bring attention to the quarterly updates released for Oracle products.
Assessment
Oracle has issued a Critical Patch Update Advisory that contains multiple new security fixes across multiple Oracle products and versions.
Affected Product Versions:
- Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0
- Enterprise Manager for MySQL Database, version 12.1.0.4
- Enterprise Manager for Virtualization, version 13.2
- Enterprise Manager Ops Center, versions 12.2.2, 12.3.3
- Hardware Management Pack, versions prior to 2.4.3
- Instantis EnterpriseTrack, versions 17.1, 17.2
- Integrated Lights Out Manager (ILOM), versions 3.x, 4.x
- JD Edwards EnterpriseOne Tools, version 9.2.2
- JD Edwards World Security, versions A9.2, A9.3, A9.4
- Management Pack for Oracle GoldenGate, version 11.2.1.0.13
- MICROS Handheld Terminal, versions prior to Fusion 2.03.0.0.021R
- MICROS Lucas, version 2.9.5
- MySQL Cluster, versions 7.2.27 and prior, 7.3.16 and prior, 7.4.14 and prior, 7.5.5 and prior
- MySQL Enterprise Monitor, versions 3.3.7.3306 and prior, 3.4.5.4248 and prior, 4.0.2.5168 and prior
- MySQL Server, versions 5.5.59 and prior, 5.6.39 and prior, 5.7.21 and prior
- Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0, 12.2.1.3.0
- Oracle Adaptive Access Manager, version 11.1.2.3.0
- Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
- Oracle Agile PLM Framework, version 9.3.6
- Oracle Agile Product Lifecycle Management for Process, versions 6.1.1.6, 6.2.0.0, 6.2.1.0
- Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1, 13.2.0.1
- Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0
- Oracle Banking Enterprise Collections, version 2.6
- Oracle Banking Enterprise Originations, version 2.6
- Oracle Banking Enterprise Product Manufacturing, version 2.6
- Oracle Banking Payments, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0
- Oracle Banking Platform, versions 2.4, 2.5, 2.6
- Oracle Big Data Discovery, version 1.6.0
- Oracle Business Intelligence Data Warehouse Administration Console, version 11.1.1.6.4
- Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle Communications Calendar Server, version 8.x
- Oracle Communications Contacts Server, version 8.x
- Oracle Communications EAGLE LNP Application Processor, versions 10.1.0.0.0 and prior
- Oracle Communications Messaging Server, version 8.x
- Oracle Communications MetaSolv Solution, version 6.3.0
- Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
- Oracle Communications Network Intelligence, version 7.3.x
- Oracle Communications Order and Service Management, versions 7.2.4.3.0, 7.3.0.1.x, 7.3.1.0.7, 7.3.5.0.x
- Oracle Communications Unified Inventory Management, version 7.x
- Oracle Data Visualization Desktop, version 12.2.4.1.1
- Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1.0.0
- Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
- Oracle Endeca Information Discovery Integrator, versions 3.1, 3.2
- Oracle Endeca Information Discovery Studio, versions 7.6.1.0.0, 7.7.0.0.0
- Oracle Endeca Server, version 7.7
- Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
- Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.x, 8.0.x
- Oracle Financial Services Basel Regulatory Capital Basic, version 8.0.x
- Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, version 8.0.x
- Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5
- Oracle Financial Services Market Risk Measurement and Management, version 8.0.5
- Oracle FLEXCUBE Core Banking, versions 11.5.0, 11.6.0, 11.7.0
- Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0
- Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0
- Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
- Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0
- Oracle Fusion Applications, versions 11.1.2 through 11.1.9
- Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3
- Oracle Fusion Middleware MapViewer, versions 11.1.1.7.0, 11.1.1.9.0
- Oracle GoldenGate, version 12.2.0.1
- Oracle GoldenGate Veridata, versions 11.2.0.1.2, 12.1.3.0.0
- Oracle Hospitality Cruise Fleet Management System, version 9.x
- Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
- Oracle Hospitality Reporting and Analytics, version 9.0
- Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9, 2.10
- Oracle Hospitality Simphony First Edition, versions 1.6, 1.7
- Oracle Hospitality Suite8, version 8.x
- Oracle HTTP Server, versions 12.1.3, 12.2.1.2
- Oracle Java SE, versions 6u181, 7u161, 7u171, 8u152, 8u162, 10
- Oracle Java SE Embedded, versions 8u152, 8u161
- Oracle JRockit, version R28.3.17
- Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle Mobile Security Suite, version 3.0.1
- Oracle Outside In Technology, version 8.5.3
- Oracle Retail Advanced Inventory Planning, versions 13.2, 13.4, 14.1, 15.0
- Oracle Retail Back Office, versions 13.4.9, 14.0.4, 14.1.3
- Oracle Retail Central Office, versions 13.4.9, 14.0.4, 14.1.3
- Oracle Retail Customer Engagement, version 16.0
- Oracle Retail EFTLink, versions 1.1.125, 15.0.2, 16.0.3
- Oracle Retail Insights, versions 14.0, 14.1, 15.0, 16.0
- Oracle Retail Integration Bus, version 13.2
- Oracle Retail Invoice Matching, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
- Oracle Retail Merchandising System, version 16.0
- Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0
- Oracle Retail Order Management System, versions 4.0, 4.5, 4.7, 5.0
- Oracle Retail Point-of-Service, versions 13.3.8, 13.4.9, 14.0.4, 14.1.3
- Oracle Retail Predictive Application Server, versions 13.4.3, 14.0.3, 14.1.3
- Oracle Retail Price Management, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1, 15.0, 16.0
- Oracle Retail Returns Management, versions 2.3.8, 2.4.9, 14.0.4, 14.1.3
- Oracle Retail Store Inventory Management, versions 12.0.12, 13.0.7, 13.1.9, 13.2.9, 14.0.4, 14.1.3, 15.0.2, 16.0.1
- Oracle Retail Xstore Point of Service, versions 6.0, 6.0.12, 6.5, 6.5.12, 7.0, 7.0.7, 7.1, 7.1.7, 15.0, 15.0.2, 16.0, 16.0.3
- Oracle Secure Global Desktop (SGD), version 5.3
- Oracle Security Service, versions 12.1.3.0.0, 12.2.1.2.0
- Oracle Transportation Management, versions 6.2, 6.4.3
- Oracle Tuxedo, version 12.1.1.0.0
- Oracle Utilities Framework, versions 2.2.0, 4.2.0, 4.3.0
- Oracle VM VirtualBox, versions prior to 5.1.36, prior to 5.2.10
- Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle WebCenter Portal, versions 12.2.1.2.0, 12.2.1.3.0
- Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle WebLogic Portal, version 10.3.6.0.0
- Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
- OSS Support Tools, versions prior to 18.2
- PeopleSoft Enterprise HCM, version 9.2
- PeopleSoft Enterprise HCM Shared Components, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56
- PeopleSoft Enterprise PRTL Interaction Hub, version 9.1
- PeopleSoft Enterprise PT PeopleTools, versions 8.54, 8.55, 8.56
- Primavera P6 Enterprise Project Portfolio Management, versions 16.2, 17.1 – 17.12
- Primavera Unifier, versions 16.x, 17.x
- Real-Time Decisions (RTD) Solutions, version 3.2.0.0.0
- Siebel Applications, version 17.0
- Solaris, versions 10, 11.3
- Solaris Cluster, version 4.3
- Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.17
CVE References: CVE-2013-1768, CVE-2014-0054, CVE-2015-7501, CVE-2015-7940, CVE-2016-0635, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-3092, CVE-2016-3506, CVE-2016-5007, CVE-2016-5019, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-6814, CVE-2016-7052, CVE-2016-8745, CVE-2016-9878, CVE-2017-1039, CVE-2017-1040, CVE-2017-1261, CVE-2017-1307, CVE-2017-1308, CVE-2017-1509, CVE-2017-1570, CVE-2017-1756, CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738, CVE-2017-5645, CVE-2017-5662, CVE-2017-5664, CVE-2017-5715, CVE-2017-5753, CVE-2017-5754, CVE-2017-7525, CVE-2017-7674, CVE-2017-7805, CVE-2017-9798, CVE-2018-0739, CVE-2018-2563, CVE-2018-2572, CVE-2018-2587, CVE-2018-2628, CVE-2018-2718, CVE-2018-2737, CVE-2018-2738, CVE-2018-2739, CVE-2018-2742, CVE-2018-2746, CVE-2018-2747, CVE-2018-2748, CVE-2018-2749, CVE-2018-2750, CVE-2018-2752, CVE-2018-2753, CVE-2018-2754, CVE-2018-2755, CVE-2018-2756, CVE-2018-2758, CVE-2018-2759, CVE-2018-2760, CVE-2018-2761, CVE-2018-2762, CVE-2018-2763, CVE-2018-2764, CVE-2018-2765, CVE-2018-2766, CVE-2018-2768, CVE-2018-2769, CVE-2018-2770, CVE-2018-2771, CVE-2018-2772, CVE-2018-2773, CVE-2018-2774, CVE-2018-2775, CVE-2018-2776, CVE-2018-2777, CVE-2018-2778, CVE-2018-2779, CVE-2018-2780, CVE-2018-2781, CVE-2018-2782, CVE-2018-2783, CVE-2018-2784, CVE-2018-2785, CVE-2018-2786, CVE-2018-2787, CVE-2018-2788, CVE-2018-2789, CVE-2018-2790, CVE-2018-2791, CVE-2018-2792, CVE-2018-2793, CVE-2018-2794, CVE-2018-2795, CVE-2018-2796, CVE-2018-2797, CVE-2018-2798, CVE-2018-2799, CVE-2018-2800, CVE-2018-2801, CVE-2018-2802, CVE-2018-2803, CVE-2018-2804, CVE-2018-2805, CVE-2018-2806, CVE-2018-2807, CVE-2018-2808, CVE-2018-2809, CVE-2018-2810, CVE-2018-2811, CVE-2018-2812, CVE-2018-2813, CVE-2018-2814, CVE-2018-2815, CVE-2018-2816, CVE-2018-2817, CVE-2018-2818, CVE-2018-2819, CVE-2018-2820, 
CVE-2018-2821, CVE-2018-2822, CVE-2018-2823, CVE-2018-2824, CVE-2018-2825, CVE-2018-2826, CVE-2018-2827, CVE-2018-2828, CVE-2018-2829, CVE-2018-2830, CVE-2018-2831, CVE-2018-2832, CVE-2018-2833, CVE-2018-2834, CVE-2018-2835, CVE-2018-2836, CVE-2018-2837, CVE-2018-2838, CVE-2018-2839, CVE-2018-2840, CVE-2018-2841, CVE-2018-2842, CVE-2018-2843, CVE-2018-2844, CVE-2018-2845, CVE-2018-2846, CVE-2018-2847, CVE-2018-2848, CVE-2018-2849, CVE-2018-2850, CVE-2018-2851, CVE-2018-2852, CVE-2018-2853, CVE-2018-2854, CVE-2018-2855, CVE-2018-2856, CVE-2018-2857, CVE-2018-2858, CVE-2018-2859, CVE-2018-2860, CVE-2018-2861, CVE-2018-2862, CVE-2018-2863, CVE-2018-2864, CVE-2018-2865, CVE-2018-2866, CVE-2018-2867, CVE-2018-2868, CVE-2018-2869, CVE-2018-2870, CVE-2018-2871, CVE-2018-2872, CVE-2018-2873, CVE-2018-2874, CVE-2018-2876, CVE-2018-2877, CVE-2018-2878, CVE-2018-2879, CVE-2018-7489
Suggested Action
CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly.
References:
http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html