Oracle Critical Patch Update Advisory – October 2016

Number: AV16-166
Date: 19 October 2016

Purpose

The purpose of this advisory is to bring attention to the following critical patch updates released for Oracle products.

Assessment

Oracle has issued a Critical Patch Update (CPU) which contains 253 new security fixes across multiple Oracle products and versions.

Products affected:

  • Application Express, version(s) prior to 5.0.4.0.7
  • Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
  • Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0
  • Big Data Graph, version(s) prior to 1.2
  • NetBeans, version(s) 8.1
  • Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
  • Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0
  • Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0
  • Oracle Data Integrator, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
  • Oracle Discoverer, version(s) 11.1.1.7.0
  • Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1
  • Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
  • Oracle Identity Manager, version(s) -
  • Oracle iPlanet Web Proxy Server, version(s) 4.0
  • Oracle iPlanet Web Server, version(s) 7.0
  • Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3
  • Oracle Platform Security for Java, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
  • Oracle Web Services, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
  • Oracle WebCenter Sites, version(s) 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
  • Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1
  • Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2
  • Enterprise Manager Base Platform, version(s) 12.1.0.5
  • Oracle Application Testing Suite, version(s) 12.5.0.1, 12.5.0.2, 12.5.0.3
  • Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
  • Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5
  • Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
  • Oracle Agile PLM, version(s) 9.3.4, 9.3.5
  • Oracle Agile Product Lifecycle Management for Process, version(s) 6.1.0.4, 6.1.1.6, 6.2.0.0
  • Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
  • PeopleSoft Enterprise HCM, version(s) 9.2
  • PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
  • PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2
  • JD Edwards EnterpriseOne Tools, version(s) 9.1
  • JD Edwards World Security, version(s) A9.4
  • Siebel Applications, version(s) 7.1, 16.1
  • Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
  • Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.1
  • Oracle Commerce Service Center, version(s) 10.0.3.5, 10.2.0.5
  • Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
  • Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior
  • Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier
  • Oracle Enterprise Session Border Controller, version(s) Ecz7.3m2p2 and earlier
  • Oracle Banking Digital Experience, version(s) 15.1
  • Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
  • Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0
  • Oracle FLEXCUBE Core Banking, version(s) 11.5.0.0.0, 11.6.0.0.0
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0
  • Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1
  • Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
  • Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2
  • Oracle Life Sciences Data Hub, version(s) 2.x
  • Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
  • Oracle Insurance IStream, version(s) 4.3.2
  • MICROS XBR, version(s) 7.0.2, 7.0.4
  • Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0
  • Oracle Retail Customer Insights, version(s) 15.0
  • Oracle Retail Merchandising Insights, version(s) 15.0
  • Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
  • Oracle Retail Xstore Payment, version(s) 1.x
  • Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1
  • Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x
  • Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x
  • Oracle Java SE, version(s) 6u121, 7u111, 8u102
  • Oracle Java SE Embedded, version(s) 8u101
  • Solaris, version(s) 10, 11.3
  • Solaris Cluster, version(s) 3.3, 4.3
  • Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
  • Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8
  • Secure Global Desktop, version(s) 4.7, 5.2
  • Sun Ray Operating Software, version(s) prior to 11.1.7
  • Virtual Desktop Infrastructure, version(s) prior to 3.5.3
  • MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior
  • MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior

Suggested Action

CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly.

References:

http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
