Number: AV17-156
Date: 18 October 2017
Purpose
The purpose of this advisory is to bring attention to the quarterly updates released for Oracle products.
Assessment
Oracle has issued a Critical Patch Update which contains multiple new security fixes across multiple Oracle products and versions.
Affected Product Versions:
- Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2340 and prior to XCP3030
- Java Advanced Management Console, version 2.7
- JD Edwards EnterpriseOne Tools, version 9.2
- JD Edwards World Security, versions A9.1, A9.2, A9.3, A9.4
- Management Pack for Oracle GoldenGate, version 11.2.1.0.12
- MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.7, 10.8.0, 10.8.1
- MySQL Connectors, versions 6.9.9 and prior
- MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior
- MySQL Server, versions 5.5.57 and prior, 5.6.37 and prior, 5.7.19 and prior
- Oracle Access Manager, version 11.1.2.3.0
- Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0
- Oracle Agile PLM, versions 9.3.5, 9.3.6
- Oracle API Gateway, version 11.1.2.4.0
- Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle Communications Billing and Revenue Management, version 7.5
- Oracle Communications Diameter Signaling Router (DSR), version 7.x
- Oracle Communications EAGLE LNP Application Processor, version 10.x
- Oracle Communications Messaging Server, version 8.x
- Oracle Communications Order and Service Management, versions 7.2.4.x.x, 7.3.0.x.x, 7.3.1.x.x, 7.3.5.x.x
- Oracle Communications Policy Management, versions 11.5, 12.x
- Oracle Communications Services Gatekeeper, versions 5.1, 6.0
- Oracle Communications Unified Session Manager, version SCz 7.x
- Oracle Communications User Data Repository, version 10.x
- Oracle Communications WebRTC Session Controller, versions 7.0, 7.1, 7.2
- Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
- Oracle Directory Server Enterprise Edition, version 11.1.1.7.0
- Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
- Oracle Endeca Information Discovery Integrator, versions 2.4, 3.0, 3.1, 3.2
- Oracle Engineering Data Management, versions 6.1.3.0, 6.2.2.0
- Oracle Enterprise Manager Ops Center, versions 12.2.2, 12.3.2
- Oracle FLEXCUBE Universal Banking, versions 11.3, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0
- Oracle Fusion Applications, versions 11.1.2 through 11.1.9
- Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2, 12.2.1.3
- Oracle GlassFish Server, versions 3.0.1, 3.1.2
- Oracle Healthcare Master Person Index, version 4.x
- Oracle Hospitality Cruise AffairWhere, versions 2.2.5.0, 2.2.6.0, 2.2.7.0
- Oracle Hospitality Cruise Fleet Management, version 9.0.2.0
- Oracle Hospitality Cruise Materials Management, version 7.30.564.0
- Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.2.0
- Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
- Oracle Hospitality Hotel Mobile, version 1.1
- Oracle Hospitality OPERA 5 Property Services, versions 5.4.2.x through 5.5.1.x
- Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0
- Oracle Hospitality Simphony, versions 2.6, 2.7, 2.8, 2.9
- Oracle Hospitality Suite8, versions 8.10.1, 8.10.2
- Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle Hyperion BI+, version 11.1.2.4
- Oracle Hyperion Financial Reporting, version 11.1.2
- Oracle Identity Manager, version 11.1.2.3.0
- Oracle Identity Manager Connector, version 9.1.1.5.0
- Oracle Integrated Lights Out Manager (ILOM), versions prior to 3.2.6
- Oracle iPlanet Web Server, version 7.0
- Oracle Java SE, versions 6u161, 7u151, 8u144, 9
- Oracle Java SE Embedded, version 8u144
- Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0
- Oracle JRockit, version R28.3.15
- Oracle Managed File Transfer, versions 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle Outside In Technology, version 8.5.3.0
- Oracle Retail Back Office, versions 13.2, 13.3, 13.4, 14.0, 14.1
- Oracle Retail Clearance Optimization Engine, version 13.4
- Oracle Retail Convenience and Fuel POS Software, version 2.1.132
- Oracle Retail Markdown Optimization, versions 13.4, 14.0
- Oracle Retail Point-of-Service, versions 6.0.x, 6.5.x, 7.0.x, 7.1.x, 15.0.x, 16.0.0
- Oracle Retail Store Inventory Management, versions 13.2.9, 14.0.4, 14.1.3, 15.0.1, 16.0.1
- Oracle Retail Xstore Point of Service, versions 6.0.11, 6.5.11, 7.0.6, 7.1.6, 15.0.1
- Oracle Secure Global Desktop (SGD), version 5.3
- Oracle SOA Suite, version 11.1.1.7.0
- Oracle Transportation Management, versions 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2
- Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0
- Oracle VM VirtualBox, versions prior to 5.1.30
- Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
- Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.2.0
- Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.1.0, 12.2.1.2.0
- PeopleSoft Enterprise FSCM, version 9.2
- PeopleSoft Enterprise HCM, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56
- PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00
- PeopleSoft Enterprise PT PeopleTools, versions 8.54, 8.55, 8.56
- PeopleSoft Enterprise SCM eProcurement, versions 9.1.00, 9.2.00
- Primavera Unifier, versions 9.13, 9.14, 10.x, 15.x, 16.x
- Siebel Applications, versions 16.0, 17.0
- Solaris Cluster, versions 3.3, 4.3
- SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1123
- SPARC M7, T7, S7 based Servers, versions prior to 9.7.6.b
- Sun ZFS Storage Appliance Kit (AK), version AK 2013
- Tekelec HLR Router, version 4.x
CVE References:
CVE-2003-1418, CVE-2013-1903, CVE-2014-0062, CVE-2014-0107, CVE-2014-0114, CVE-2014-0224, CVE-2014-3538, CVE-2014-3707, CVE-2014-4345, CVE-2014-8714, CVE-2015-0235, CVE-2015-2808, CVE-2015-3253, CVE-2015-5254, CVE-2015-7501, CVE-2015-7940, CVE-2016-0635, CVE-2016-0714, CVE-2016-10165, CVE-2016-1181, CVE-2016-2107, CVE-2016-2183, CVE-2016-2381, CVE-2016-2834, CVE-2016-3092, CVE-2016-3506, CVE-2016-5019, CVE-2016-6304, CVE-2016-6814, CVE-2016-7052, CVE-2016-7431, CVE-2016-8735, CVE-2016-9841, CVE-2017-10014, CVE-2017-10026, CVE-2017-10033, CVE-2017-10034, CVE-2017-10037, CVE-2017-10050, CVE-2017-10051, CVE-2017-10054, CVE-2017-10055, CVE-2017-10060, CVE-2017-10065, CVE-2017-10066, CVE-2017-10077, CVE-2017-10099, CVE-2017-10152, CVE-2017-10153, CVE-2017-10154, CVE-2017-10155, CVE-2017-10158, CVE-2017-10159, CVE-2017-10161, CVE-2017-10162, CVE-2017-10163, CVE-2017-10164, CVE-2017-10165, CVE-2017-10166, CVE-2017-10167, CVE-2017-10190, CVE-2017-10194, CVE-2017-10197, CVE-2017-10203, CVE-2017-10227, CVE-2017-10259, CVE-2017-10260, CVE-2017-10261, CVE-2017-10263, CVE-2017-10264, CVE-2017-10265, CVE-2017-10268, CVE-2017-10270, CVE-2017-10271, CVE-2017-10274, CVE-2017-10275, CVE-2017-10276, CVE-2017-10277, CVE-2017-10279, CVE-2017-10280, CVE-2017-10281, CVE-2017-10283, CVE-2017-10284, CVE-2017-10285, CVE-2017-10286, CVE-2017-10287, CVE-2017-10292, CVE-2017-10293, CVE-2017-10294, CVE-2017-10295, CVE-2017-10296, CVE-2017-10299, CVE-2017-10300, CVE-2017-10302, CVE-2017-10303, CVE-2017-10304, CVE-2017-10306, CVE-2017-10308, CVE-2017-10309, CVE-2017-10310, CVE-2017-10311, CVE-2017-10312, CVE-2017-10313, CVE-2017-10314, CVE-2017-10315, CVE-2017-10316, CVE-2017-10317, CVE-2017-10318, CVE-2017-10319, CVE-2017-10320, CVE-2017-10321, CVE-2017-10322, CVE-2017-10323, CVE-2017-10324, CVE-2017-10325, CVE-2017-10326, CVE-2017-10327, CVE-2017-10328, CVE-2017-10329, CVE-2017-10330, CVE-2017-10331, CVE-2017-10332, CVE-2017-10333, CVE-2017-10334, CVE-2017-10335, CVE-2017-10336, CVE-2017-10337, 
CVE-2017-10338, CVE-2017-10339, CVE-2017-10340, CVE-2017-10341, CVE-2017-10342, CVE-2017-10343, CVE-2017-10344, CVE-2017-10345, CVE-2017-10346, CVE-2017-10347, CVE-2017-10348, CVE-2017-10349, CVE-2017-10350, CVE-2017-10351, CVE-2017-10352, CVE-2017-10353, CVE-2017-10354, CVE-2017-10355, CVE-2017-10356, CVE-2017-10357, CVE-2017-10358, CVE-2017-10359, CVE-2017-10360, CVE-2017-10361, CVE-2017-10362, CVE-2017-10363, CVE-2017-10364, CVE-2017-10365, CVE-2017-10366, CVE-2017-10367, CVE-2017-10368, CVE-2017-10369, CVE-2017-10370, CVE-2017-10372, CVE-2017-10373, CVE-2017-10375, CVE-2017-10378, CVE-2017-10379, CVE-2017-10380, CVE-2017-10381, CVE-2017-10382, CVE-2017-10383, CVE-2017-10384, CVE-2017-10385, CVE-2017-10386, CVE-2017-10387, CVE-2017-10388, CVE-2017-10389, CVE-2017-10391, CVE-2017-10392, CVE-2017-10393, CVE-2017-10394, CVE-2017-10395, CVE-2017-10396, CVE-2017-10397, CVE-2017-10398, CVE-2017-10399, CVE-2017-10400, CVE-2017-10401, CVE-2017-10402, CVE-2017-10403, CVE-2017-10404, CVE-2017-10405, CVE-2017-10406, CVE-2017-10407, CVE-2017-10408, CVE-2017-10409, CVE-2017-10410, CVE-2017-10411, CVE-2017-10412, CVE-2017-10413, CVE-2017-10414, CVE-2017-10415, CVE-2017-10416, CVE-2017-10417, CVE-2017-10418, CVE-2017-10419, CVE-2017-10420, CVE-2017-10421, CVE-2017-10422, CVE-2017-10423, CVE-2017-10424, CVE-2017-10425, CVE-2017-10426, CVE-2017-10427, CVE-2017-10428, CVE-2017-3167, CVE-2017-3444, CVE-2017-3445, CVE-2017-3446, CVE-2017-3588, CVE-2017-3731, CVE-2017-3732, CVE-2017-3733, CVE-2017-5461, CVE-2017-5662, CVE-2017-5664
Suggested action
CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly.
References
http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html