Number: AV18-012
Date: 17 January 2018
Purpose
The purpose of this advisory is to bring attention to the quarterly updates released for Oracle products.
Assessment
Oracle has issued a Critical Patch Update which contains multiple new security fixes across multiple Oracle products and versions.
Affected Product Versions:
- Agile Material and Equipment Management for Pharmaceuticals, versions 9.3.3, 9.3.4
- Application Express, versions prior to 5.1.4.00.08
- Converged Commerce, version 16.0.1
- Hyperion BI+, version 11.1.2.4
- Hyperion Data Relationship Management, version 11.1.2.4.330
- Integrated Lights Out Manager (ILOM), versions 3.x, 4.x
- Java Advanced Management Console, version 2.8
- Java ME SDK, version 8.3
- JD Edwards EnterpriseOne Tools, version 9.2
- MICROS Handheld Terminal, versions prior to BSP 02.13.0701 (070116)
- MICROS Relate CRM Software, versions 10.8.x, 11.4.x, 15.0.x
- MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
- MySQL Connectors, versions 5.3.9 and prior, 6.9.9 and prior, 6.10.4 and prior
- MySQL Enterprise Monitor, versions 3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior
- MySQL Server, versions 5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
- Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0
- Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1
- Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
- Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6
- Oracle Argus Safety, versions 7.x, 8.0.x, 8.1
- Oracle Autovue for Agile Product Lifecycle Management, versions 21.0.0, 21.0.1
- Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0
- Oracle Banking Payments, versions 12.3.0, 12.4.0
- Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle Communications Application Session Controller, version 3.x
- Oracle Communications BRM - Elastic Charging Engine, version 7.5
- Oracle Communications Convergent Charging Controller, version 6.0
- Oracle Communications Network Charging and Control, version 6.0
- Oracle Communications Order and Service Management, versions 7.2.4.1.x, 7.2.4.2.x, 7.3.0.1.x, 7.3.0.x.x
- Oracle Communications Services Gatekeeper, versions 5.1, 6.0
- Oracle Communications Unified Inventory Management, versions 7.2.4.2.x, 7.3
- Oracle Communications User Data Repository, versions 10.x, 12.x
- Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
- Oracle Directory Server Enterprise Edition, version 11.1.1.7.0
- Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
- Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0
- Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.5.x, 8.0.x
- Oracle Financial Services Analytical Applications Reconciliation Framework, version 8.0.x
- Oracle Financial Services Asset Liability Management, versions 6.1.x, 8.0.x
- Oracle Financial Services Balance Sheet Planning, version 8.0.x
- Oracle Financial Services Funds Transfer Pricing, versions 6.1.x, 8.0.x
- Oracle Financial Services Hedge Management and IFRS Valuations, version 8.0.x
- Oracle Financial Services Liquidity Risk Management, version 8.0.x
- Oracle Financial Services Loan Loss Forecasting and Provisioning, version 8.0.x
- Oracle Financial Services Market Risk, version 8.0.x
- Oracle Financial Services Market Risk Measurement and Management, version 8.0.5
- Oracle Financial Services Price Creation and Discovery, version 8.0.5
- Oracle Financial Services Profitability Management, versions 6.1.x, 8.0.x
- Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
- Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0
- Oracle Fusion Applications, versions 11.1.2 through 11.1.9
- Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3
- Oracle Health Sciences Empirica Inspections, version 1.0.1.1
- Oracle Health Sciences Empirica Signal, version 8.0.1.0
- Oracle Hospitality Cruise Dining Room Management, version 8.0.78
- Oracle Hospitality Cruise Fleet Management, version 9.0.4.0
- Oracle Hospitality Cruise Shipboard Property Management System, version 7.3.874
- Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1
- Oracle Hospitality Labor Management, versions 8.5.1, 9.0.0
- Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0
- Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9
- Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle Hyperion Planning, version 11.1.2.4.007
- Oracle Identity Manager, version 11.1.2.3.0
- Oracle Identity Manager Connector, versions 9.0.4.20.6, 9.0.4.21.0, 9.0.4.25.4
- Oracle Internet Directory, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0
- Oracle iPlanet Web Server, version 7.0
- Oracle Java SE, versions 6u171, 7u161, 8u152, 9.0.1
- Oracle Java SE Embedded, version 8u151
- Oracle JDeveloper, versions 11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0
- Oracle JRockit, version R28.3.16
- Oracle Mobile Security Suite, version 3.0.1
- Oracle Retail Assortment Planning, versions 14.1.3, 15.0.3, 16.0.1
- Oracle Retail Convenience and Fuel POS Software, version 2.1.132
- Oracle Retail Customer Management and Segmentation Foundation, versions 10.8.x, 11.4.x, 15.0.x, 16.0.x
- Oracle Retail Fiscal Management, version 14.1
- Oracle Retail Merchandising System, version 16.0
- Oracle Retail Workforce Management, versions 1.60.7, 1.64.0
- Oracle Secure Global Desktop (SGD), version 5.3
- Oracle Transportation Management, versions 6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2, 6.4.3
- Oracle Tuxedo System and Applications Monitor, version 12.1.3.0.0
- Oracle VM VirtualBox, versions prior to 5.1.32, prior to 5.2.6
- Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle WebCenter Sites, version 11.1.1.8.0
- Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0
- Oracle X86 Servers, versions SW 1.x, SW 2.x
- OSS Support Tools, versions prior to 2.11.33
- PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina, version 9.1
- PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil, version 9.1
- PeopleSoft Enterprise FSCM, version 9.2
- PeopleSoft Enterprise HCM Human Resources, versions 9.1, 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56
- PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00
- PeopleSoft Enterprise SCM eProcurement, versions 9.1, 9.2
- PeopleSoft Enterprise SCM Purchasing, version 9.2
- Primavera Unifier, versions 10.x, 15.x, 16.x, 17.x
- Siebel Applications, versions 16.0, 17.0
- Solaris, versions 10, 11.3
- Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.13
CVE References: CVE-2013-2566, CVE-2014-0114, CVE-2014-7817, CVE-2014-9402, CVE-2015-0293, CVE-2015-1472, CVE-2015-2808, CVE-2015-3195, CVE-2015-3253, CVE-2015-4852, CVE-2015-7501, CVE-2015-7547, CVE-2015-7940, CVE-2016-0635, CVE-2016-0703, CVE-2016-0704, CVE-2016-0800, CVE-2016-1181, CVE-2016-1182, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2109, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-2518, CVE-2016-2550, CVE-2016-4449, CVE-2016-5385, CVE-2016-5387, CVE-2016-6302, CVE-2016-6303, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-6814, CVE-2016-7052, CVE-2016-7055, CVE-2016-7977, CVE-2016-8735, CVE-2016-9878, CVE-2017-0781, CVE-2017-0782, CVE-2017-0783, CVE-2017-0785, CVE-2017-3730, CVE-2017-3731, CVE-2017-3732, CVE-2017-3733, CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738, CVE-2017-5461, CVE-2017-5645, CVE-2017-5664, CVE-2017-5715, CVE-2017-9072, CVE-2017-9798, CVE-2017-10068, CVE-2017-10262, CVE-2017-10273, CVE-2017-10282, CVE-2017-10301, CVE-2017-10352, CVE-2017-12617, CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2018-2560, CVE-2018-2561, CVE-2018-2562, CVE-2018-2564, CVE-2018-2565, CVE-2018-2566, CVE-2018-2567, CVE-2018-2568, CVE-2018-2569, CVE-2018-2570, CVE-2018-2571, CVE-2018-2573, CVE-2018-2574, CVE-2018-2575, CVE-2018-2576, CVE-2018-2577, CVE-2018-2578, CVE-2018-2579, CVE-2018-2580, CVE-2018-2581, CVE-2018-2582, CVE-2018-2583, CVE-2018-2584, CVE-2018-2585, CVE-2018-2586, CVE-2018-2588, CVE-2018-2589, CVE-2018-2590, CVE-2018-2591, CVE-2018-2592, CVE-2018-2593, CVE-2018-2594, CVE-2018-2595, CVE-2018-2596, CVE-2018-2597, CVE-2018-2599, CVE-2018-2600, CVE-2018-2601, CVE-2018-2602, CVE-2018-2603, CVE-2018-2604, CVE-2018-2605, CVE-2018-2606, CVE-2018-2607, CVE-2018-2608, CVE-2018-2609, CVE-2018-2610, CVE-2018-2611, CVE-2018-2612, CVE-2018-2613, CVE-2018-2614, 
CVE-2018-2615, CVE-2018-2616, CVE-2018-2617, CVE-2018-2618, CVE-2018-2619, CVE-2018-2620, CVE-2018-2621, CVE-2018-2622, CVE-2018-2623, CVE-2018-2624, CVE-2018-2625, CVE-2018-2626, CVE-2018-2627, CVE-2018-2629, CVE-2018-2630, CVE-2018-2631, CVE-2018-2632, CVE-2018-2633, CVE-2018-2634, CVE-2018-2635, CVE-2018-2636, CVE-2018-2637, CVE-2018-2638, CVE-2018-2639, CVE-2018-2640, CVE-2018-2641, CVE-2018-2642, CVE-2018-2643, CVE-2018-2644, CVE-2018-2645, CVE-2018-2646, CVE-2018-2647, CVE-2018-2648, CVE-2018-2649, CVE-2018-2650, CVE-2018-2651, CVE-2018-2652, CVE-2018-2653, CVE-2018-2654, CVE-2018-2655, CVE-2018-2656, CVE-2018-2657, CVE-2018-2658, CVE-2018-2659, CVE-2018-2660, CVE-2018-2661, CVE-2018-2662, CVE-2018-2663, CVE-2018-2664, CVE-2018-2665, CVE-2018-2666, CVE-2018-2667, CVE-2018-2668, CVE-2018-2669, CVE-2018-2670, CVE-2018-2671, CVE-2018-2672, CVE-2018-2673, CVE-2018-2674, CVE-2018-2675, CVE-2018-2676, CVE-2018-2677, CVE-2018-2678, CVE-2018-2679, CVE-2018-2680, CVE-2018-2681, CVE-2018-2682, CVE-2018-2683, CVE-2018-2684, CVE-2018-2685, CVE-2018-2686, CVE-2018-2687, CVE-2018-2688, CVE-2018-2689, CVE-2018-2690, CVE-2018-2691, CVE-2018-2692, CVE-2018-2693, CVE-2018-2694, CVE-2018-2695, CVE-2018-2696, CVE-2018-2697, CVE-2018-2698, CVE-2018-2699, CVE-2018-2700, CVE-2018-2701, CVE-2018-2702, CVE-2018-2703, CVE-2018-2704, CVE-2018-2705, CVE-2018-2706, CVE-2018-2707, CVE-2018-2708, CVE-2018-2709, CVE-2018-2710, CVE-2018-2711, CVE-2018-2712, CVE-2018-2713, CVE-2018-2714, CVE-2018-2715, CVE-2018-2716, CVE-2018-2717, CVE-2018-2719, CVE-2018-2720, CVE-2018-2721, CVE-2018-2722, CVE-2018-2723, CVE-2018-2724, CVE-2018-2725, CVE-2018-2726, CVE-2018-2727, CVE-2018-2728, CVE-2018-2729, CVE-2018-2730, CVE-2018-2731, CVE-2018-2732, CVE-2018-2733
Suggested Action
CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization’s critical services, and follow their patch management process accordingly.
References:
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html