Oracle July 2017 Critical Patch Update Multiple Vulnerabilities

by CIRT Team

Description: Oracle has released advance notification regarding the July 2017 Critical Patch Update (CPU) to be released on July 18, 2017. The update addresses 315 vulnerabilities affecting the following software:

•     Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
•     Oracle REST Data Services, versions prior to 3.0.10.25.02.36
•     Oracle API Gateway, version 11.1.2.4.0
•     Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
•     Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.0, 12.2.1.2.0
•     Oracle Data Integrator, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
•     Oracle Endeca Server, versions 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0, 7.7.0.0
•     Oracle Enterprise Data Quality, version 8.1.13.0.0
•     Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
•     Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.1, 12.2.1.2
•     Oracle OpenSSO, versions 3.0.0.7, 3.0.0.8
•     Oracle Outside In Technology, version 8.5.3.0
•     Oracle Secure Enterprise Search, version 11.2.2.2.0
•     Oracle Service Bus, versions 11.1.1.7.0, 11.1.1.9.0
•     Oracle Traffic Director, versions 11.1.1.7.0, 11.1.1.9.0
•     Oracle Tuxedo, version 12.1.1
•     Oracle Tuxedo System and Applications Monitor, versions 11.1.1.2.0, 11.1.1.2.1, 11.1.1.2.2, 12.1.1.1.0, 12.1.3.0.0, 12.2.2.0.0
•     Oracle WebCenter Content, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.1.1, 12.2.1.2.1
•     Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.1, 12.2.1.2
•     Hyperion Essbase, version 12.2.1.1
•     Enterprise Manager Base Platform, versions 12.1.0, 13.1.0, 13.2.0
•     Enterprise Manager Ops Center, versions 12.2.2, 12.3.2
•     Oracle Application Testing Suite, versions 12.5.0.2, 12.5.0.3
•     Oracle Business Transaction Management, versions 11.1.x, 12.1.x
•     Oracle Configuration Manager, versions prior to 12.1.2.0.4
•     Application Management Pack for Oracle E-Business Suite, versions AMP 12.1.0.4.0, AMP 13.1.1.1.0
•     Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
•     Oracle Agile PLM, versions 9.3.5, 9.3.6
•     Oracle Transportation Management, versions 6.1, 6.2, 6.3.4.1, 6.3.5.1, 6.3.6.1, 6.3.7.1, 6.4.0, 6.4.1, 6.4.2
•     PeopleSoft Enterprise FSCM, version 9.2
•     PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55
•     PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.0
•     Siebel Applications, versions 16.0, 17.0
•     Oracle Commerce Guided Search / Oracle Commerce Experience Manager, versions 6.1.4, 11.0, 11.1, 11.2
•     Oracle iLearning, version 6.2
•     Oracle Fusion Applications, versions 11.1.2 through 11.1.9
•     Oracle Communications BRM, versions 11.2.0.0.0, 11.3.0.0.0
•     Oracle Communications Convergence, versions 3.0, 3.0.1
•     Oracle Communications EAGLE LNP Application Processor, version 10.0
•     Oracle Communications Network Charging and Control, versions 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0
•     Oracle Communications Policy Management, version 11.5
•     Oracle Communications Session Router, versions ECZ730, SCZ730, SCZ740
•     Oracle Enterprise Communications Broker, version PCZ210
•     Oracle Enterprise Session Border Controller, version ECZ7.3.0
•     Financial Services Behavior Detection Platform, versions 8.0.1, 8.0.2
•     Oracle Banking Platform, versions 2.3, 2.4, 2.4.1, 2.5
•     Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
•     Oracle FLEXCUBE Private Banking, versions 2.0.0, 2.0.1, 2.2.0, 12.0.1
•     Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0
•     Hospitality Hotel Mobile, versions 1.01, 1.05, 1.1
•     Hospitality Property Interfaces, version 8.10.x
•     Hospitality Suite8, version 8.10.x
•     Hospitality WebSuite8 Cloud Service, versions 8.9.6, 8.10.x
•     MICROS BellaVita, version 2.7.x
•     MICROS PC Workstation 2015, versions Prior to O1302h
•     MICROS Workstation 650, versions Prior to E1500n
•     Oracle Hospitality 9700, version 4.0
•     Oracle Hospitality Cruise AffairWhere, version 2.2.05.062
•     Oracle Hospitality Cruise Dining Room Management, version 8.0.75
•     Oracle Hospitality Cruise Fleet Management, version 9.0
•     Oracle Hospitality Cruise Materials Management, version 7.30.562
•     Oracle Hospitality Cruise Shipboard Property Management System, version 8.0.0.0
•     Oracle Hospitality e7, version 4.2.1
•     Oracle Hospitality Guest Access, versions 4.2.0.0, 4.2.1.0
•     Oracle Hospitality Inventory Management, versions 8.5.1, 9.0.0
•     Oracle Hospitality Materials Control, version 8.31.4
•     Oracle Hospitality OPERA 5 Property Services, versions 5.4.0.x, 5.4.1.x, 5.4.3.x
•     Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0
•     Oracle Hospitality RES 3700, version 5.5
•     Oracle Hospitality Simphony, versions 2.8, 2.9
•     Oracle Hospitality Simphony First Edition, version 1.7.1
•     Oracle Hospitality Simphony First Edition Venue Management, version 3.9
•     Oracle Hospitality Suites Management, version 3.7
•     Oracle Payment Interface, version 6.1.1
•     Oracle Retail Allocation, versions 13.3.1, 14.0.4, 14.1.3, 15.0.1, 16.0.1
•     Oracle Retail Customer Insights, versions 15.0, 16.0
•     Oracle Retail Open Commerce Platform, versions 5.0, 5.1, 5.2, 5.3, 6.0, 6.1, 15.0, 15.1
•     Oracle Retail Warehouse Management System, versions 14.0.4, 14.1.3, 15.0.1
•     Oracle Retail Workforce Management, versions 1.60.7, 1.64.0
•     Oracle Retail Xstore Point of Service, versions 15.0.0, 15.0.1
•     Oracle Policy Automation, versions 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
•     Primavera Gateway, versions 1.0, 1.1, 14.2, 15.1, 15.2, 16.1, 16.2
•     Primavera P6 Enterprise Project Portfolio Management, versions 8.3, 8.4, 15.1, 15.2, 16.1, 16.2
•     Primavera Unifier, versions 9.13, 9.14, 10.1, 10.2, 15.1, 15.2, 16.1, 16.2
•     Java Advanced Management Console, version 2.6
•     Oracle Java SE, versions 6u151, 7u141, 8u131
•     Oracle Java SE Embedded, version 8u131
•     Oracle JRockit, version R28.3.14
•     Solaris, versions 10, 11
•     Solaris Cluster, version 4
•     Sun ZFS Storage Appliance Kit (AK), version AK 2013
•     Oracle VM VirtualBox, versions prior to 5.1.24
•     MySQL Cluster, versions 7.3.5 and prior
•     MySQL Connectors, versions 5.3.7 and prior, 6.1.10 and prior
•     MySQL Enterprise Monitor, versions 3.1.5.7958 and prior, 3.2.5.1141 and prior, 3.2.7.1204 and prior, 3.3.2.1162 and prior, 3.3.3.1199 and prior
•     MySQL Server, versions 5.5.56 and prior, 5.6.36 and prior, 5.7.18 and prior
•     Oracle Explorer, versions prior to 8.16

Impact: Exploiting the most severe of these vulnerabilities may potentially compromise the database server or the host operating system.

Mitigation: The vendor planned to release updates to address these issues on July 18, 2017. Please see the references for more information.

Reference URL’s:

• http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
• http://www.securityfocus.com/bid/99579/info

CIRT Team