HUBCITYMEDIA

April 2019: Oracle Releases Quarterly Security Patch Updates

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us.

Java SE


Product: Oracle Java SE

Component(s): RMI, Libraries, 2D

Patch Number: 13079846

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.

Successful attacks can result in:

  • Attacker takeover of Java SE

  • Ability to cause hangs or complete crashes of Java SE

  • Unauthorized complete manipulation of Java accessible data, including access, write, delete and modify.

Solaris

Product: Oracle Solaris

Component(s): IPS Package Manager, SunSSH, File Locking Services

Patch Number: 11.3.36.10.0

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols (including logon access) to compromise Oracle Solaris.

 

Successful attacks can result in:

  • Unauthorized read access to Solaris file systems

  • Partial Denial of Service (DoS)

  • Unauthorized complete manipulation of Solaris accessible data, including access, write, delete and modify

SOA

Product: Oracle SOA Suite

Component(s): Fabric Layer

Patch Number: 29625018

Vulnerability Details:

This patch update corrects vulnerabilities that allow unauthorized read access to a subset of Oracle SOA data and that allow an unauthenticated attacker with network access via HTTP to compromise Oracle SOA.

Successful attacks can result in:

  • Unauthorized read access to Oracle SOA data

  • Compromise of Oracle SOA by an unauthenticated attacker

WebLogic

Product: Oracle WebLogic Server

Component(s): WLS Core Components, EJB Container

Patch Number: 27820719

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through HTTP and T3 to compromise Oracle WebLogic Server.

Successful attacks can result in:

  • A takeover of Oracle WebLogic Server

BI Publisher (formerly XML Publisher)

Product: BI Publisher, version 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0

Subcomponent(s): BI Publisher Security

Patch Number: 29492717 

Vulnerability Details:

An easily exploitable vulnerability allows an unauthenticated, high-privileged or low-privileged attacker with network access via HTTP to compromise BI Publisher. This vulnerability may impact additional products.

Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all BI Publisher accessible data

  • Unauthorized update, insert or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

Oracle HTTP Server (OHS)

Product: Oracle HTTP Server, version 12.2.1.3.0

Subcomponent(s): Web Listener (curl)

Patch Number: 29407043

Vulnerability Details:

The supported version affected is 12.2.1.3.0. An easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

Successful attacks can result in:

  • Takeover of Oracle HTTP Server

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.