Oracle Releases Quarterly Security Patch Updates - January 2020
As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising you that Oracle has released its quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
For assistance with applying these patches, contact us.
Oracle Identity Manager (OIM)
Product: Oracle Identity Management
Subcomponent(s): Advanced Console
Patch Number: 30338509
Vulnerability Details: Supported versions affected are 11.1.2.3.0 and 12.2.1.3.0. An easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise Identity Manager.
Successful attacks can result in:
Unauthorized update, insert or delete access to some of Identity Manager’s accessible data
Unauthorized read access to a subset of Identity Manager accessible data
WebLogic Server
Product: Oracle Weblogic Server
Subcomponent(s): WLS Core Components, Application Container - Java EE, Console
Patch Number: 30463097 - Estimated Availability January 31, 2020
Vulnerability Details: Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Other easily exploitable vulnerabilities allow a high privileged attacker with network access via HTTP, or with a logon to the infrastructure where WebLogic Server executes, to compromise Oracle WebLogic Server. Some of these vulnerabilities require human interaction, and while the vulnerability is in Oracle WebLogic Server, attacks might significantly impact additional products.
Successful attacks can result in:
Takeover of Weblogic Server
Unauthorized access to critical data or complete access to all accessible data
Unauthorized update, insert, or delete access to Weblogic accessible data
Unauthorized read access to subset of Weblogic accessible data
Unauthorized ability to cause partial denial of service
Java SE
Product: Java SE
Subcomponent(s): Serialization, Security, Networking, Libraries
Patch Number: 13079846
Vulnerability Details:
This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.
Successful attacks can result in:
Attacker takeover of Java SE
Unauthorized complete manipulation of Java accessible data, including access, write, delete, and modify
Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE
Compromise of Java SE by an unauthenticated attacker with network access via Kerberos
Oracle HTTP Server
Product: Oracle Fusion Middleware
Subcomponent(s): OSSL Module, Web Listener
Patch Number: 30654519
Vulnerability Details: Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTPS, or via HTTP, to compromise Oracle HTTP Server.
Successful attacks can result in:
Partial DOS of the HTTP Server
Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data
Oracle Solaris
Product: Oracle Solaris 11
Subcomponent(s): Consolidation Infrastructure, Filesystem, Kernel, X Window System, SMB Server
Patch Number: 30681152, 30681156
Vulnerability Details: A difficult to exploit vulnerability allows a low privileged attacker with a logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. An easily exploitable vulnerability allows a high privileged attacker with a logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris; while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. An easily exploitable vulnerability allows an unauthenticated attacker with network access via SMB to compromise Oracle Solaris.
Successful attacks can result in:
Takeover of Oracle Solaris
Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.
Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris
BI Publisher
Product: Oracle Business Intelligence Enterprise Edition
Subcomponent(s): Analytics Server and Analytics Web General (OpenSSL)
Patch Number: 30677050
Vulnerability Details:
Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.
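The first question most teams have after reading a list like the one above is which of these patches are already present in a given Oracle Home. The script below is an added example written for this summary; it is not Hub City Media's or Oracle's tooling. It assumes you run `opatch lsinventory` in the Oracle Home being checked and that OPatch reports each applied interim patch as a line of the form "Patch <number> : applied on <date>"; the inventory text embedded in the script is a constructed sample with a made-up date and unique patch ID. Pass only the products installed in that Oracle Home, since Solaris, for instance, is not patched through OPatch.

```python
"""Compare an `opatch lsinventory` listing with the patch numbers in this advisory.

Added example; not Hub City Media's or Oracle's tooling. It assumes the
inventory text comes from `opatch lsinventory` run in the Oracle Home being
checked, and that OPatch prints each applied interim patch as a line of the
form "Patch <number> : applied on <date>".
"""
import re
import sys
from typing import Dict, Iterable, List, Set

# Patch numbers exactly as listed in the advisory above, keyed by product.
ADVISORY_PATCHES: Dict[str, List[str]] = {
    "Oracle Identity Manager": ["30338509"],
    "WebLogic Server": ["30463097"],
    "Java SE": ["13079846"],
    "Oracle HTTP Server": ["30654519"],
    "Oracle Solaris": ["30681152", "30681156"],
    "BI Publisher": ["30677050"],
}

# One line per applied interim patch in the lsinventory output.
APPLIED_RE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\b", re.MULTILINE)


def applied_patches(lsinventory_output: str) -> Set[str]:
    """Return the set of patch numbers that OPatch reports as applied."""
    return set(APPLIED_RE.findall(lsinventory_output))


def missing_patches(lsinventory_output: str,
                    products: Iterable[str]) -> Dict[str, List[str]]:
    """Map each named product to the advisory patches absent from the inventory.

    Only products installed in the inspected Oracle Home should be passed.
    Products with nothing missing are omitted from the result.
    """
    applied = applied_patches(lsinventory_output)
    missing: Dict[str, List[str]] = {}
    for product in products:
        gaps = [n for n in ADVISORY_PATCHES[product] if n not in applied]
        if gaps:
            missing[product] = gaps
    return missing


# Constructed sample of lsinventory output: the WebLogic patch is applied,
# the Oracle HTTP Server patch is not. The date and unique ID are made up.
SAMPLE_LSINVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.2.1
Interim patches (1) :

Patch  30463097     : applied on Fri Feb 07 10:12:33 EST 2020
Unique Patch ID:  00000000
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.200114"
   Created on 14 Jan 2020, 05:34:23 hrs PST8PDT
   Bugs fixed:
     30463097

OPatch succeeded.
"""


def report(lsinventory_output: str, products: Iterable[str]) -> int:
    """Print a summary and return 1 if any advisory patch is missing, else 0."""
    missing = missing_patches(lsinventory_output, products)
    if not missing:
        print("All advisory patches for the selected products are applied.")
        return 0
    for product, numbers in missing.items():
        print(f"{product}: missing patch(es) {', '.join(numbers)}")
    return 1


if __name__ == "__main__":
    # Pipe real output in (`opatch lsinventory | python check_patches.py`);
    # with no piped input the constructed sample is checked instead.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSINVENTORY
    sys.exit(report(text, ["WebLogic Server", "Oracle HTTP Server"]))
```

The non-zero exit status makes the check easy to wire into a scheduled job or a configuration-management run, so an Oracle Home that falls behind this advisory is flagged rather than silently left unpatched.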
In addition to the patches above, Oracle has released patches for several other products. The entire list of products, which you may want to share within your organization, can be found here.