Oracle Releases Quarterly Security Patch Updates - July 2020
As part of Hub City Media's ongoing effort to keep Oracle IAM environments secure, we are advising that Oracle has released its quarterly Critical Patch Update (CPU) for July 2020.
We have evaluated the release and summarized below the patches most likely to be required in client environments. To maintain the best possible security posture, review these patches with your team and schedule them for testing and deployment.
For assistance with applying these patches, contact us.
Oracle BI Publisher 11.1.1.9.0
Subcomponent(s): Mobile Service, Layout Templates
Patch Number: 31525202
Vulnerability Details: Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data, as well as unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data.
Oracle BI Publisher 12.2.1.3.0
Subcomponent(s): Mobile Service, Layout Templates, BI Publisher Security
Patch Number: 31525202, 31178889
Vulnerability Details: Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle BI Publisher. While the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products.
Successful attacks can result in:
Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data, as well as unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data.
Oracle Solaris
Subcomponent(s): Kernel, Operating System Image, Packaging Scripts, libsuri, Device Driver Utility
Patch Number: 11.4.23.69.3 (delivered as an Oracle Solaris 11.4 Support Repository Update, not as an interim patch)
Vulnerability Details:
Easily exploitable vulnerability allows a low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Difficult to exploit vulnerability allows a low privileged attacker with network access via multiple protocols to compromise Oracle Solaris.
Easily exploitable vulnerability allows an unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit.
Easily exploitable vulnerability allows a high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.
Successful attacks can result in:
Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle Solaris
Unauthorized read access to a subset of Oracle Solaris accessible data
Takeover of Oracle ZFS Storage Appliance Kit
Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data
Takeover of Oracle Solaris
Oracle Unified Directory 11.1.2.3.0
Subcomponent(s): Security
Patch Number: 31541461
Vulnerability Details: Easily exploitable vulnerability allows a high privileged attacker with network access via HTTP to compromise Oracle Unified Directory. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Unified Directory, attacks may significantly impact additional products.
Successful attacks can result in:
Unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data
Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle Unified Directory
WebLogic Server 10.3.6
Subcomponent(s): Security Service, Core, Console, Log4j, Web Container, Web Services
Patch Number: 31178492 (Patch Set Update), 31241365 (ADR Patch)
Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP or T3 to compromise Oracle WebLogic Server. Some attacks require human interaction from a person other than the attacker, and while the vulnerability is in WebLogic Server, such attacks may significantly impact additional products. These vulnerabilities have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Oracle WebLogic Server
Unauthorized creation, deletion or modification access to all Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data.
Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
WebLogic Server 12.2.1.3
Subcomponent(s): Centralized Thirdparty Jars (jackson-databind), Security Service, Core, Centralized Thirdparty Jars (Log4j), Console (Log4j), Web Container, Sample apps, Web Services
Patch Number: 31535411 (Patch Set Update), 31544340 (ADR Patch)
Vulnerability Details: Easily exploitable vulnerabilities allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP or T3 to compromise Oracle WebLogic Server, with confidentiality, integrity and availability impacts. Some of these attacks require human interaction from a person other than the attacker, and while the vulnerability is in WebLogic Server, such attacks may significantly impact additional products. Separately, difficult to exploit vulnerabilities that require human interaction allow an unauthenticated attacker with network access via HTTP to compromise WebLogic Server; these also have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Oracle WebLogic Server
Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data
Unauthorized read access to a subset of Oracle WebLogic Server accessible data
Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
Unauthorized ability to cause a hang or frequently repeatable crash (complete DoS) of Oracle WebLogic Server
Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
Java SE 7
Subcomponent(s): Libraries, 2D, JAXP, JSSE
Patch Number: 13079846 (Java SE 7 Update 271)
Vulnerability Details: A difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded; some successful attacks require human interaction from a person other than the attacker. Easily exploitable vulnerabilities likewise allow unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded; successful attacks require human interaction from a person other than the attacker. In both cases, while the vulnerability is in Java SE and Java SE Embedded, attacks may significantly impact additional products, and the vulnerabilities have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Java SE, Java SE Embedded
Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
Unauthorized ability to cause a partial denial of service (partial DoS) of Java SE, Java SE Embedded
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
Java SE 8
Subcomponent(s): Libraries, 2D, JAXP, JSSE
Patch Number: 18143322 (Java SE 8 Update 261)
Vulnerability Details: A difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded; some successful attacks require human interaction from a person other than the attacker. Easily exploitable vulnerabilities likewise allow unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded; successful attacks require human interaction from a person other than the attacker. In both cases, while the vulnerability is in Java SE and Java SE Embedded, attacks may significantly impact additional products, and the vulnerabilities have confidentiality, integrity and availability impacts.
Successful attacks can result in:
Takeover of Java SE, Java SE Embedded
Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data
Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
Unauthorized ability to cause a partial denial of service (partial DoS) of Java SE, Java SE Embedded
Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
In addition to the patches above, Oracle has released patches for many other products in this CPU. The full list of affected products, which you may want to share within your organization, is in Oracle's Critical Patch Update Advisory for July 2020 (https://www.oracle.com/security-alerts/cpujul2020.html).
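Before scheduling any of the interim patches above, it helps to know which ones a given Oracle Home already has. The script below is an added example (it is not Hub City Media's or Oracle's code): it parses the "Interim patches" section of captured `opatch lsinventory` output and compares it against the patch IDs listed on this page, and it checks a captured `java -version` banner against the Java SE 7u271 / 8u261 levels delivered by this CPU. The inventory text embedded in it is constructed for illustration (the Unique Patch IDs and timestamps in it are made up), and the script assumes you have already saved the command output to text on the host being reviewed.

```python
"""Check captured Oracle patch inventory output against the July 2020 CPU list.

Added example, not part of the original advisory. Assumes `opatch lsinventory`
and `java -version` output have been captured to text beforehand.
"""
import re

# Interim patch IDs taken from the summary above, keyed by product.
REQUIRED_PATCHES = {
    "WebLogic Server 12.2.1.3": {"31535411", "31544340"},
    "WebLogic Server 10.3.6": {"31178492", "31241365"},
    "Oracle Unified Directory 11.1.2.3.0": {"31541461"},
    "Oracle BI Publisher 12.2.1.3.0": {"31525202", "31178889"},
    "Oracle BI Publisher 11.1.1.9.0": {"31525202"},
}

# Minimum Java SE update levels delivered by the July 2020 CPU (7u271, 8u261).
MIN_JAVA_UPDATE = {"1.7.0": 271, "1.8.0": 261}

# Constructed sample of `opatch lsinventory` output for a 12.2.1.3 Oracle Home:
# the July 2020 PSU is applied, the ADR patch is not. IDs/dates are made up.
SAMPLE_INVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.2.1
Interim patches (2) :

Patch  31535411     : applied on Wed Jul 22 09:14:03 EDT 2020
Unique Patch ID:  23647462
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.200624"
   Created on 24 Jun 2020, 03:51:12 hrs PST8PDT
   Bugs fixed:
     30970477, 31021105

Patch  30386660     : applied on Tue Feb 4 11:02:51 EST 2020
Unique Patch ID:  23303364
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.200103"
"""

# opatch prints one "Patch  <id>     : applied on <date>" line per interim patch.
PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on", re.MULTILINE)

# First line of `java -version`, e.g. java version "1.8.0_261-b12"
JAVA_VERSION = re.compile(r'version "(1\.[78]\.0)_(\d+)')


def applied_patches(inventory_text):
    """Return the set of interim patch IDs that opatch reports as applied."""
    return set(PATCH_LINE.findall(inventory_text))


def missing_patches(inventory_text, product):
    """Return the CPU patch IDs for `product` (see REQUIRED_PATCHES) not yet applied."""
    return sorted(REQUIRED_PATCHES[product] - applied_patches(inventory_text))


def java_needs_update(version_output):
    """True if a Java SE 7/8 `java -version` banner is below the July 2020 CPU level.

    Raises ValueError for banners that are not Java SE 7 or 8, since this page
    only lists patches for those two families.
    """
    match = JAVA_VERSION.search(version_output)
    if not match:
        raise ValueError("not a Java SE 7 or 8 version banner")
    family, update = match.group(1), int(match.group(2))
    return update < MIN_JAVA_UPDATE[family]


if __name__ == "__main__":
    gaps = missing_patches(SAMPLE_INVENTORY, "WebLogic Server 12.2.1.3")
    print("WebLogic 12.2.1.3 patches still missing:", ", ".join(gaps) or "none")
    for banner in ('java version "1.8.0_252"', 'java version "1.8.0_261"'):
        print(banner, "-> needs update:", java_needs_update(banner))
```

Run it against real output by replacing SAMPLE_INVENTORY with the contents of `opatch lsinventory` from the Oracle Home under review; the ADR patch ID (31544340) will be reported as missing for the constructed sample. For Solaris, compare the installed `pkg list entire` version against 11.4.23.69.3 instead, since that fix ships as an SRU rather than an interim patch.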