Oracle Releases Quarterly Security Patch Updates - October 2020
As part of Hub City Media's ongoing efforts to keep Oracle IAM environments secure, we are advising clients that Oracle has released its quarterly Security Patch Updates for October 2020.
We have evaluated these updates and summarized the critical patches that may be required in client environments. To maintain the best possible security posture, please review these patches with your team and schedule them for the affected systems.
For assistance with applying these patches, contact us.
Java SE 7
Subcomponent(s): Hotspot, JNDI, Libraries, Serialization
Patch Number: 13079846
Vulnerability Details: Difficult-to-exploit vulnerabilities allow unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker; others do not.
Successful attacks can result in:
unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded
Java SE 8
Subcomponent(s): Hotspot, JNDI, Libraries, Serialization
Patch Number: 18143322
Vulnerability Details: Difficult-to-exploit vulnerabilities allow unauthenticated attackers with network access via multiple protocols to compromise Java SE and Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker; others do not.
Successful attacks can result in:
unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data
unauthorized read access to a subset of Java SE, Java SE Embedded accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded
WebLogic Server 12.2.1.3
Subcomponent(s): Centralized Thirdparty Jars, Console, Core, Web Services, jQuery
Patch Number: 31961038 (Patch Set Update)
Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerabilities are in WebLogic Server, attacks may significantly impact additional products. There is also a difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks on this vulnerability require human interaction from a person other than the attacker.
Successful attacks can result in:
takeover of Oracle WebLogic Server
unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data
WebLogic Server 10.3.6
Subcomponent(s): Console, Core, jQuery, Apache Log4j
Patch Number: 31641257 (Patch Set Update)
Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerabilities are in WebLogic Server, attacks may significantly impact additional products. There is also a difficult-to-exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks on this vulnerability require human interaction from a person other than the attacker. A further difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via SMTPS to compromise Oracle WebLogic Server.
Successful attacks can result in:
takeover of Oracle WebLogic Server
unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data
unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data
unauthorized read access to a subset of Oracle WebLogic Server accessible data
Oracle Access Manager 11.1.2.3.0
Subcomponent(s): Web Server Plugin (RSA BSafe)
Patch Number: 31710235
Vulnerability Details: Easily exploitable vulnerability allows an unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager.
Successful attacks can result in:
Takeover of Oracle Access Manager
Oracle BI Publisher 12.2.1.3.0
Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service, BI Publisher Security (jQuery)
Patch Number: 31690029
Vulnerability Details: Easily exploitable vulnerabilities allow low-privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.
Successful attacks can result in:
Complete access to all BI Publisher accessible data
Unauthorized update, insert, and/or delete access to some BI Publisher accessible data
Unauthorized read access to a subset of BI Publisher accessible data
Oracle BI Publisher 11.1.1.9.0
Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service
Patch Number: 31943269
Vulnerability Details: Easily exploitable vulnerabilities allow low-privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.
Successful attacks can result in:
Complete access to all BI Publisher accessible data
Unauthorized update, insert, and/or delete access to some BI Publisher accessible data
Unauthorized read access to a subset of BI Publisher accessible data
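The WebLogic Server, Oracle Access Manager and BI Publisher patches above are applied with OPatch, so the quickest way to confirm a host is covered is to compare the output of `opatch lsinventory` against the patch numbers in this advisory. (The Java SE entries are delivered as updated JDK installs rather than OPatch patches and are checked with `java -version`, so they are not part of this check.) The script below is an added example written for this advisory, not Oracle's or Hub City Media's tooling; the inventory text it parses is a constructed sample, and the "Patch <id> : applied on <date>" line layout it relies on is an assumption based on typical OPatch output.

```python
import re
import sys

# Patch numbers taken from this advisory, keyed by the product they are listed under.
# Only the OPatch-applied products are included; the Java SE entries are JDK installs.
REQUIRED_PATCHES = {
    "WebLogic Server 12.2.1.3": {"31961038"},
    "WebLogic Server 10.3.6": {"31641257"},
    "Oracle Access Manager 11.1.2.3.0": {"31710235"},
    "Oracle BI Publisher 12.2.1.3.0": {"31690029"},
    "Oracle BI Publisher 11.1.1.9.0": {"31943269"},
}

# One line per interim patch in "opatch lsinventory" output, e.g.
#   Patch  31961038     : applied on Tue Oct 27 09:12:45 EDT 2020
# The exact spacing is an assumption; the regex tolerates any amount of whitespace.
_PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on\s+(.+?)\s*$", re.MULTILINE)


def installed_patches(lsinventory_text):
    """Return {patch_id: applied_on} for every interim patch found in the inventory text."""
    return {m.group(1): m.group(2) for m in _PATCH_LINE.finditer(lsinventory_text)}


def missing_patches(product, lsinventory_text):
    """Return the advisory patch numbers for `product` that are absent from the inventory."""
    return REQUIRED_PATCHES[product] - set(installed_patches(lsinventory_text))


def report(product, lsinventory_text):
    """Human-readable one-line verdict for a host, used by the CLI entry point below."""
    missing = missing_patches(product, lsinventory_text)
    if not missing:
        return f"{product}: OK, all advisory patches present"
    return f"{product}: MISSING {', '.join(sorted(missing))}"


# Constructed sample of "opatch lsinventory" output for a 12.2.1.3 Oracle Home.
# Paths, dates and descriptions are made up for the example.
SAMPLE_LSINVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.2.4
Oracle Home       : /u01/app/oracle/product/fmw12213

Interim patches (2) :

Patch  31961038     : applied on Tue Oct 27 09:12:45 EDT 2020
Patch description:  "WLS PATCH SET UPDATE (sample)"
   Created on 12 Oct 2020, 08:13:33 hrs PST8PDT

Patch  30675853     : applied on Wed Apr 29 14:02:11 EDT 2020
Patch description:  "OPATCH UTILITY (sample)"

OPatch succeeded.
"""


if __name__ == "__main__":
    # Usage: opatch lsinventory | python check_cpu.py "WebLogic Server 12.2.1.3"
    # With no stdin data the constructed sample is used so the script runs offline.
    product = sys.argv[1] if len(sys.argv) > 1 else "WebLogic Server 12.2.1.3"
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LSINVENTORY
    print(report(product, text))
```

One caveat when reading the result: Oracle Patch Set Updates are cumulative, so a host that received a later PSU will list that newer patch number and not the one above. Treat a "MISSING" verdict as a prompt to check the installed PSU's description and release date, not as proof the fix is absent.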
Oracle Solaris 11.4
Subcomponent(s): Pluggable authentication module, Kernel, Filesystem, Utility
Patch Number: 11.4.26.75.4
Vulnerability Details: Three vulnerabilities are addressed. An easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Solaris; while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. An easily exploitable vulnerability allows low-privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris; successful attacks require human interaction from a person other than the attacker. A difficult-to-exploit vulnerability allows low-privileged attackers with network access via SSH to compromise Oracle Solaris; successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.
Successful attacks can result in:
the takeover of Oracle Solaris
unauthorized access to critical data or complete access to all Oracle Solaris accessible data
unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris
unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris
unauthorized update, insert or delete access to some of Oracle Solaris accessible data
In addition to the patches above, Oracle has released patches for many other products in this update. The full list of affected products, which you may want to share within your organization, can be found here.