HUBCITYMEDIA


Oracle Releases Quarterly Security Patch Updates - October 2020

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising clients that Oracle has released its quarterly Security Patch Updates (the October 2020 Critical Patch Update).

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us


Java SE 7

Subcomponent(s): Hotspot, JNDI, Libraries, Serialization

 Patch Number: 13079846

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.

 Successful attacks can result in:

  • unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded

Java SE 8

Subcomponent(s): Hotspot, JNDI, Libraries, Serialization

 Patch Number: 18143322

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker, others do not.

 Successful attacks can result in:

  • unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

  • unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

  • unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded

WebLogic Server 12.2.1.3

Subcomponent(s): Centralized Thirdparty Jars, Console, Core, Web Services, jQuery

 Patch Number: Patchset 31961038

 Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerabilities are in WebLogic Server, attacks may significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks on this vulnerability require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • takeover of Oracle WebLogic Server

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized creation, insert, deletion or modification access to critical data or all Oracle WebLogic Server accessible data

WebLogic Server 10.3.6

Subcomponent(s): Console, Core, jQuery, Apache Log4j

 Patch Number: Patchset 31641257

 Vulnerability Details: Easily exploitable vulnerabilities allow both unauthenticated and highly privileged attackers with network access via HTTP, IIOP, or T3 to compromise Oracle WebLogic Server. Some successful attacks require human interaction from a person other than the attacker. While the vulnerabilities are in WebLogic Server, attacks may significantly impact additional products. There is also a difficult to exploit vulnerability that allows an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server; successful attacks on this vulnerability require human interaction from a person other than the attacker. A further difficult to exploit vulnerability allows an unauthenticated attacker with network access via SMTPS to compromise Oracle WebLogic Server.

 Successful attacks can result in:

  • takeover of Oracle WebLogic Server

  • unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

  • unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

  • unauthorized read access to a subset of Oracle WebLogic Server accessible data

Oracle Access Manager 11.1.2.3.0

Subcomponent(s): Web Server Plugin (RSA BSafe)

 Patch Number: 31710235 

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Access Manager

 Successful attacks can result in:

  • Takeover of Oracle Access Manager

Oracle BI Publisher 12.2.1.3.0

Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service, BI Publisher Security (jQuery)

 Patch Number: 31690029

 Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • Complete access to all BI Publisher accessible data

  • Unauthorized update, insert, and/or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

Oracle BI Publisher 11.1.1.9.0

Subcomponent(s): E-Business Suite - XDO, BI Publisher Security, Mobile Service

 Patch Number: 31943269

 Vulnerability Details: Easily exploitable vulnerability allows low privileged users with network access via HTTP to compromise BI Publisher. Attacks may significantly impact additional products. Some successful attacks require human interaction from a person other than the attacker.

 Successful attacks can result in:

  • Complete access to all BI Publisher accessible data

  • Unauthorized update, insert, and/or delete access to some BI Publisher accessible data

  • Unauthorized read access to a subset of BI Publisher accessible data

Oracle Solaris 11.4

Subcomponent(s): Pluggable authentication module, Kernel, Filesystem, Utility

 Patch Number: 11.4.26.75.4

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.  Easily exploitable vulnerability allows low privileged attackers with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker. Difficult to exploit vulnerability allows low privileged attackers with network access via SSH to compromise Oracle Solaris. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Solaris, attacks may significantly impact additional products.

 Successful attacks can result in:

  • the takeover of Oracle Solaris

  • unauthorized access to critical data or complete access to all Oracle Solaris accessible data 

  • unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris

  • unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

  • unauthorized update, insert or delete access to some of Oracle Solaris accessible data
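The quickest way to confirm that the WebLogic, Access Manager and BI Publisher patches above are actually in place is to read the Oracle Home's OPatch inventory rather than trusting a change ticket. The script below is an added example and not part of this advisory or of Oracle's tooling: it parses the text that `opatch lsinventory` prints for an Oracle Home and reports which of the advisory's patch IDs are missing. The patch IDs in `REQUIRED_PATCHES` are the ones listed on this page; the sample inventory embedded for offline use is constructed, and its dates, unique patch IDs, bug numbers, descriptions and the extra patch 30970477 are hypothetical.

```python
"""Check an OPatch inventory for the patch IDs listed in this advisory.

Added example (not Hub City Media's or Oracle's code). Run it against a
saved copy of `opatch lsinventory` output, e.g.:

    $ORACLE_HOME/OPatch/opatch lsinventory > lsinv.txt
    python check_cpu_oct2020.py lsinv.txt "WebLogic Server 12.2.1.3"

With no arguments it checks the constructed sample inventory below.
"""
import re
import sys
from typing import Dict, Iterable, Set

# Patch IDs taken from the advisory above, keyed by the product they apply to.
REQUIRED_PATCHES: Dict[str, Set[str]] = {
    "WebLogic Server 12.2.1.3": {"31961038"},
    "WebLogic Server 10.3.6": {"31641257"},
    "Oracle Access Manager 11.1.2.3.0": {"31710235"},
    "Oracle BI Publisher 12.2.1.3.0": {"31690029"},
    "Oracle BI Publisher 11.1.1.9.0": {"31943269"},
}

# OPatch prints one "Patch  <id>     : applied on <date>" line per interim patch.
_PATCH_LINE = re.compile(r"^Patch\s+(\d+)\s+:\s+applied on\s+(.+?)\s*$", re.M)

# Constructed sample of `opatch lsinventory` output for a 12.2.1.3 home.
# Paths, dates, unique patch IDs, bug numbers and patch 30970477 are hypothetical.
SAMPLE_LSINVENTORY = """\
Oracle Interim Patch Installer version 13.9.4.2.4

Oracle Home       : /u01/app/oracle/middleware
Central Inventory : /u01/app/oraInventory

Interim patches (2) :

Patch  31961038     : applied on Wed Oct 21 10:13:44 EDT 2020
Unique Patch ID:  23884321
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.201001"
   Created on 1 Oct 2020, 00:00:00 hrs PST8PDT
   Bugs fixed:
     31541741, 31470735

Patch  30970477     : applied on Tue Jul 21 09:02:11 EDT 2020
Unique Patch ID:  21920389
Patch description:  "Hypothetical earlier one-off patch"
   Created on 1 Jul 2020, 00:00:00 hrs PST8PDT
   Bugs fixed:
     30970477

--------------------------------------------------------------------------------

OPatch succeeded.
"""


def applied_patches(lsinventory_output: str) -> Dict[str, str]:
    """Return {patch_id: applied_on_text} for every interim patch in the output."""
    return {pid: date for pid, date in _PATCH_LINE.findall(lsinventory_output)}


def missing_patches(lsinventory_output: str, products: Iterable[str]) -> Dict[str, Set[str]]:
    """For each named product installed in this Oracle Home, return the
    advisory patch IDs that are not present in the inventory.

    Only pass the products actually installed in the home being checked; a
    10.3.6 patchset will never show up in a 12.2.1.3 inventory.
    """
    present = set(applied_patches(lsinventory_output))
    result: Dict[str, Set[str]] = {}
    for product in products:
        missing = REQUIRED_PATCHES[product] - present
        if missing:
            result[product] = missing
    return result


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
        products = sys.argv[2:] or ["WebLogic Server 12.2.1.3"]
    else:
        text = SAMPLE_LSINVENTORY
        products = ["WebLogic Server 12.2.1.3", "Oracle Access Manager 11.1.2.3.0"]

    gaps = missing_patches(text, products)
    if not gaps:
        print("All required patches present for:", ", ".join(products))
    for product, ids in gaps.items():
        print(f"{product}: MISSING {', '.join(sorted(ids))}")
    sys.exit(1 if gaps else 0)
```

The script exits non-zero when anything is missing, so it can gate a deployment pipeline or a scheduled compliance check. It only answers whether the patch is recorded in the inventory; a patched home still needs the managed servers restarted (and, for Solaris and Java SE, the updated SRU or JDK actually put on the path) before the fix is live.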

In addition to the patches above, Oracle has released fixes for many other products in this Critical Patch Update. The complete list of affected products, which you may want to share within your organization, can be found here.