October 2018: Oracle Releases Quarterly Security Patch Updates

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us.


Java SE


Component: Oracle Java SE 7

Sub-Component(s): Hotspot, JNDI, JSSE, Sound, Deployment (libpng), Security, Networking

Patch Number: 13079846

Vulnerability Details:

This Critical Patch Update contains 12 new security fixes for Oracle Java SE. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access, via multiple protocols, to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker, and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.

Successful attacks can result in:

  • Partial Denial of Service of Java SE

  • Unauthorized update, insert or delete access to some of Java SE

  • Takeover of Java SE

 

WebLogic Server

Component: Oracle WebLogic Server (version 10.3.6.0)

Sub-Component: WLS Core, sample apps (Spring Framework), WLS Web Services, Console

Patch Number: 28343311

Vulnerability Details:

Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP or T3 to compromise Oracle WebLogic Server. Successful exploitation of these vulnerabilities can result in takeover of Oracle WebLogic Server.

 

Oracle HTTP Server

Component: Oracle HTTP Server (version 12.2.1.3)

Sub-Component: Web Listener (curl)

Patch Number: 28281599

Vulnerability Details:

This difficult-to-exploit vulnerability allows an unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle HTTP Server.

 

Oracle Identity Manager

Component: Oracle Identity Manager (versions 11.1.2.3.0 and 12.2.3.1.0)

Sub-Component: Installer (jackson-databind)

Patch Number: 28768324

Vulnerability Details:

This critical patch contains an important fix to a recently discovered vulnerability in Oracle Identity Manager. The vulnerability allows an attacker with HTTP access to the network to compromise OIM. Attacks can allow unauthorized read-access to a subset of Oracle Identity Manager accessible data, as well as the ability to cause partial denial of service of Oracle Identity Manager.

 

BI Publisher

Component: BI Publisher (versions 11.1.1.7.0, 11.1.1.9.0)

Sub-Component: BI Publisher Security (Apache Log4j)

Patch Numbers: 28632415 and 28632479, respectively

Vulnerability Details:

This critical patch contains a fix to an exploitable vulnerability. This issue allows an attacker to compromise Oracle Business Intelligence Publisher through the network via HTTP access. A successful attack would result in the takeover of Oracle Business Intelligence Publisher.

 

JRockit

Component: JRockit (version R28.3)

Sub-Components: Scripting, JNDI, JSSE, Sound

Patch Number: 28414796

Vulnerability Details: JNDI

This critical patch contains a fix to difficult-to-exploit vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise JRockit. Some attacks require human interaction from a person other than the attacker. Attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of JRockit

  • Partial denial of service to JRockit

 

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.



With every patch update, our team ensures your Oracle system is up to date and running smoothly.
