Oracle has released its quarterly security bulletin; the update contains fixes for 334 vulnerabilities.

The most dangerous of the patched vulnerabilities include:

CVE-2018-7489 – allows unauthenticated remote code execution on a server running an application that uses FasterXML jackson-databind. The vulnerability can be exploited by sending maliciously crafted data in JSON format.

CVE-2018-1275 – an attacker could send a crafted message to an application based on Spring Framework, which could result in remote code execution.

The products affected by the patch are:

Affected Products and Versions | Patch Availability Document
Agile Recipe Management for Pharmaceuticals, version 9.3.4 | Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.x | Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 12.1.0.5, 13.2.x | Enterprise Manager
Enterprise Manager for MySQL Database, versions 13.2.2.0.0 and prior | Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.8, 13.2.2 | Enterprise Manager
Enterprise Manager for Peoplesoft, versions 13.1.1.1, 13.2.1.1 | Enterprise Manager
Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3 | Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 | Enterprise Manager
FMW Platform, versions 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Hardware Management Pack, version 11.3 | Systems
Hyperion Data Relationship Management, version 11.1.2.4.330 | Fusion Middleware
Hyperion Financial Reporting, version 11.1.2 | Fusion Middleware
JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4 | JD Edwards
MICROS 700 Series Tablet, versions Prior to BIOS 0.00.13ORC, Prior to BIOS 0.01.25ORC | MICROS 700 Series Tablet
MICROS Handheld Terminal, versions 2018, Android 4.4.4 Security Patch Bulletin prior to February 1 | MICROS Handheld Terminal
MICROS Kitchen Display Controller, versions Prior to BIOS 0.00.16ORC | MICROS Kitchen Display System Hardware
MICROS Lucas, versions 2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6 | Retail Applications
MICROS Relate CRM Software, versions 10.8.x, 11.4.x | Retail Applications
MICROS Retail-J, versions 10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x | Retail Applications
MICROS Workstation 6, versions prior to BIOS 1.3.1.0, prior to BIOS 1.5.2.0, prior to BIOS 2.3.1.0 | MICROS Workstation
MICROS XBR, versions 7.0.2, 7.0.4 | Retail Applications
MySQL Client, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior | MySQL
MySQL Connectors, versions 5.3.10 and prior, 8.0.11 and prior | MySQL
MySQL Enterprise Monitor, versions 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior | MySQL
MySQL Server, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior | MySQL
MySQL Workbench, versions 6.3.10 and prior, 8.0.11 and prior | MySQL
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 | Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6 | Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 | Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware
Oracle Application Testing Suite, version 10.1 | Enterprise Manager
Oracle AutoVue VueLink Integration, versions 21.0.0, 21.0.1 | Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle Banking Payments, versions 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0 | Oracle Financial Services Applications
Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2 | Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle Communications Diameter Signaling Router (DSR), versions 7.x, 8.x | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE LNP Application Processor, version 10.x | Oracle Communications EAGLE LNP Application Processor
Oracle Communications Interactive Session Recorder, versions 5.x, 6.x | Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 3.x | Oracle Communications Convergence
Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 | Oracle Communications Network Charging and Control
Oracle Communications Policy Management, version 12.x | Oracle Communications Policy Management
Oracle Communications Session Border Controller, versions ECz7.x, ECz8.x | Oracle Communications Session Border Controller
Oracle Communications User Data Repository, versions 10.x, 12.x | Oracle Communications User Data Repository
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2 | Database
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | E-Business Suite
Oracle Endeca Information Discovery Studio, versions 3.1, 3.2 | Fusion Middleware
Oracle Enterprise Data Quality, version 12.2.1.3.0 | Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0 | Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3.x, 8.0.x | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, version 8.0.x | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Funds Transfer Pricing, versions 6.1.1, 8.0.x | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.4, 8.0.5 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Profitability Management, versions 6.1.1, 8.0.x | Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing, versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0 | Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle Fusion Middleware, versions 12.2.1.2, 12.2.1.3 | Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 12.2.1.2, 12.2.1.3 | Fusion Middleware
Oracle Global Lifecycle Management OPatchAuto, version All | Oracle Global Lifecycle Management OPatchAuto
Oracle Hospitality Cruise Fleet Management System, version 9.x | Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.x | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Gift and Loyalty, version 9.0.0 | Oracle Hospitality Gift and Loyalty
Oracle Hospitality OPERA 5 Property Services, version 5.5.x | Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.0.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.8, 2.9, 2.10 | Oracle Hospitality Simphony
Oracle iLearning, version 6.2 | iLearning
Oracle Insurance Policy Administration, versions 10.0, 10.1, 10.2, 11.0 | Oracle Insurance Applications
Oracle Internet Directory, version 11.1.1.9.0 | Fusion Middleware
Oracle Java SE, versions 6u191, 7u181, 8u172, 10.0.1 | Java SE
Oracle Java SE Embedded, version 8u171 | Java SE
Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle JRockit, version R28.3.18 | Java SE
Oracle Outside In Technology, version 8.5.3 | Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 | Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6 | Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 | Oracle Policy Automation
Oracle Retail Back Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Bulk Data Integration, version 16.0 | Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Clearance Optimization Engine, version 14.0.5 | Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.1.132 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.x, 17.x | Retail Applications
Oracle Retail Financial Integration, versions 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x | Retail Applications
Oracle Retail Integration Bus, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0 14.1.0, 14.0.x, 14.1.x, 15.0, 15.0.x, 16.0, 16.0.x | Retail Applications
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0 | Retail Applications
Oracle Retail Point-of-Sale, versions 14.0, 14.1 | Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1 | Retail Applications
Oracle Retail Predictive Application Server, version 15.0.3 | Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.0.x, 14.1.x, 15.0.x, 16.0.x | Retail Applications
Oracle Retail Service Layer, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x | Retail Applications
Oracle Secure Global Desktop, versions 5.3, 5.4 | Virtualization
Oracle SOA Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle SuperCluster Specific Software, versions prior to 2.5.0 | Systems
Oracle Transportation Management, versions 6.2, 6.3.7, 6.4.1 | Oracle Supply Chain Products
Oracle Tuxedo, versions 12.1.1, 12.1.3, 12.2.2 | Fusion Middleware
Oracle Utilities Framework, version 4.3.x | Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.x, 2.3.x | Oracle Utilities Applications
Oracle Utilities Work and Asset Management, version 1.9.1.2.12 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.16 | Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 | Fusion Middleware
OSS Support Tools, versions prior to 18.3 | Support Tools
PeopleSoft Enterprise CS Financial Aid, versions 9.0, 9.2 | PeopleSoft
PeopleSoft Enterprise FIN Install, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56 | PeopleSoft
PeopleSoft HRMS, version 9.2 | PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.x, 16.x, 17.x | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.x, 17.x, 18.x | Oracle Construction and Engineering Suite
Siebel Applications, version 18.0 | Siebel
Solaris, versions 10, 11.2, 11.3 | Systems
Solaris Cluster, versions 3.3, 4.3 | Systems
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.20 | Systems
Tape Library ACSLS, versions Prior to ACSLS 8.4.0-3 | Systems

CERT PSE encourages administrators to review the Oracle Critical Patch Update Advisory – July 2018 and apply the necessary updates.