SK-CERT Security Warning V20190717-01

Severity: Critical
Classification: Unclassified/TLP WHITE
CVSS Score: 9.8
Identifier
Critical vulnerabilities in Oracle products
Description
Oracle has released a set of security updates that fix 322 vulnerabilities across its product portfolio.
The most serious are the critical vulnerabilities in products belonging to the Oracle Communications, Primavera, Financial Services and JD Edwards product families. A remote, unauthenticated attacker could exploit these critical vulnerabilities to gain full control of the affected systems.
Further information about the security patches is available after logging in on Oracle's official website.
Date of first publication of the warning
16.07.2019
CVE
CVE-2014-0114, CVE-2015-0226, CVE-2015-0227, CVE-2015-9251, CVE-2016-0701, CVE-2016-1000031, CVE-2016-1181, CVE-2016-1182, CVE-2016-2183, CVE-2016-3473, CVE-2016-5007, CVE-2016-6306, CVE-2016-6497, CVE-2016-6814, CVE-2016-7103, CVE-2016-8610, CVE-2016-8735, CVE-2016-9572, CVE-2016-9878, CVE-2017-14735, CVE-2017-15095, CVE-2017-3164, CVE-2017-3735, CVE-2017-3736, CVE-2017-3737, CVE-2017-3738, CVE-2017-5645, CVE-2017-5647, CVE-2017-5664, CVE-2017-5715, CVE-2017-7525, CVE-2018-0732, CVE-2018-0733, CVE-2018-0734, CVE-2018-0735, CVE-2018-0737, CVE-2018-0739, CVE-2018-1000120, CVE-2018-1000121, CVE-2018-1000122, CVE-2018-1000180, CVE-2018-1000301, CVE-2018-1000613, CVE-2018-1000873, CVE-2018-11039, CVE-2018-11040, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057, CVE-2018-11058, CVE-2018-11307, CVE-2018-11775, CVE-2018-11784, CVE-2018-12022, CVE-2018-12023, CVE-2018-1257, CVE-2018-1258, CVE-2018-1270, CVE-2018-1271, CVE-2018-1272, CVE-2018-1275, CVE-2018-1304, CVE-2018-1305, CVE-2018-14719, CVE-2018-14720, CVE-2018-14721, CVE-2018-15756, CVE-2018-15769, CVE-2018-16890, CVE-2018-17189, CVE-2018-17197, CVE-2018-17199, CVE-2018-17960, CVE-2018-18311, CVE-2018-19360, CVE-2018-19361, CVE-2018-19362, CVE-2018-2883, CVE-2018-3111, CVE-2018-3315, CVE-2018-3316, CVE-2018-5407, CVE-2018-7489, CVE-2018-8013, CVE-2018-8034, CVE-2018-8039, CVE-2018-9861, CVE-2019-0190, CVE-2019-0192, CVE-2019-0196, CVE-2019-0197, CVE-2019-0199, CVE-2019-0211, CVE-2019-0215, CVE-2019-0217, CVE-2019-0220, CVE-2019-0222, CVE-2019-0232, CVE-2019-11358, CVE-2019-12086, CVE-2019-12814, CVE-2019-1543, CVE-2019-1559, CVE-2019-2484, CVE-2019-2561, CVE-2019-2569, CVE-2019-2599, CVE-2019-2666, CVE-2019-2668, CVE-2019-2672, CVE-2019-2725, CVE-2019-2727, CVE-2019-2728, CVE-2019-2729, CVE-2019-2730, CVE-2019-2731, CVE-2019-2732, CVE-2019-2733, CVE-2019-2735, CVE-2019-2736, CVE-2019-2737, CVE-2019-2738, CVE-2019-2739, CVE-2019-2740, CVE-2019-2741, CVE-2019-2742, CVE-2019-2743, CVE-2019-2744, 
CVE-2019-2745, CVE-2019-2746, CVE-2019-2747, CVE-2019-2748, CVE-2019-2749, CVE-2019-2750, CVE-2019-2751, CVE-2019-2752, CVE-2019-2753, CVE-2019-2754, CVE-2019-2755, CVE-2019-2756, CVE-2019-2757, CVE-2019-2758, CVE-2019-2759, CVE-2019-2760, CVE-2019-2761, CVE-2019-2762, CVE-2019-2763, CVE-2019-2764, CVE-2019-2766, CVE-2019-2767, CVE-2019-2768, CVE-2019-2769, CVE-2019-2770, CVE-2019-2771, CVE-2019-2772, CVE-2019-2773, CVE-2019-2774, CVE-2019-2775, CVE-2019-2776, CVE-2019-2777, CVE-2019-2778, CVE-2019-2779, CVE-2019-2780, CVE-2019-2781, CVE-2019-2782, CVE-2019-2783, CVE-2019-2784, CVE-2019-2785, CVE-2019-2786, CVE-2019-2787, CVE-2019-2788, CVE-2019-2789, CVE-2019-2790, CVE-2019-2791, CVE-2019-2792, CVE-2019-2793, CVE-2019-2794, CVE-2019-2795, CVE-2019-2796, CVE-2019-2797, CVE-2019-2798, CVE-2019-2799, CVE-2019-2800, CVE-2019-2801, CVE-2019-2802, CVE-2019-2803, CVE-2019-2804, CVE-2019-2805, CVE-2019-2807, CVE-2019-2808, CVE-2019-2809, CVE-2019-2810, CVE-2019-2811, CVE-2019-2812, CVE-2019-2813, CVE-2019-2814, CVE-2019-2815, CVE-2019-2816, CVE-2019-2817, CVE-2019-2818, CVE-2019-2819, CVE-2019-2820, CVE-2019-2821, CVE-2019-2822, CVE-2019-2823, CVE-2019-2824, CVE-2019-2825, CVE-2019-2826, CVE-2019-2827, CVE-2019-2828, CVE-2019-2829, CVE-2019-2830, CVE-2019-2831, CVE-2019-2832, CVE-2019-2833, CVE-2019-2834, CVE-2019-2835, CVE-2019-2836, CVE-2019-2837, CVE-2019-2838, CVE-2019-2839, CVE-2019-2840, CVE-2019-2841, CVE-2019-2842, CVE-2019-2843, CVE-2019-2844, CVE-2019-2845, CVE-2019-2846, CVE-2019-2847, CVE-2019-2848, CVE-2019-2850, CVE-2019-2852, CVE-2019-2853, CVE-2019-2854, CVE-2019-2855, CVE-2019-2856, CVE-2019-2857, CVE-2019-2858, CVE-2019-2859, CVE-2019-2860, CVE-2019-2861, CVE-2019-2862, CVE-2019-2863, CVE-2019-2864, CVE-2019-2865, CVE-2019-2866, CVE-2019-2867, CVE-2019-2868, CVE-2019-2869, CVE-2019-2870, CVE-2019-2871, CVE-2019-2873, CVE-2019-2874, CVE-2019-2875, CVE-2019-2876, CVE-2019-2877, CVE-2019-2878, CVE-2019-2879, CVE-2019-3822, CVE-2019-3823, CVE-2019-5597, 
CVE-2019-5598, CVE-2019-6129, CVE-2019-7317
Affected systems
Application Express, versions 5.1, 18.2
Diagnostic Assistant, versions prior to 2.12.36
Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
Enterprise Manager for Fusion Middleware, versions 13.2, 13.3
Enterprise Manager for Virtualization, versions 13.1, 13.2, 13.3
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
JD Edwards EnterpriseOne Tools, version 9.2
JD Edwards World Security, versions A9.3, A9.3.1, A9.4
MICROS Retail XBRi Loss Prevention, versions 10.8.0 – 10.8.3
MICROS Retail-J, versions 12.1.0, 12.1.1, 12.1.2, 13.1
MySQL Enterprise Monitor, versions 4.0.9 and prior, 8.0.14 and prior
MySQL Server, versions 5.6.44 and prior, 5.7.26 and prior, 8.0.16 and prior
MySQL Workbench, versions 8.0.16 and prior
Oracle Agile Engineering Data Management, versions 6.2.0, 6.2.1
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6
Oracle Application Testing Suite, versions 13.1, 13.2, 13.3
Oracle Banking Platform, versions 2.4.0 – 2.7.1
Oracle Berkeley DB, versions 12.1.6.1.23, 12.1.6.1.26, 12.1.6.1.29, 12.1.6.1.36, 12.1.6.2.23, 12.1.6.2.32
Oracle BI Publisher, version 11.1.1.9.0
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.4.0
Oracle Clusterware, version 12.1.0.2.0
Oracle Communications Application Session Controller, versions 3.7.1, 3.8.0
Oracle Communications Billing and Revenue Management, versions 7.5, 12.0
Oracle Communications Converged Application Server, versions 5.1, 7.0, 7.1
Oracle Communications Converged Application Server – Service Controller, versions 6.0, 6.1
Oracle Communications Convergence, version 3.0.2
Oracle Communications Diameter Signaling Router (DSR), versions 8.0, 8.1, 8.2, 8.3
Oracle Communications EAGLE (Software), versions 46.5, 46.6, 46.7
Oracle Communications Instant Messaging Server, version 10.0.1.2.0
Oracle Communications Interactive Session Recorder, versions 6.0, 6.1, 6.2
Oracle Communications Messaging Server, versions 8.0.2, 8.1.0
Oracle Communications Online Mediation Controller, version 6.1
Oracle Communications Unified, version 8.0.0.2.0
Oracle Data Integrator, version 12.2.1.3.0
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Oracle Demantra Demand Management, version 7.3.1.5.2
Oracle E-Business Suite, versions 12.1.1 – 12.1.3, 12.2.3 – 12.2.8
Oracle Endeca Information Discovery Integrator, version 3.2.0
Oracle Endeca Server, version 7.7.0
Oracle Enterprise Manager Base Platform, versions 12.1.0.5.0, 13.2.0.0.0, 13.3.0.0.0
Oracle Enterprise Repository, version 12.1.3.0.0
Oracle Financial Services – Regulatory Reporting for Reserve Bank of India – Lombard Risk Integration Pack, version 8.0.7
Oracle Financial Services – Regulatory Reporting for US Federal Reserve – Lombard Risk Integration Pack, versions 8.0.4 – 8.0.7
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3 – 7.3.5, 8.0.2 – 8.0.8
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.4 – 8.0.7
Oracle Financial Services Asset Liability Management, versions 8.0.4 – 8.0.7
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.4 – 8.0.7
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.4 – 8.0.7
Oracle Financial Services Data Foundation, versions 8.0.4 – 8.0.8
Oracle Financial Services Data Integration Hub, versions 8.0.5 – 8.0.7
Oracle Financial Services Funds Transfer Pricing, versions 8.0.4 – 8.0.7
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4 – 8.0.7
Oracle Financial Services Institutional Performance Analytics, versions 8.0.4 – 8.0.7
Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4, 8.0.5, 8.0.6
Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7, 8.0.8
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.2 – 8.0.7
Oracle Financial Services Market Risk Measurement and Management, versions 8.0.5, 8.0.6, 8.0.8
Oracle Financial Services Price Creation and Discovery, versions 8.0.4 – 8.0.7
Oracle Financial Services Profitability Management, versions 8.0.4 – 8.0.7
Oracle Financial Services Regulatory Reporting for European Banking Authority, versions 8.0.6, 8.0.7
Oracle Financial Services Regulatory Reporting for European Banking Authority – Integration Pack for Lombard Risk, versions 8.0.6, 8.0.7
Oracle Financial Services Regulatory Reporting for US Federal Reserve, versions 8.0.4 – 8.0.7
Oracle Financial Services Retail Customer Analytics, versions 8.0.4 – 8.0.6
Oracle Financial Services Revenue Management and Billing, versions 2.4.0.0, 2.4.0.1
Oracle FLEXCUBE Core Banking, versions 5.2.0, 11.6.0, 11.7.0, 11.8.0
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.0, 12.1
Oracle FLEXCUBE Investor Servicing, versions 12.0.1, 12.0.3, 12.0.4, 12.1.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0
Oracle FLEXCUBE Private Banking, versions 12.0.1, 12.0.3, 12.1.0
Oracle FLEXCUBE Universal Banking, versions 12.0.1 – 12.0.3, 12.1.0 – 12.4.0, 14.0.0 – 14.2.0
Oracle Global Lifecycle Management OPatchAuto, versions prior to 12.2.0.1.14
Oracle GraalVM Enterprise Edition, version 19.0.0
Oracle Hospitality Gift and Loyalty, versions 9.0.0, 9.1.0
Oracle Hospitality Guest Access, versions 4.2, 4.2.1
Oracle Hospitality Simphony, version 18.2.1
Oracle Hospitality Suite8, versions 8.9.6, 8.10.2, 8.11 – 8.14
Oracle HTTP Server, versions 12.1.3.0.0, 12.2.1.3.0
Oracle Hyperion Planning, version 11.1.2.4
Oracle Hyperion Workspace, version 11.1.2.4
Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0
Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.0.8
Oracle Insurance Calculation Engine, versions 9.7, 10.0, 10.1, 10.2
Oracle Insurance Data Foundation, versions 8.0.4 – 8.0.7
Oracle Insurance IFRS 17 Analyzer, versions 8.0.6, 8.0.7
Oracle Insurance Performance Insight, version 8.0.7
Oracle Insurance Policy Administration J2EE, versions 10.0, 10.1, 10.2, 11.0
Oracle Insurance Rules Palette, versions 10.0, 10.1, 10.2, 11.0
Oracle Java SE, versions 7u221, 8u212, 11.0.3, 12.0.1
Oracle Java SE Embedded, version 8u211
Oracle Outside In Technology, version 8.5.4
Oracle Retail Advanced Inventory Planning, version 15.0
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0
Oracle Retail Financial Integration, versions 14.0, 14.1, 15.0, 16.0
Oracle Retail Integration Bus, versions 15.0, 16.0
Oracle Retail Order Broker, versions 5.2, 15.0
Oracle Retail Order Management System, version 5.0
Oracle Retail Predictive Application Server, versions 14.0.3.26, 14.1.3.37, 15.0.3.100, 16.0
Oracle Retail Service Backbone, version 16.0.1
Oracle Retail Xstore Office, versions 7.0, 7.1
Oracle Retail Xstore Point of Service, versions 7.0, 7.1, 15.0, 16.0, 17.0, 18.0
Oracle Security Service, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0
Oracle SOA Suite, version 12.2.1.3.0
Oracle Solaris, versions 10, 11.3, 11.4
Oracle Transportation Management, version 6.3.7
Oracle Utilities Advanced Spatial and Operational Analytics, version 2.7.0.1
Oracle Utilities Framework, versions 4.3.0.2.0 – 4.3.0.6.0, 4.4.0.0.0
Oracle VM VirtualBox, versions prior to 5.2.32, prior to 6.0.10
Oracle WebCenter Sites, version 12.2.1.3.0
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
PeopleSoft Enterprise FIN Project Costing, version 9.2
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57
PeopleSoft Enterprise PT PeopleTools, versions 8.55, 8.56, 8.57
Primavera Analytics, version 18.8
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8
Primavera Unifier, versions 16.1, 16.2, 17.7 – 17.12, 18.8
Services Tools Bundle, version 19.2
Siebel Applications, versions 19.0 and prior
StorageTek Tape Analytics SW Tool, version 2.3.0
Sun ZFS Storage Appliance Kit (AK), version 8.8.3
System Utilities, version 19.1
Tape Virtual Storage Manager GUI, version 6.2
Consequences
Execution of malicious code and complete compromise of the confidentiality, integrity and availability of the system
Denial of service
Privilege escalation
Unauthorised access to sensitive data
Recommendations
We recommend that administrators update the affected systems without delay.
After remediating vulnerabilities that could have allowed remote code execution, it is good practice to inspect the system and to change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used.
Sources
https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html
https://www.cisecurity.org/advisory/oracle-quarterly-critical-patches-issued-july-16-2019_2019-073/
https://www.infosecurity-magazine.com/news/oracle-to-release-critical-patch/