SK-CERT Security Advisory V20201023-01

Severity: Critical
Classification: Unclassified/TLP WHITE
CVSS Score
9.8
Identifier
Oracle products – multiple vulnerabilities
Description
Oracle has released security updates for its product portfolio that fix multiple security vulnerabilities, including several rated critical.
The most severe of these vulnerabilities could be exploited by a remote unauthenticated attacker to execute malicious code and completely compromise the confidentiality, integrity and availability of the system.
Date of first publication of the advisory
20.10.2020 (last updated 22.10.2020)
CVE
CVE-2020-14735, CVE-2020-14740, CVE-2020-14741, CVE-2020-14742, CVE-2020-14744, CVE-2020-14745, CVE-2020-14752, CVE-2020-14758, CVE-2020-14759, CVE-2020-14762, CVE-2020-14763, CVE-2020-14764, CVE-2020-14767, CVE-2020-14768, CVE-2020-14770, CVE-2020-14772, CVE-2020-14774, CVE-2020-14778, CVE-2020-14780, CVE-2020-14781, CVE-2020-14783, CVE-2020-14784, CVE-2020-14787, CVE-2020-14788, CVE-2020-14790, CVE-2020-14792, CVE-2020-14796, CVE-2020-14797, CVE-2020-14798, CVE-2020-14808, CVE-2020-14815, CVE-2020-14816, CVE-2020-14817, CVE-2020-14819, CVE-2020-14820, CVE-2020-14822, CVE-2020-14823, CVE-2020-14825, CVE-2020-14826, CVE-2020-14828, CVE-2020-14831, CVE-2020-14833, CVE-2020-14834, CVE-2020-14835, CVE-2020-14840, CVE-2020-14841, CVE-2020-14842, CVE-2020-14843, CVE-2020-14849, CVE-2020-14850, CVE-2020-14851, CVE-2020-14854, CVE-2020-14855, CVE-2020-14856, CVE-2020-14857, CVE-2020-14859, CVE-2020-14861, CVE-2020-14862, CVE-2020-14863, CVE-2020-14864, CVE-2020-14867, CVE-2020-14871, CVE-2020-14872, CVE-2020-14875, CVE-2020-14876, CVE-2020-14879, CVE-2020-14880, CVE-2020-14881, CVE-2020-14882, CVE-2020-14883, CVE-2020-14884, CVE-2020-14885, CVE-2020-14886, CVE-2020-14889, CVE-2020-14890, CVE-2020-14892, CVE-2020-14893, CVE-2020-14897, CVE-2020-14898, CVE-2020-14899, CVE-2020-14900, CVE-2020-14901
IOC
Affected systems
Application Performance Management (APM) versions 13.3.0.0, 13.4.0.0
Big Data Spatial and Graph versions prior to 3.0
Enterprise Manager Base Platform versions 13.2.1.0, 13.3.0.0, 13.4.0.0
Enterprise Manager for Peoplesoft versions 13.4.1.1
Enterprise Manager for Storage Management versions 13.3.0.0, 13.4.0.0
Enterprise Manager Ops Center versions 12.4.0.0
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers versions prior to XCP2362, prior to XCP3090
Fujitsu M12-1, M12-2, M12-2S Servers versions prior to XCP3090
Hyperion Analytic Provider Services versions 11.1.2.4
Hyperion BI+ versions 11.1.2.4
Hyperion Essbase versions 11.1.2.4
Hyperion Infrastructure Technology versions 11.1.2.4
Hyperion Lifecycle Management versions 11.1.2.4
Hyperion Planning versions 11.1.2.4
Identity Manager Connector versions 9.0
Instantis EnterpriseTrack versions 17.1, 17.2, 17.3
Management Pack for Oracle GoldenGate versions 12.2.1.2.0
MySQL Cluster versions 7.3.30 and prior, 7.4.29 and prior, 7.5.19 and prior, 7.6.15 and prior, 8.0.21 and prior
MySQL Enterprise Monitor versions 8.0.21 and prior
MySQL Server versions 5.6.49 and prior, 5.7.31 and prior, 8.0.21 and prior
MySQL Workbench versions 8.0.21 and prior
Oracle Access Manager versions 11.1.2.3.0
Oracle Agile PLM versions 9.3.3, 9.3.5, 9.3.6
Oracle Agile Product Lifecycle Management for Process versions 6.2.0.0
Oracle Application Express versions prior to 20.2
Oracle Application Testing Suite versions 13.3.0.1
Oracle Banking Corporate Lending versions 12.3.0, 14.0.0-14.4.0
Oracle Banking Digital Experience versions 18.1, 18.2, 18.3, 19.1, 19.2, 20.1
Oracle Banking Payments versions 14.1.0-14.4.0
Oracle Banking Platform versions 2.4.0-2.10.0
Oracle BI Publisher versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle Business Intelligence Enterprise Edition versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle Business Process Management Suite versions 12.2.1.3.0, 12.2.1.4.0
Oracle Communications Application Session Controller versions 3.8m0, 3.9m0p1
Oracle Communications Billing and Revenue Management versions 7.5.0.23.0, 12.0.0.2.0, 12.0.0.3.0
Oracle Communications BRM – Elastic Charging Engine versions 11.3.0.9.0, 12.0.0.3.0
Oracle Communications Diameter Signaling Router (DSR) versions 8.0.0.0-8.4.0.5, [IDIH] 8.0.0-8.2.2
Oracle Communications EAGLE Software versions 46.6.0-46.8.2
Oracle Communications Element Manager versions 8.2.0-8.2.2
Oracle Communications Evolved Communications Application Server versions 7.1
Oracle Communications Messaging Server versions 8.1
Oracle Communications Offline Mediation Controller versions 12.0.0.3.0
Oracle Communications Services Gatekeeper versions 7
Oracle Communications Session Border Controller versions 8.2-8.4
Oracle Communications Session Report Manager versions 8.2.0-8.2.2
Oracle Communications Session Route Manager versions 8.2.0-8.2.2
Oracle Communications Unified Inventory Management versions 7.3.0, 7.4.0
Oracle Communications WebRTC Session Controller versions 7.2
Oracle Data Integrator versions 11.1.1.9.0, 12.2.1.3.0
Oracle Database Server versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c
Oracle E-Business Suite versions 12.1.1-12.1.3, 12.2.3-12.2.10
Oracle Endeca Information Discovery Integrator versions 3.2.0
Oracle Endeca Information Discovery Studio versions 3.2.0
Oracle Enterprise Repository versions 11.1.1.7.0
Oracle Enterprise Session Border Controller versions 8.4
Oracle Financial Services Analytical Applications Infrastructure versions 8.0.6-8.1.0
Oracle Financial Services Analytical Applications Reconciliation Framework versions 8.0.6-8.0.8, 8.1.0
Oracle Financial Services Asset Liability Management versions 8.0.6, 8.0.7, 8.1.0
Oracle Financial Services Balance Sheet Planning versions 8.0.8
Oracle Financial Services Basel Regulatory Capital Basic versions 8.0.6-8.0.8, 8.1.0
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach versions 8.0.6-8.0.8, 8.1.0
Oracle Financial Services Data Foundation versions 8.0.6-8.1.0
Oracle Financial Services Data Governance for US Regulatory Reporting versions 8.0.6-8.0.9
Oracle Financial Services Data Integration Hub versions 8.0.6, 8.0.7, 8.1.0
Oracle Financial Services Funds Transfer Pricing versions 8.0.6, 8.0.7, 8.1.0
Oracle Financial Services Hedge Management and IFRS Valuations versions 8.0.6-8.0.8, 8.1.0
Oracle Financial Services Institutional Performance Analytics versions 8.0.6, 8.0.7, 8.1.0, 8.7.0
Oracle Financial Services Liquidity Risk Management versions 8.0.6
Oracle Financial Services Liquidity Risk Measurement and Management versions 8.0.7, 8.0.8, 8.1.0
Oracle Financial Services Loan Loss Forecasting and Provisioning versions 8.0.6-8.0.8, 8.1.0
Oracle Financial Services Market Risk Measurement and Management versions 8.0.6, 8.0.8, 8.1.0
Oracle Financial Services Price Creation and Discovery versions 8.0.6, 8.0.7
Oracle Financial Services Profitability Management versions 8.0.6, 8.0.7, 8.1.0
Oracle Financial Services Regulatory Reporting for European Banking Authority versions 8.0.6-8.1.0
Oracle Financial Services Regulatory Reporting for US Federal Reserve versions 8.0.6-8.0.9
Oracle Financial Services Regulatory Reporting with AgileREPORTER versions 8.0.9.2.0
Oracle Financial Services Retail Customer Analytics versions 8.0.6
Oracle FLEXCUBE Core Banking versions 5.2.0, 11.5.0-11.7.0
Oracle FLEXCUBE Direct Banking versions 12.0.1, 12.0.2, 12.0.3
Oracle FLEXCUBE Private Banking versions 12.0.0, 12.1.0
Oracle FLEXCUBE Universal Banking versions 12.3.0, 14.0.0-14.4.0
Oracle GoldenGate Application Adapters versions 12.3.2.1.0, 19.1.0.0.0
Oracle GraalVM Enterprise Edition versions 19.3.3, 20.2.0
Oracle Health Sciences Empirica Signal versions 9.0
Oracle Healthcare Data Repository versions 7.0.1
Oracle Healthcare Foundation versions 7.1.1, 7.2.0, 7.2.1, 7.3.0
Oracle Hospitality Guest Access versions 4.2.0, 4.2.1
Oracle Hospitality Materials Control versions 18.1
Oracle Hospitality OPERA 5 Property Services versions 5.5, 5.6
Oracle Hospitality Reporting and Analytics versions 9.1.0
Oracle Hospitality RES 3700 versions 5.7
Oracle Hospitality Simphony versions 18.1, 18.2, 19.1.0-19.1.2
Oracle Hospitality Suite8 versions 8.10.2, 8.11-8.14
Oracle HTTP Server versions 12.2.1.3.0, 12.2.1.4.0
Oracle Insurance Accounting Analyzer versions 8.0.9
Oracle Insurance Allocation Manager for Enterprise Profitability versions 8.0.8, 8.1.0
Oracle Insurance Data Foundation versions 8.0.6-8.1.0
Oracle Insurance Insbridge Rating and Underwriting versions 5.0.0.0-5.6.0.0, 5.6.1.0
Oracle Insurance Policy Administration J2EE versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26, 11.2.2.0
Oracle Insurance Rules Palette versions 10.2.0.37, 10.2.4.12, 11.0.2.25, 11.1.0.15, 11.2.0.26
Oracle Java SE versions 7u271, 8u261, 11.0.8, 15
Oracle Java SE Embedded versions 8u261
Oracle JDeveloper versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle Managed File Transfer versions 12.2.1.3.0, 12.2.1.4.0
Oracle Outside In Technology versions 8.5.4, 8.5.5
Oracle Policy Automation versions 12.2.0-12.2.20
Oracle Policy Automation Connector for Siebel versions 10.4.6
Oracle Policy Automation for Mobile Devices versions 12.2.0-12.2.20
Oracle REST Data Services versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c, [Standalone ORDS] prior to 20.2.1
Oracle Retail Advanced Inventory Planning versions 14.1
Oracle Retail Assortment Planning versions 15.0.3.0, 16.0.3.0
Oracle Retail Back Office versions 14.0, 14.1
Oracle Retail Bulk Data Integration versions 15.0.3.0, 16.0.3.0
Oracle Retail Central Office versions 14.0, 14.1
Oracle Retail Customer Management and Segmentation Foundation versions 18.0, 19.0
Oracle Retail Integration Bus versions 14.1, 15.0, 16.0
Oracle Retail Order Broker versions 15.0, 16.0, 18.0, 19.0, 19.1, 19.2, 19.3
Oracle Retail Point-of-Service versions 14.0, 14.1
Oracle Retail Predictive Application Server versions 14.1.3.0, 15.0.3.0, 16.0.3.0
Oracle Retail Price Management versions 14.0.4, 14.1.3.0, 15.0.3.0, 16.0.3.0
Oracle Retail Returns Management versions 14.0, 14.1
Oracle Retail Service Backbone versions 14.1, 15.0, 16.0
Oracle Retail Xstore Point of Service versions 15.0.3, 16.0.5, 17.0.3, 18.0.2, 19.0.1
Oracle Solaris versions 10, 11
Oracle TimesTen In-Memory Database versions prior to 11.2.2.8.49, prior to 18.1.3.1.0, prior to 18.1.4.1.0
Oracle Transportation Management versions 6.3.7
Oracle Utilities Framework versions 2.2.0.0.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0
Oracle VM VirtualBox versions prior to 6.1.16
Oracle WebCenter Portal versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
Oracle WebLogic Server versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
Oracle ZFS Storage Appliance Kit versions 8.8
PeopleSoft Enterprise HCM Global Payroll Core versions 9.2
PeopleSoft Enterprise PeopleTools versions 8.56, 8.57, 8.58
PeopleSoft Enterprise SCM eSupplier Connection versions 9.2
Primavera Gateway versions 16.2.0-16.2.11, 17.12.0-17.12.8
Primavera Unifier versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12
Siebel Applications versions 20.7, 20.8
Impact
Execution of malicious code and complete compromise of the confidentiality, integrity and availability of the system
Denial of service
Unauthorized access to sensitive data
Recommendations
We recommend that administrators update the affected systems without delay.
After remediating vulnerabilities that could have allowed remote code execution, it is good practice to inspect the system and change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used.
Sources
https://www.oracle.com/security-alerts/cpuoct2020.html
