SK-CERT Security Advisory V20210121-04

Severity Critical
Classification Unclassified/TLP WHITE
CVSS Score
9.9
Identifier
Multiple critical security vulnerabilities in Oracle products
Description
Oracle has released security updates for its product portfolio that fix multiple critical security vulnerabilities.
The most serious vulnerability stems from insufficient validation of user-supplied input and allows a remote, authenticated attacker to execute malicious code, resulting in a complete compromise of the confidentiality, integrity and availability of the system.
Date of first publication of the advisory
19.01.2021
CVE
CVE-2012-1695, CVE-2012-3135, CVE-2014-3004, CVE-2014-3596, CVE-2015-9251, CVE-2016-0701, CVE-2016-1000031, CVE-2016-1181, CVE-2016-1182, CVE-2016-2183, CVE-2016-4000, CVE-2016-5019, CVE-2016-6306, CVE-2016-6814, CVE-2016-8610, CVE-2017-1000376, CVE-2017-12626, CVE-2017-14735, CVE-2017-15708, CVE-2017-15906, CVE-2017-5645, CVE-2018-0734, CVE-2018-0735, CVE-2018-1000030, CVE-2018-1060, CVE-2018-11039, CVE-2018-11040, CVE-2018-11054, CVE-2018-11055, CVE-2018-11056, CVE-2018-11057, CVE-2018-11058, CVE-2018-11307, CVE-2018-11759, CVE-2018-11784, CVE-2018-1257, CVE-2018-1258, CVE-2018-14718, CVE-2018-15473, CVE-2018-15756, CVE-2018-15769, CVE-2018-16395, CVE-2018-17189, CVE-2018-19362, CVE-2018-20684, CVE-2018-5407, CVE-2018-6829, CVE-2018-8032, CVE-2018-8039, CVE-2019-0199, CVE-2019-0215, CVE-2019-0221, CVE-2019-0227, CVE-2019-0232, CVE-2019-10072, CVE-2019-10086, CVE-2019-10088, CVE-2019-10092, CVE-2019-10093, CVE-2019-10094, CVE-2019-10098, CVE-2019-10246, CVE-2019-10247, CVE-2019-11358, CVE-2019-11477, CVE-2019-11478, CVE-2019-11479, CVE-2019-12086, CVE-2019-12384, CVE-2019-12406, CVE-2019-12415, CVE-2019-12419, CVE-2019-12814, CVE-2019-13117, CVE-2019-13118, CVE-2019-14379, CVE-2019-14439, CVE-2019-14540, CVE-2019-1547, CVE-2019-1549, CVE-2019-1552, CVE-2019-1559, CVE-2019-1563, CVE-2019-15845, CVE-2019-16168, CVE-2019-16201, CVE-2019-16254, CVE-2019-16255, CVE-2019-16335, CVE-2019-16775, CVE-2019-16776, CVE-2019-16777, CVE-2019-16942, CVE-2019-16943, CVE-2019-17091, CVE-2019-17267, CVE-2019-17359, CVE-2019-17531, CVE-2019-2094, CVE-2019-2725, CVE-2019-2729, CVE-2019-2904, CVE-2019-3862, CVE-2019-5481, CVE-2019-5482, CVE-2019-5718, CVE-2019-8457, CVE-2019-9208, CVE-2019-9579, CVE-2019-9636, CVE-2019-9936, CVE-2019-9937, CVE-2020-2510, CVE-2020-2511, CVE-2020-2512, CVE-2020-2515, CVE-2020-2516, CVE-2020-2517, CVE-2020-2518, CVE-2020-2519, CVE-2020-2527, CVE-2020-2530, CVE-2020-2531, CVE-2020-2533, CVE-2020-2534, CVE-2020-2535, CVE-2020-2536, CVE-2020-2537, 
CVE-2020-2538, CVE-2020-2539, CVE-2020-2540, CVE-2020-2541, CVE-2020-2542, CVE-2020-2543, CVE-2020-2544, CVE-2020-2545, CVE-2020-2546, CVE-2020-2547, CVE-2020-2548, CVE-2020-2549, CVE-2020-2550, CVE-2020-2551, CVE-2020-2552, CVE-2020-2555, CVE-2020-2556, CVE-2020-2557, CVE-2020-2558, CVE-2020-2559, CVE-2020-2560, CVE-2020-2561, CVE-2020-2563, CVE-2020-2564, CVE-2020-2565, CVE-2020-2566, CVE-2020-2567, CVE-2020-2568, CVE-2020-2569, CVE-2020-2570, CVE-2020-2571, CVE-2020-2572, CVE-2020-2573, CVE-2020-2574, CVE-2020-2576, CVE-2020-2577, CVE-2020-2578, CVE-2020-2579, CVE-2020-2580, CVE-2020-2581, CVE-2020-2582, CVE-2020-2583, CVE-2020-2584, CVE-2020-2585, CVE-2020-2586, CVE-2020-2587, CVE-2020-2588, CVE-2020-2589, CVE-2020-2590, CVE-2020-2591, CVE-2020-2592, CVE-2020-2593, CVE-2020-2595, CVE-2020-2596, CVE-2020-2597, CVE-2020-2598, CVE-2020-2599, CVE-2020-2600, CVE-2020-2601, CVE-2020-2602, CVE-2020-2603, CVE-2020-2604, CVE-2020-2605, CVE-2020-2606, CVE-2020-2607, CVE-2020-2608, CVE-2020-2609, CVE-2020-2610, CVE-2020-2611, CVE-2020-2612, CVE-2020-2613, CVE-2020-2614, CVE-2020-2615, CVE-2020-2616, CVE-2020-2617, CVE-2020-2618, CVE-2020-2619, CVE-2020-2620, CVE-2020-2621, CVE-2020-2622, CVE-2020-2623, CVE-2020-2624, CVE-2020-2625, CVE-2020-2626, CVE-2020-2627, CVE-2020-2628, CVE-2020-2629, CVE-2020-2630, CVE-2020-2631, CVE-2020-2632, CVE-2020-2633, CVE-2020-2634, CVE-2020-2635, CVE-2020-2636, CVE-2020-2637, CVE-2020-2638, CVE-2020-2639, CVE-2020-2640, CVE-2020-2641, CVE-2020-2642, CVE-2020-2643, CVE-2020-2644, CVE-2020-2645, CVE-2020-2646, CVE-2020-2647, CVE-2020-2648, CVE-2020-2649, CVE-2020-2650, CVE-2020-2651, CVE-2020-2652, CVE-2020-2653, CVE-2020-2654, CVE-2020-2655, CVE-2020-2656, CVE-2020-2657, CVE-2020-2658, CVE-2020-2659, CVE-2020-2660, CVE-2020-2661, CVE-2020-2662, CVE-2020-2663, CVE-2020-2664, CVE-2020-2665, CVE-2020-2666, CVE-2020-2667, CVE-2020-2668, CVE-2020-2669, CVE-2020-2670, CVE-2020-2671, CVE-2020-2672, CVE-2020-2673, CVE-2020-2674, CVE-2020-2675, 
CVE-2020-2676, CVE-2020-2677, CVE-2020-2678, CVE-2020-2679, CVE-2020-2680, CVE-2020-2681, CVE-2020-2682, CVE-2020-2683, CVE-2020-2684, CVE-2020-2685, CVE-2020-2686, CVE-2020-2687, CVE-2020-2688, CVE-2020-2689, CVE-2020-2690, CVE-2020-2691, CVE-2020-2692, CVE-2020-2693, CVE-2020-2694, CVE-2020-2695, CVE-2020-2696, CVE-2020-2697, CVE-2020-2698, CVE-2020-2699, CVE-2020-2700, CVE-2020-2701, CVE-2020-2702, CVE-2020-2703, CVE-2020-2704, CVE-2020-2705, CVE-2020-2707, CVE-2020-2709, CVE-2020-2710, CVE-2020-2711, CVE-2020-2712, CVE-2020-2713, CVE-2020-2714, CVE-2020-2715, CVE-2020-2716, CVE-2020-2717, CVE-2020-2718, CVE-2020-2719, CVE-2020-2720, CVE-2020-2721, CVE-2020-2722, CVE-2020-2723, CVE-2020-2724, CVE-2020-2725, CVE-2020-2726, CVE-2020-2727, CVE-2020-2728, CVE-2020-2729, CVE-2020-2730, CVE-2020-2731, CVE-2020-6950
IOC
Affected systems
Enterprise Manager Base Platform 12.1.0.5
Enterprise Manager Base Platform 13.2.0.0
Enterprise Manager Base Platform 13.3.0.0
Enterprise Manager for Fusion Middleware 13.2.0.0
Enterprise Manager for Fusion Middleware 13.3.0.0
Enterprise Manager for Oracle Database 12.1.0.5
Enterprise Manager for Oracle Database 13.2.0.0
Enterprise Manager for Oracle Database 13.3.0.0
Enterprise Manager Ops Center 12.3.3
Enterprise Manager Ops Center 12.4.0
Hyperion Financial Close Management 11.1.2.4
Hyperion Planning 11.1.2.4
Identity Manager 11.1.2.3.0
Identity Manager 12.2.1.3.0
Instantis EnterpriseTrack 17.1
Instantis EnterpriseTrack 17.2
Instantis EnterpriseTrack 17.3
JD Edwards EnterpriseOne Orchestrator 9.2
JD Edwards EnterpriseOne Tools 9.2
MySQL Client, versions prior to 5.6.46
MySQL Client, versions prior to 5.7.28
MySQL Client, versions prior to 8.0.18
MySQL Cluster, versions prior to 7.3.27
MySQL Cluster, versions prior to 7.4.25
MySQL Cluster, versions prior to 7.5.15
MySQL Cluster, versions prior to 7.6.12
MySQL Connectors, versions prior to 5.3.13
MySQL Connectors, versions prior to 8.0.18
MySQL Enterprise Backup, versions prior to 3.12.4
MySQL Enterprise Backup, versions prior to 4.1.3
MySQL Server, versions prior to 5.6.46
MySQL Server, versions prior to 5.7.28
MySQL Server, versions prior to 8.0.18
MySQL Workbench, versions prior to 8.0.18
Oracle Agile Engineering Data Management 6.2.0
Oracle Agile Engineering Data Management 6.2.1
Oracle Agile PLM 9.3.3
Oracle Agile PLM 9.3.4
Oracle Agile PLM 9.3.5
Oracle Agile PLM 9.3.6
Oracle Agile PLM Framework 9.3.3
Oracle Agile PLM MCAD Connector 3.4
Oracle Agile PLM MCAD Connector 3.5
Oracle Agile PLM MCAD Connector 3.6
Oracle Application Testing Suite 12.5.0.3
Oracle Application Testing Suite 13.1.0.1
Oracle Application Testing Suite 13.2.0.1
Oracle Application Testing Suite 13.3.0.1
Oracle AutoVue 21.0.2
Oracle Banking Corporate Lending, versions up to and including 12.4.0
Oracle Banking Corporate Lending, versions up to and including 14.3.0
Oracle Banking Payments, versions up to and including 14.3.0
Oracle Big Data Discovery 1.6
Oracle Business Intelligence Enterprise Edition 11.1.1.9.0
Oracle Business Intelligence Enterprise Edition 12.2.1.3.0
Oracle Business Intelligence Enterprise Edition 12.2.1.4.0
Oracle Clinical 5.2
Oracle Coherence 3.7.1.0
Oracle Coherence 12.1.3.0.0
Oracle Coherence 12.2.1.3.0
Oracle Coherence 12.2.1.4.0
Oracle Communications Design Studio 7.3.4.3.0
Oracle Communications Design Studio 7.3.5.5.0
Oracle Communications Design Studio 7.4.0.4.0
Oracle Communications Design Studio 7.4.1.1.0
Oracle Communications Diameter Signaling Router (DSR) 8.0
Oracle Communications Diameter Signaling Router (DSR) 8.1
Oracle Communications Diameter Signaling Router (DSR) 8.2
Oracle Communications Diameter Signaling Router (DSR) 8.3
Oracle Communications Diameter Signaling Router (DSR) 8.4
Oracle Communications Instant Messaging Server 10.0.1.3.0
Oracle Communications Interactive Session Recorder 6.0
Oracle Communications Interactive Session Recorder 6.1
Oracle Communications Interactive Session Recorder 6.2
Oracle Communications Interactive Session Recorder 6.3
Oracle Communications IP Service Activator 7.3.4
Oracle Communications IP Service Activator 7.4.0
Oracle Communications Session Border Controller 7.4
Oracle Communications Session Border Controller 8.0
Oracle Communications Session Border Controller 8.1
Oracle Communications Session Border Controller 8.2
Oracle Communications Session Border Controller 8.3
Oracle Communications Session Router 7.4
Oracle Communications Session Router 8.0
Oracle Communications Session Router 8.1
Oracle Communications Session Router 8.2
Oracle Communications Session Router 8.3
Oracle Communications Subscriber-Aware Load Balancer 7.3
Oracle Communications Subscriber-Aware Load Balancer 8.1
Oracle Communications Subscriber-Aware Load Balancer 8.3
Oracle Communications Unified Inventory Management 7.3
Oracle Communications Unified Inventory Management 7.4
Oracle Communications Unified Session Manager 7.3.5
Oracle Communications Unified Session Manager 8.2.5
Oracle Database Server 11.2.0.4
Oracle Database Server 12.1.0.2
Oracle Database Server 12.2.0.1
Oracle Database Server 18c
Oracle Database Server 19c
Oracle Demantra Demand Management 12.2.4
Oracle Demantra Demand Management 12.2.4.1
Oracle Demantra Demand Management 12.2.5
Oracle Demantra Demand Management 12.2.5.1
Oracle E-Business Suite, versions up to and including 12.1.3
Oracle E-Business Suite, versions up to and including 12.2.9
Oracle Endeca Information Discovery Integrator, version 3.2.0 Fusion Middleware
Oracle Endeca Information Discovery Studio, version 3.2.0 Fusion Middleware
Oracle Enterprise Communications Broker PCz3.0
Oracle Enterprise Communications Broker PCz3.1
Oracle Enterprise Communications Broker PCz3.2
Oracle Enterprise Repository 12.1.3.0.0
Oracle Enterprise Session Border Controller 7.5
Oracle Enterprise Session Border Controller 8.0
Oracle Enterprise Session Border Controller 8.1
Oracle Enterprise Session Border Controller 8.2
Oracle Enterprise Session Border Controller 8.3
Oracle Financial Services Analytical Applications Infrastructure, versions up to and including 7.3.5
Oracle Financial Services Analytical Applications Infrastructure, versions up to and including 8.0.8
Oracle Financial Services Funds Transfer Pricing, versions up to and including 8.0.7
Oracle Financial Services Revenue Management and Billing 2.7.0.0
Oracle Financial Services Revenue Management and Billing 2.7.0.1
Oracle Financial Services Revenue Management and Billing 2.8.0.0
Oracle FLEXCUBE Investor Servicing, versions prior to 12.4.0
Oracle FLEXCUBE Investor Servicing, versions prior to 14.1.0
Oracle FLEXCUBE Universal Banking, versions prior to 12.4.0
Oracle FLEXCUBE Universal Banking, versions prior to 14.3.0
Oracle GraalVM Enterprise Edition 19.3.0.2
Oracle Health Sciences Data Management Workbench 2.4
Oracle Health Sciences Data Management Workbench 2.5
Oracle Healthcare Master Person Index 3.0
Oracle Hospitality Cruise Materials Management 7.30.567
Oracle Hospitality Guest Access 4.2
Oracle Hospitality OPERA 5 version 5.5
Oracle Hospitality OPERA 5 version 5.6
Oracle Hospitality Suites Management 3.7
Oracle Hospitality Suites Management 3.8
Oracle HTTP Server 11.1.1.9.0
Oracle HTTP Server 12.1.3.0.0
Oracle HTTP Server 12.2.1.3.0
Oracle iLearning 6.1
Oracle Java SE 7u241
Oracle Java SE 8u231
Oracle Java SE 11.0.5
Oracle Java SE 13.0.1
Oracle Java SE Embedded 8u231
Oracle Outside In Technology 8.5.4
Oracle Real-Time Scheduler, versions up to and including 2.3.0.3
Oracle Reports Developer 12.2.1.3.0
Oracle Reports Developer 12.2.1.4.0
Oracle Retail Assortment Planning 15.0.3
Oracle Retail Assortment Planning 16.0.3
Oracle Retail Clearance Optimization Engine 13.4
Oracle Retail Clearance Optimization Engine 14.0
Oracle Retail Clearance Optimization Engine 14.0.3
Oracle Retail Clearance Optimization Engine 14.0.5
Oracle Retail Customer Management and Segmentation Foundation 16.0
Oracle Retail Customer Management and Segmentation Foundation 17.0
Oracle Retail Customer Management and Segmentation Foundation 18.0
Oracle Retail Markdown Optimization 13.4
Oracle Retail Markdown Optimization 13.4.4
Oracle Retail Order Broker 5.2
Oracle Retail Order Broker 15.0
Oracle Retail Order Broker 16.0
Oracle Retail Order Broker 18.0
Oracle Retail Predictive Application Server 15.0.3
Oracle Retail Predictive Application Server 16.0.3
Oracle Retail Sales Audit 15.0.3
Oracle Retail Sales Audit 16.0.2
Oracle Secure Global Desktop 5.4
Oracle Secure Global Desktop 5.5
Oracle Security Service 11.1.1.9.0
Oracle Security Service 12.1.3.0.0
Oracle Security Service 12.2.1.3.0
Oracle Solaris 10
Oracle Solaris 11
Oracle Tuxedo 12.1.1.0.0
Oracle Tuxedo 12.1.3.0.0
Oracle Utilities Framework, versions up to and including 4.2.0.3
Oracle Utilities Framework, versions up to and including 4.3.0.4
Oracle Utilities Mobile Workforce Management, versions up to and including 2.3.0.3
Oracle Utilities Work and Asset Management (v1) 1.9.1.2
Oracle VM Server for SPARC 3.6
Oracle VM VirtualBox, versions prior to 6.1.18
Oracle WebCenter Sites 12.2.1.3.0
Oracle WebLogic Server 10.3.6.0.0
Oracle WebLogic Server 12.1.3.0.0
Oracle WebLogic Server 12.2.1.3.0
Oracle WebLogic Server 12.2.1.4.0
PeopleSoft Enterprise CC Common Application Objects 9.1
PeopleSoft Enterprise CC Common Application Objects 9.2
PeopleSoft Enterprise HCM Human Resources 9.2
PeopleSoft Enterprise PeopleTools 8.56
PeopleSoft Enterprise PeopleTools 8.57
PeopleSoft Enterprise PeopleTools 8.58
PeopleSoft PeopleTools 8.56
PeopleSoft PeopleTools 8.57
Primavera Gateway 15.2.18
Primavera Gateway 16.2.11
Primavera Gateway 17.12.6
Primavera Gateway 18.8.8.1
Primavera P6 Enterprise Project Portfolio Management, versions up to and including 15.2.18.7
Primavera P6 Enterprise Project Portfolio Management, versions up to and including 16.2.19.0
Primavera P6 Enterprise Project Portfolio Management, versions up to and including 17.12.16.0
Primavera P6 Enterprise Project Portfolio Management, versions up to and including 18.8.16.0
Primavera P6 Enterprise Project Portfolio Management 19.12.0.0
Primavera P6 Enterprise Project Portfolio Management 20.1.0.0
Primavera Unifier 16.1
Primavera Unifier 16.2
Primavera Unifier, versions up to and including 17.12
Primavera Unifier 18.8
Primavera Unifier 19.12
Siebel Applications, versions prior to 19.10
Sun ZFS Storage Appliance Kit 8.8.6
Tape Library ACSLS 8.5
Tape Library ACSLS 8.5.1
Impact
Execution of malicious code and complete compromise of the confidentiality, integrity and availability of the system
Recommendations
We recommend that administrators and users update the affected systems without delay.
After remediating vulnerabilities that could have allowed remote code execution, it is good practice to review the system and to change all passwords and keys on the affected system, as well as on any other systems where the same password or key was used.
Sources
https://www.oracle.com/security-alerts/cpujan2020.html
https://www.tenable.com/cve/CVE-2020-2586
https://www.checkpoint.com/defense/advisories/public/2020/cpai-2020-0178.html