Oracle Quarterly Critical Patches Issues April 20, 2021

Fortify Security Team
Apr 20, 2021

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Oracle Application Express, versions prior to 20.2
  • Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c
  • Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.22
  • Oracle NoSQL Database, versions prior to 20.3
  • Oracle REST Data Services, versions prior to 20.4.3.50.1904
  • Oracle Spatial Studio, versions prior to 19.1.0, prior to 20.1.1
  • Oracle SQL Developer, versions prior to 20.4.1.407.6
  • Oracle Commerce Guided Search, versions 11.0, 11.1
  • Oracle Commerce Merchandising, versions 11.0, 11.0.11.1, 11.1
  • Oracle Communications Calendar Server, version 8.0
  • Oracle Communications Contacts Server, version 8.0
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Messaging Server, versions 8.0.2, 8.1, 8.1.0
  • Oracle Communications MetaSolv Solution, versions 6.3.0, 6.3.1
  • Oracle Communications Unified Inventory Management, versions 7.3.4, 7.3.5, 7.4.0, 7.4.1
  • Oracle Communications Application Session Controller, version 3.9m0p3
  • Oracle Communications Converged Application Server – Service Controller, version 6.2
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Interactive Session Recorder, versions 6.3, 6.4
  • Oracle Communications Performance Intelligence Center Software, versions 10.4.0.2, 10.4.0.3
  • Oracle Communications Services Gatekeeper, versions 6.0, 6.1, 7.0
  • Oracle Communications Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Session Router, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Subscriber-Aware Load Balancer, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Communications Unified Session Manager, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle Enterprise Communications Broker, versions PCZ3.1, PCZ3.2, PCZ3.3
  • Oracle Enterprise Session Border Controller, versions Cz8.2, Cz8.3, Cz8.4
  • Oracle SD-WAN Aware, version 8.2
  • Oracle SD-WAN Edge, versions 8.2, 9.0
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • Primavera Gateway, versions 17.12.0-17.12.10
  • Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
  • Enterprise Manager Base Platform, version 13.4.0.0
  • Enterprise Manager for Fusion Middleware, versions 12.2.1.4, 13.4.0.0
  • Enterprise Manager for Virtualization, version 13.4.0.0
  • Enterprise Manager Ops Center, version 12.4.0.0
  • Oracle Banking Platform, versions 2.4.0, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0, 2.10.0
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0
  • Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle Hospitality Inventory Management, version 9.1.0
  • Oracle Hospitality RES 3700, versions 5.7.0-5.7.6
  • Oracle API Gateway, version 11.1.2.4.0
  • Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Endeca Information Discovery Studio, version 3.2.0.0
  • Oracle Enterprise Repository, version 11.1.1.7.0
  • Oracle Fusion Middleware, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle Identity Manager Connector, version 11.1.1.5.0
  • Oracle Outside In Technology, version 8.5.5
  • Oracle Platform Security for Java, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Service Bus, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Health Sciences Empirica Signal, versions 9.0, 9.1
  • Oracle Health Sciences Information Manager, versions 3.0.0-3.0.2
  • Oracle Healthcare Foundation, versions 7.1.5, 7.2.2, 7.3.0, 7.3.1, 8.0.1
  • Oracle Hospitality Cruise Shipboard Property Management System, version 20.1.0
  • Oracle Hospitality OPERA 5, versions 5.5, 5.6
  • Hyperion Analytic Provider Services, versions 11.1.2.4, 12.2.1.4
  • Hyperion Financial Management, version 11.1.2.4
  • Oracle iLearning, versions 6.2, 6.3
  • Oracle Insurance Data Gateway, version 1.0.2.3
  • Oracle GraalVM Enterprise Edition, versions 19.3.5, 20.3.1.2, 21.0.0.2
  • Oracle Java SE, versions 7u291, 8u281, 11.0.10, 16
  • Oracle Java SE Embedded, version 8u281
  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.3
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.4.0, prior to 9.2.5.3
  • JD Edwards World Security, version A9.4
  • MySQL Cluster, versions 8.0.23 and prior
  • MySQL Enterprise Monitor, versions 8.0.23 and prior
  • MySQL Server, versions 5.7.33 and prior, 8.0.23 and prior
  • MySQL Workbench, versions 8.0.23 and prior
  • PeopleSoft Enterprise CS Campus Community, version 9.2
  • PeopleSoft Enterprise FIN Common Application Objects, version 9.2
  • PeopleSoft Enterprise FIN Expenses, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise PT PeopleTools, versions 8.56, 8.57, 8.58
  • PeopleSoft Enterprise SCM eProcurement, version 9.2
  • Oracle Retail Assortment Planning, version 16.0.3
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Category Management Planning & Optimization, version 16.0.3
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail EFTLink, versions 15.0.2, 16.0.3, 17.0.2, 18.0.1, 19.0.1, 20.0.0
  • Oracle Retail Insights Cloud Service Suite, version 19.0
  • Oracle Retail Item Planning, version 16.0.3
  • Oracle Retail Macro Space Optimization, version 16.0.3
  • Oracle Retail Merchandise Financial Planning, version 16.0.3
  • Oracle Retail Merchandising System, version 16.0.3
  • Oracle Retail Point-of-Service, version 14.1
  • Oracle Retail Predictive Application Server, versions 14.1, 15.0, 16.0
  • Oracle Retail Regular Price Optimization, version 16.0.3
  • Oracle Retail Replenishment Optimization, version 16.0.3
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Sales Audit, version 14.0
  • Oracle Retail Size Profile Optimization, version 16.0.3
  • Oracle Retail Store Inventory Management, versions 14.1.3.10, 15.0.3.5, 16.0.3.5
  • Oracle Retail Xstore Point of Service, versions 15.0.4, 16.0.6, 17.0.4, 18.0.3, 19.0.2
  • Siebel Applications, versions 21.2 and prior
  • Oracle Cloud Infrastructure Storage Gateway, versions prior to 1.4
  • Oracle Storage Cloud Software Appliance, versions 16.3.1.4.1 and prior
  • Agile Product Lifecycle Management Integration Pack for Oracle E-Business Suite, versions 3.5, 3.6
  • Agile Product Lifecycle Management Integration Pack for SAP: Design to Release, versions 3.5, 3.6
  • Oracle Advanced Supply Chain Planning, versions 12.1, 12.2
  • Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
  • Oracle Rapid Planning, version 12.1.3
  • OSS Support Tools, versions prior to 2.12.41
  • Oracle Solaris, versions 10, 11
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0
  • Oracle Secure Global Desktop, version 5.6
  • Oracle VM VirtualBox, versions prior to 6.1.20

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
Oracle:
https://www.oracle.com/security-alerts/cpuapr2021.html

Recent Posts

Google Android OS Could Allow for Privilege Escalation

Multiple vulnerabilities have been discovered in Google Android OS, the most severe of which could allow for privilege escalation. Android is an operating system developed by Google for mobile devices, including, but not limited to, smartphones, tablets, and watches....

Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. Safari is a graphical web browser developed by Apple. macOS Ventura is the 19th and current major release of macOS macOS Monterey is the...

Hacktivists Use of DDoS Activity Causes Minor Impacts

The FBI defines hacktivism as a collective of cyber criminals who conduct cyber activities to advance an ideological, social, or political cause. Historically, hacktivist collectives conducted and advocated for cyber crime activity following high-profile political,...