(800) 989-2647

[email protected]

Security Advisories

Oracle Quarterly Critical Patches Issued July 20, 2021

Fortify Security Team
Jul 20, 2021

Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

  • Oracle Database Server, versions 12.1.0.2, 19c
  • Big Data Spatial and Graph, versions prior to 2.0, prior to 23.1
  • Essbase, version 21.2
  • Essbase Analytic Provider Services, versions 11.1.2.4, 21.2
  • Hyperion Essbase Administration Services, versions 11.1.2.4, 21.2
  • Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version 11.3.1.5
  • Oracle Communications Billing and Revenue Management, versions 7.5.0.23.0, 12.0.0.3.0
  • Oracle Communications BRM – Elastic Charging Engine, versions 11.3.0.9.0, 12.0.0.3.0
  • Oracle Communications Convergent Charging Controller, version 12.0.4.0.0
  • Oracle Communications Design Studio, version 7.4.2
  • Oracle Communications Instant Messaging Server, version 10.0.1.4.0
  • Oracle Communications Network Charging and Control, versions 6.0.1.0, 12.0.1.0-12.0.4.0, 12.0.4.0.0
  • Oracle Communications Offline Mediation Controller, version 12.0.0.3.0
  • Oracle Communications Pricing Design Center, version 12.0.0.3.0
  • Oracle Communications Unified Inventory Management, versions 7.3.2, 7.3.4, 7.3.5, 7.4.0, 7.4.1
  • Oracle Communications Application Session Controller, version 3.9
  • Oracle Communications Cloud Native Core Console, version 1.4.0
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.4.0, 1.7.0
  • Oracle Communications Cloud Native Core Network Slice Selection Function, version 1.2.1
  • Oracle Communications Cloud Native Core Policy, versions 1.5.0, 1.9.0
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 1.7.0
  • Oracle Communications Cloud Native Core Service Communication Proxy, version 1.5.2
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 1.4.0, 1.6.0
  • Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.5.0
  • Oracle Communications EAGLE Software, versions 46.6.0-46.8.2
  • Oracle Communications Evolved Communications Application Server, version 7.1
  • Oracle Communications Services Gatekeeper, versions 7.0, 8.2
  • Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3
  • Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.11, 19.12.0-19.12.10, 20.12.0
  • Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0-17.12.20, 18.8.0-18.8.23, 19.12.0-19.12.14, 20.12.0-20.12.3
  • Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12
  • Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
  • Enterprise Manager Base Platform, version 13.4.0.0
  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Configuration Manager, version 12.1.2.0.8
  • Oracle Banking Enterprise Collections, versions 2.10.0, 2.12.0
  • Oracle Banking Party Management, version 2.7.0
  • Oracle Banking Platform, versions 2.4.0, 2.7.1, 2.9.0
  • Oracle Banking Treasury Management, version 14.4
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.0.9, 8.1.0
  • Oracle Financial Services Crime and Compliance Investigation Hub, version 20.1.2
  • Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.0.9.6.3
  • Oracle FLEXCUBE Private Banking, versions 12.0.0, 12.1.0
  • Oracle FLEXCUBE Universal Banking, versions 12.0-12.4, 14.0-14.4.0
  • MICROS Compact Workstation 3, version 310
  • MICROS ES400 Series, versions 400-410
  • MICROS Kitchen Display System Hardware, version 210
  • MICROS Workstation 5A, version 5A
  • MICROS Workstation 6, versions 610-655
  • Oracle Hospitality Reporting and Analytics, version 9.1.0
  • Identity Manager, versions 11.1.2.2.0, 11.1.2.3.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Access Manager, version 11.1.2.3.0
  • Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, version 12.2.1.4.0
  • Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Oracle Data Integrator, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Enterprise Data Quality, version 12.2.1.3.0
  • Oracle Enterprise Repository, version 11.1.1.7.0
  • Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
  • Oracle GoldenGate Application Adapters, version 19.1.0.0.0
  • Oracle JDeveloper, version 12.2.1.4.0
  • Oracle JDeveloper and ADF, version 12.2.1.4.0
  • Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
  • Oracle Outside In Technology, version 8.5.5
  • Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
  • Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
  • Real-Time Decisions (RTD) Solutions, version 3.2.0.0
  • Oracle Hospitality Suite8, versions 8.13, 8.14
  • Hyperion Financial Reporting, versions 11.1.2.4, 11.2.5.0
  • Hyperion Infrastructure Technology, versions 11.1.2.4, 11.2.5.0
  • Oracle Hyperion BI+, versions 11.1.2.4, 11.2.5.0
  • Oracle Insurance Policy Administration, versions 11.0.2, 11.1.0-11.3.0
  • Oracle Insurance Policy Administration J2EE, version 11.0.2
  • Oracle Insurance Rules Palette, versions 11.0.2, 11.1.0-11.3.0
  • Oracle GraalVM Enterprise Edition, versions 20.3.2, 21.1.0
  • Oracle Java SE, versions 7u301, 8u291, 11.0.11, 16.0.1
  • JD Edwards EnterpriseOne Orchestrator, versions 9.2.5.3 and prior
  • JD Edwards EnterpriseOne Tools, versions 9.2.5.3 and prior
  • MySQL Cluster, versions 8.0.25 and prior
  • MySQL Connectors, versions 8.0.23 and prior
  • MySQL Enterprise Monitor, versions 8.0.23 and prior
  • MySQL Server, versions 5.7.34 and prior, 8.0.25 and prior
  • PeopleSoft Enterprise CS Campus Community, version 9.2
  • PeopleSoft Enterprise HCM Candidate Gateway, version 9.2
  • PeopleSoft Enterprise HCM Shared Components, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.57, 8.58, 8.59
  • PeopleSoft Enterprise PT PeopleTools, versions 8.57, 8.58, 8.59
  • Oracle Policy Automation, versions 12.2.0-12.2.22
  • Oracle Retail Back Office, version 14.1
  • Oracle Retail Central Office, version 14.1
  • Oracle Retail Customer Engagement, versions 16.0-19.0
  • Oracle Retail Customer Management and Segmentation Foundation, versions 16.0-19.0
  • Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3.0
  • Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3.0
  • Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 16.0.3
  • Oracle Retail Order Broker, versions 15.0, 16.0
  • Oracle Retail Order Management System Cloud Service, version 19.5
  • Oracle Retail Point-of-Service, version 14.1
  • Oracle Retail Price Management, versions 14.0, 14.1, 15.0, 16.0
  • Oracle Retail Returns Management, version 14.1
  • Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3.0
  • Oracle Retail Xstore Point of Service, versions 16.0.6, 17.0.4, 18.0.3, 19.0.2, 20.0.1
  • Siebel Applications, versions 21.5 and prior
  • Oracle Agile Engineering Data Management, version 6.2.1.0
  • Oracle Agile PLM, versions 9.3.3, 9.3.5, 9.3.6
  • Oracle Transportation Management, version 6.4.3
  • OSS Support Tools, versions prior to 2.12.41
  • Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2400, prior to XCP3100
  • Oracle Solaris, version 11
  • Oracle Solaris Cluster, version 4.4
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • StorageTek Tape Analytics SW Tool, version 2.3
  • Oracle Secure Global Desktop, version 5.6
  • Oracle VM VirtualBox, versions prior to 6.1.24

RISK:
Government:

  • Large and medium government entities: High
  • Small government entities: High

Businesses:

  • Large and medium business entities: High
  • Small business entities: High

Home users: Low

RECOMMENDATIONS:
We recommend the following actions be taken:

  • Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing.
  • Run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack.
  • Remind all users not to visit untrusted websites or follow links provided by unknown or untrusted sources.
  • Inform and educate users regarding threats posed by hypertext links contained in emails or attachments especially from untrusted sources.
  • Apply the Principle of Least Privilege to all systems and services.

REFERENCES:
Oracle:
https://www.oracle.com/security-alerts/cpujul2021.html

Recent Posts

Mozilla Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Mozilla Firefox and Mozilla Thunderbird, the most severe of which could allow for arbitrary code execution. Mozilla Firefox is a web browser used to access the Internet. Mozilla Firefox ESR is a version of the web...

Apple Products Could Allow for Arbitrary Code Execution

Multiple vulnerabilities have been discovered in Apple Products, the most severe of which could allow for arbitrary code execution. macOS Ventura is the 19th and current major release of macOS iOS is a mobile operating system for mobile devices, including the iPhone,...

Citrix ADC and Gateway Could Allow for Authentication Bypass

Multiple vulnerabilities have been discovered in Citrix ADC and Gateway, the most severe of which could allow for Authentication Bypass. Citrix ADC and Gateway is an Application Delivery Controller and a gateway service to products respectively. Successful...