Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.
THREAT INTELLIGENCE:
There are currently no reports of these vulnerabilities being exploited in the wild.
SYSTEMS AFFECTED:
- Autonomous Health Framework
- Big Data Spatial and Graph, versions prior to 23.1
- Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
- Enterprise Manager for MySQL Database
- Enterprise Manager Ops Center, version 12.4.0.0
- JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.3 and prior
- JD Edwards EnterpriseOne Tools, versions 9.2.6.3 and prior
- MySQL Cluster, versions 7.4.36 and prior, 7.5.26 and prior, 7.6.22 and prior, 8.0.29 and prior, and 8.0.29 and prior
- MySQL Enterprise Monitor, versions 8.0.30 and prior
- MySQL Server, versions 5.7.38 and prior, 8.0.29 and prior
- MySQL Shell, versions 8.0.28 and prior
- MySQL Shell for VS Code, versions 1.1.8 and prior
- MySQL Workbench, versions 8.0.29 and prior
- Oracle Agile Engineering Data Management, version 6.2.1.0
- Oracle Agile PLM, version 9.3.6
- Oracle Agile Product Lifecycle Management for Process, versions 6.2.2, 6.2.3
- Oracle Application Express, versions prior to 22.1.1
- Oracle Application Testing Suite, version 13.3.0.1
- Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
- Oracle Banking Branch, version 14.5
- Oracle Banking Cash Management, version 14.5
- Oracle Banking Corporate Lending Process Management, version 14.5
- Oracle Banking Credit Facilities Process Management, version 14.5
- Oracle Banking Deposits and Lines of Credit Servicing, version 2.7
- Oracle Banking Electronic Data Exchange for Corporates, version 14.5
- Oracle Banking Liquidity Management, versions 14.2, 14.5
- Oracle Banking Origination, version 14.5
- Oracle Banking Party Management, version 2.7
- Oracle Banking Platform, versions 2.6.2, 2.9, 2.12
- Oracle Banking Supply Chain Finance, version 14.5
- Oracle Banking Trade Finance, version 14.5
- Oracle Banking Trade Finance Process Management, version 14.5
- Oracle Banking Virtual Account Management, version 14.5
- Oracle Berkeley DB
- Oracle BI Publisher, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Blockchain Platform
- Oracle Business Intelligence Enterprise Edition, version 5.9.0.0.0
- Oracle Coherence, versions 3.7.1.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce Guided Search, version 11.3.2
- Oracle Commerce Merchandising, version 11.3.2
- Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
- Oracle Communications ASAP, version 7.3
- Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.6.0
- Oracle Communications BRM – Elastic Charging Engine, versions prior to 12.0.0.4.6, prior to 12.0.0.5.1
- Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.3, 22.2.0
- Oracle Communications Cloud Native Core Console, versions 22.1.2, 22.2.0
- Oracle Communications Cloud Native Core Network Exposure Function, version 22.1.1
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 22.1.0, 22.1.2, 22.2.0
- Oracle Communications Cloud Native Core Network Repository Function, versions 22.1.2, 22.2.0
- Oracle Communications Cloud Native Core Network Slice Selection Function, version 22.1.1
- Oracle Communications Cloud Native Core Policy, versions 22.1.3, 22.2.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy, version 22.1.1
- Oracle Communications Cloud Native Core Service Communication Proxy, version 22.2.0
- Oracle Communications Cloud Native Core Unified Data Repository, version 22.2.0
- Oracle Communications Core Session Manager, versions 8.2.5, 8.4.5
- Oracle Communications Design Studio, version 7.4.2
- Oracle Communications Instant Messaging Server, version 10.0.1.5.0
- Oracle Communications IP Service Activator
- Oracle Communications Offline Mediation Controller, versions prior to 12.0.0.4.4, prior to 12.0.0.5.1
- Oracle Communications Operations Monitor, versions 4.3, 4.4, 5.0
- Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1
- Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2, 7.5.0
- Oracle Communications Unified Session Manager, version 8.2.5
- Oracle Crystal Ball, versions 11.1.2.0.0-11.1.2.4.900
- Oracle Data Integrator
- Oracle Database Server, versions 12.1.0.2, 19c, 21c
- Oracle E-Business Suite, versions 12.2.3-12.2.11
- Oracle Enterprise Communications Broker, version 3.3
- Oracle Enterprise Operations Monitor, versions 4.3, 4.4, 5.0
- Oracle Enterprise Session Border Controller, versions 8.4, 9.0, 9.1
- Oracle Essbase, version 21.3
- Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1
- Oracle Financial Services Behavior Detection Platform, versions 8.0.7.0, 8.0.8.0, 8.1.1.0-8.1.2.1
- Oracle Financial Services Crime and Compliance Management Studio, versions 8.0.8.2.0, 8.0.8.3.0
- Oracle Financial Services Enterprise Case Management, versions 8.0.7.1, 8.0.7.2, 8.0.8.0, 8.0.8.1, 8.1.1.0-8.1.2.1
- Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0, 2.9.0.1.0, 3.0.0.0.0-3.2.0.0.0, 4.0.0.0.0
- Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0
- Oracle FLEXCUBE Core Banking, versions 5.2, 11.6-11.8, 11.10
- Oracle FLEXCUBE Private Banking, version 12.1
- Oracle FLEXCUBE Universal Banking, versions 12.1-12.4, 14.0-14.3, 14.5
- Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.10
- Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.30
- Oracle GoldenGate, versions [19c] prior to 19.1.0.0.220719, [21c] prior to 21.7.0.0.0
- Oracle GraalVM Enterprise Edition, versions 20.3.6, 21.3.2, 22.1.0
- Oracle Graph Server and Client, versions prior to 22.2.0
- Oracle Health Sciences Data Management Workbench, versions 2.4.8.7, 2.5.2.1, 3.0.0.0, 3.1.0.3
- Oracle Health Sciences Empirica Signal, versions 9.1.0.52, 9.2.0.52
- Oracle Health Sciences Information Manager, versions 3.0.0.1, 3.0.1.0-3.0.5.0
- Oracle Healthcare Foundation, versions 8.1.0, 8.2.0, 8.2.1
- Oracle Hospitality Cruise Shipboard Property Management System, version 20.2.1
- Oracle Hospitality Inventory Management, version 9.1
- Oracle Hospitality Materials Control, version 18.1
- Oracle Hospitality OPERA 5, version 5.6
- Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Identity Management Suite
- Oracle Identity Manager Connector
- Oracle Java SE, versions 7u343, 8u333, 11.0.15.1, 17.0.3.1, 18.0.1.1
- Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle NoSQL Database
- Oracle Policy Automation, versions 12.2.0-12.2.25
- Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.24
- Oracle Product Lifecycle Analytics, version 3.6.1
- Oracle REST Data Services, versions prior to 22.1.1
- Oracle Retail Allocation, versions 15.0.3.1, 16.0.3
- Oracle Retail Bulk Data Integration, version 16.0.3
- Oracle Retail Customer Insights, versions 15.0.2, 16.0.2
- Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0
- Oracle Retail Extract Transform and Load, version 13.2.5
- Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail Merchandising System, versions 16.0.3, 19.0.1
- Oracle Retail Order Broker, versions 18.0, 19.1
- Oracle Retail Pricing, version 19.0.1
- Oracle Retail Sales Audit, versions 15.0.3.1, 16.0.3
- Oracle Retail Xstore Point of Service, versions 17.0.4, 18.0.3, 19.0.2, 20.0.1, 21.0.1
- Oracle SD-WAN Edge, versions 9.0, 9.1
- Oracle Security Service, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Solaris, versions 10, 11
- Oracle Spatial Studio, versions prior to 22.1.0
- Oracle SQL Developer
- Oracle Stream Analytics, versions [19c] prior to 19.1.0.0.6.4
- Oracle TimesTen In-Memory Database, versions prior to 22.1.1.1.0
- Oracle Transportation Management, version 1.4.4
- Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0
- Oracle VM VirtualBox, versions prior to 6.1.36
- Oracle WebCenter Content, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle WebCenter Sites Support Tools, versions prior to 4.4.2
- Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Oracle Weblogic Server Proxy Plug-in, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle ZFS Storage Appliance Kit, version 8.8
- PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59
- Primavera Gateway, versions 17.12.0-17.12.11, 18.8.0-18.8.14, 19.12.0-19.12.13, 20.12.0-20.12.8, 21.12.0-21.12.1
- Primavera P6 Enterprise Project Portfolio Management, versions 17.12.0.0-17.12.20.4, 18.8.0.0-18.8.25.4, 19.12.0.0-19.12.19.0, 20.12.0.0-20.12.14.0, 21.12.0.0-21.12.4.0
- Primavera Unifier, versions 17.7-17.12, 18.8, 19.12, 20.12, 21.12
- Siebel Applications, versions 22.6 and prior
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
TECHNICAL SUMMARY:
*Technical Summary Here*
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
REFERENCES:
https://www.oracle.com/security-alerts/cpujul2022.html