OVERVIEW: Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.
SYSTEMS AFFECTED:
- Application Management Pack for Oracle E-Business Suite, version 13.4.1.0.0
- Big Data Spatial and Graph
- Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0
- Enterprise Manager for Virtualization, versions 13.4.0.0, 13.5.0.0
- Enterprise Manager Ops Center, version 12.4.0.0
- JD Edwards EnterpriseOne Orchestrator, versions 9.2.6.4 and prior
- JD Edwards EnterpriseOne Tools, versions 9.2.6.4 and prior
- MySQL Connectors, versions 8.0.30 and prior
- MySQL Enterprise Backup, versions 4.1.4 and prior
- MySQL Enterprise Monitor, versions 8.0.31 and prior
- MySQL Installer, versions 1.6.3 and prior
- MySQL Server, versions 5.7.39 and prior, 8.0.30 and prior
- MySQL Shell, versions 8.0.30 and prior
- MySQL Workbench, versions 8.0.30 and prior
- Oracle Access Manager, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Agile Engineering Data Management, version 6.2.1.0
- Oracle Agile PLM, version 9.3.6
- Oracle Airlines Data Model
- Oracle Application Express
- Oracle AutoVue, version 21.0.2
- Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
- Oracle Banking Enterprise Default Management, version 2.12.0
- Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0
- Oracle Banking Party Management, version 2.7.0
- Oracle Banking Platform, versions 2.7.1, 2.9.0, 2.12.0
- Oracle BI Publisher, versions 5.9.0.0, 6.4.0.0.0, 12.2.1.3.0, 12.2.1.4.0
- Oracle Business Activity Monitoring(Oracle BAM), versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0, 6.4.0.0
- Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce Platform, versions 11.3.0-11.3.2
- Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0
- Oracle Communications Cloud Native Core Binding Support Function, version 22.3.0
- Oracle Communications Cloud Native Core Console, version 22.2.0
- Oracle Communications Cloud Native Core Network Exposure Function, versions 22.2.1, 22.3.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 1.9.0, 22.1, 22.1.0, 22.2, 22.2.0, 22.2.1
- Oracle Communications Cloud Native Core Network Repository Function, version 22.2.2
- Oracle Communications Cloud Native Core Policy, version 22.3.0
- Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.1.1, 22.2.0, 22.2.1, 22.3.0
- Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.2.3, 22.3.1, 22.4.0
- Oracle Communications Cloud Native Core Unified Data Repository, versions 22.1.1, 22.2.1, 22.3.0
- Oracle Communications Converged Application Server – Service Controller, version 6.2
- Oracle Communications Convergence, version 3.0.3.0
- Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0
- Oracle Communications Data Model, version 12.2.0.1
- Oracle Communications Design Studio, version 7.4.2
- Oracle Communications Diameter Signaling Router, version 8.6.0.0
- Oracle Communications Element Manager, version 9.0
- Oracle Communications Evolved Communications Application Server, version 7.1
- Oracle Communications Instant Messaging Server, version 10.0.1.6.0
- Oracle Communications Interactive Session Recorder, version 6.4
- Oracle Communications Messaging Server, version 8.1
- Oracle Communications MetaSolv Solution, version 6.3.1
- Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.5.0.0
- Oracle Communications Order and Service Management, versions 7.3, 7.4
- Oracle Communications Policy Management, version 12.6.0.0.0
- Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.7.0
- Oracle Communications Services Gatekeeper, version 7.0.0.0.0
- Oracle Communications Session Border Controller, versions 8.4, 9.0, 9.1
- Oracle Communications Session Report Manager, version 9.0
- Oracle Communications Unified Assurance, versions prior to 5.5.7.0.0, 6.0.0.0.0
- Oracle Communications User Data Repository, versions 12.4.0, 12.6.0, 12.6.1
- Oracle Communications WebRTC Session Controller, versions 7.2.0, 7.2.1
- Oracle Data Integrator, version 12.2.1.4.0
- Oracle Database Server, versions 19c, 21c
- Oracle Documaker Enterprise Edition, versions 12.6-12.7
- Oracle E-Business Suite, versions 12.2.3-12.2.11
- Oracle Enterprise Data Quality, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Enterprise Operations Monitor, versions 4.4, 5.0
- Oracle Essbase, version 21.3
- Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0-8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1
- Oracle Financial Services Behavior Detection Platform, versions 8.0.7.2, 8.0.8.1, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2
- Oracle Financial Services Enterprise Case Management, versions 8.0.7.3, 8.0.8.2, 8.1.1.0, 8.1.1.1, 8.1.2.0, 8.1.2.1, 8.1.2.2
- Oracle Financial Services Model Management and Governance, versions 8.0.8.0, 8.1.0.0, 8.1.1.0
- Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, versions 8.0.7.0, 8.0.8.0
- Oracle GoldenGate, version 19c
- Oracle GraalVM Enterprise Edition, versions 20.3.7, 21.3.3, 22.2.0
- Oracle Healthcare Data Repository, versions 8.1.1, 8.1.2, 8.1.3
- Oracle Healthcare Foundation, versions 8.1, 8.2
- Oracle Healthcare Master Person Index, versions 5.0.0-5.0.3
- Oracle Healthcare Translational Research, version 4.1
- Oracle Hospitality Cruise Fleet Management System, version 9.1.5
- Oracle Hospitality Cruise Shipboard Property Management System, versions 20.2.0, 20.2.2
- Oracle Hospitality Suite8, versions 8.10.2, 8.11.0, 8.12.0, 8.13.0, 8.14.0
- Oracle HTTP Server, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Hyperion Infrastructure Technology, version 11.2.9
- Oracle Identity Management Suite, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Insurance Insbridge Rating and Underwriting, versions 5.2.0, 5.4.0-5.6.2
- Oracle Java SE, versions 8u341, 8u345-perf, 11.0.16.1, 17.0.4.1, 19
- Oracle MapViewer, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Middleware Common Libraries and Tools, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle NoSQL Database
- Oracle Outside In Technology, version 8.5.6
- Oracle Retail Assortment Planning, version 16.0.3
- Oracle Retail Back Office, version 14.1
- Oracle Retail Central Office, version 14.1
- Oracle Retail Customer Insights, versions 15.0.2, 15.2, 16.0.2
- Oracle Retail Customer Management and Segmentation Foundation, versions 17.0, 18.0, 19.0
- Oracle Retail EFTLink, versions 20.0.1, 21.0.0
- Oracle Retail Fiscal Management, version 14.2
- Oracle Retail Merchandising System, versions 14.1.3.2, 15.0.3.1, 19.0.1
- Oracle Retail Point Of Service, version 14.1
- Oracle Retail Predictive Application Server, versions 14.1.3.47, 15.0.3.116, 16.0.3.260
- Oracle Retail Returns Management, version 14.1
- Oracle Retail Sales Audit, version 19.0.1
- Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3
- Oracle SD-WAN Aware, version 9.0.1.3.0
- Oracle SD-WAN Edge, versions 7.0.7, 9.1.1.2.0
- Oracle Secure Backup, versions prior to 18.1.0.2.0
- Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle Solaris, version 11
- Oracle Solaris Cluster, version 4
- Oracle SQL Developer
- Oracle TimesTen In-Memory Database
- Oracle Transportation Management, versions 6.4.3, 6.5.1
- Oracle Utilities Testing Accelerator, versions 6.0.0.1.3, 6.0.0.2.4, 6.0.0.3.3, 7.0.0.0.0
- Oracle VM VirtualBox, versions prior to 6.1.40
- Oracle WebCenter Content, version 12.2.1.3.0
- Oracle WebCenter Portal, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
- Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- PeopleSoft Enterprise Common Components, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
- Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.14, 20.12.0-20.12.9, 21.12.0-21.12.7
- Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12
- Siebel Applications, versions 22.8 and prior
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: Low
RECOMMENDATIONS
??????We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Microsoft to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
- Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
REFERENCES:
Oracle:
https://www.oracle.com/security-alerts/cpuoct2022.html