GovCERT.HK - Security Alert (A16-07-03): Multiple Vulnerabilities in Oracle Java and Oracle Products (July 2016)

Description:

Oracle has released Critical Patch Update (CPU) Advisory with collections of patches for multiple security vulnerabilities found in Java SE and various Oracle products.

There are 13 vulnerabilities identified in Java affecting multiple sub-components including CORBA, Deployment, Hotspot, Install, JavaFX, JAXP, Libraries and Networking. All of them could be remotely exploited without authentication in which 3 of them could affect server deployment of Java (e.g. through a web service).

For vulnerabilities identified in those Oracle products, they can be remotely exploited through various protocols including HTTP, HTTPS, IPMI, MySQL Protocol, NTP, Oracle Net, SNMP, SSH, SSL/TLS, T3, TLS, UDP and X11 over a network.

There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing un-trusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.

Affected Systems:

Oracle Java SE

Oracle Java SE, versions 6u115, 7u101, 8u92
Oracle Java SE Embedded, version 8u91
Oracle JRockit, version R28.3.10

Database Server

Application Express, versions prior to 5.0.4
Oracle Database Server, versions 11.2.0.4, 12.1.0.1, 12.1.0.2

Oracle Linux and Virtualization

Oracle Secure Global Desktop, versions 4.63, 4.71, 5.2
Oracle VM VirtualBox, versions prior to 5.0.26

Oracle MySQL Product Suite

MySQL Server, versions 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior

Fusion Applications and Middleware

Hyperion Financial Reporting, version 11.1.2.4
Oracle Access Manager, versions 10.1.4.x, 11.1.1.7
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
Oracle Directory Server Enterprise Edition, versions 7.0, 11.1.1.7.0
Oracle Exalogic Infrastructure, versions 1.x, 2.x
Oracle Fusion Applications, versions 11.1.2 through 11.1.10
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0
Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2
Oracle HTTP Server, versions 11.1.1.9, 12.1.3.0
Oracle JDeveloper, versions 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
Oracle Portal, versions 11.1.1.6
Oracle TopLink, versions 12.1.3.0, 12.2.1.0, 12.2.1.1
Oracle WebCenter Sites, versions 11.1.1.8, 12.2.1.0
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0
Outside In Technology, versions 8.5.0, 8.5.1, 8.5.2

E-Business Suite

Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5

Enterprise Manager

Enterprise Manager Base Platform, versions 12.1.0.5, 13.1.0.0
Enterprise Manager for Fusion Middleware, versions 11.1.1.7, 11.1.1.9
Enterprise Manager Ops Center, versions 12.1.4, 12.2.2, 12.3.2

Health Sciences

Oracle Health Sciences Clinical Development Center, versions 3.1.1.x, 3.1.2.x
Oracle Health Sciences Information Manager, versions 1.2.8.3, 2.0.2.3, 3.0.1.0
Oracle Healthcare Analytics Data Integration, versions 3.1.0.0.0
Oracle Healthcare Master Person Index, versions 2.0.12, 3.0.0, 4.0.1

JD Edwards

JD Edwards EnterpriseOne Tools, version 9.2.0.5

Oracle Banking Platform

Oracle Banking Platform, versions 2.3.0, 2.4.0, 2.4.1, 2.5.0

Oracle Communications Applications

Oracle Communications ASAP, versions 7.0, 7.2, 7.3
Oracle Communications Core Session Manager, versions 7.2.5, 7.3.5
Oracle Communications EAGLE Application Processor, versions 16.0
Oracle Communications Messaging Server, versions 6.3, 7.0, 8.0, prior to 7.0.5.37.0 and 8.0.1.1.0
Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
Oracle Communications Operations Monitor, versions prior to 3.3.92.0.0
Oracle Communications Policy Management, versions prior to 9.9.2
Oracle Communications Session Border Controller, versions 7.2.0, 7.3.0
Oracle Communications Unified Session Manager, versions 7.2.5, 7.3.5
Oracle Enterprise Communications Broker, versions prior to PCz 2.0.0m4p1

Oracle Financial Services Applications

Oracle Financial Services Lending and Leasing, versions 14.1, 14.2
Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3

Oracle Insurance Applications

Oracle Documaker, version prior to 12.5
Oracle Insurance Calculation Engine, versions 9.7.1, 10.1.2, 10.2.2
Oracle Insurance Policy Administration J2EE, versions 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
Oracle Insurance Rules Palette, versions 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2

Oracle Knowledge Applications

Oracle Knowledge, versions 8.5.x

Oracle Policy Automation

Oracle In-Memory Policy Analytics, version 12.0.1
Oracle Policy Automation, versions 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
Oracle Policy Automation Connector for Siebel, versions 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
Oracle Policy Automation for Mobile Devices, version 12.1.1

Oracle Primavera Products Suite

Primavera Contract Management, version 14.2
Primavera P6 Enterprise Project Portfolio Management, versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1

Oracle Supply Chain Products

Oracle Agile Engineering Data Management, versions 6.1.3.0, 6.2.0.0
Oracle Agile PLM, versions 9.3.4, 9.3.5
Oracle Demand Planning, versions 12.1, 12.2
Oracle Transportation Management, versions 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1

Oracle Utilities Applications

Oracle Utilities Framework, versions 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
Oracle Utilities Network Management System, versions 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12. 1.12.0.3.5
Oracle Utilities Work and Asset Management, version 1.9.1.2.8

Oracle and Sun Systems Products Suite

40G 10G 72/64 Ethernet Switch, version 2.0.0
Fujitsu M10-1, M10-4, M10-4S Servers, versions prior to XCP 2320
ILOM, versions 3.0, 3.1, 3.2
Oracle Switch ES1-24, version 1.3
Solaris, versions 10, 11.3
Solaris Cluster, versions 3.3, 4.3
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1121
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version 1.2
Sun Data Center InfiniBand Switch 36, versions prior to 2.2.2
Sun Network 10GE Switch 72p, version 1.2
Sun Network QDR InfiniBand Gateway Switch, versions prior to 2.2.2

PeopleSoft

PeopleSoft Enterprise FSCM, versions 9.1, 9.2
PeopleSoft Enterprise PeopleTools, versions 8.53, 8.54, 8.55

Retail Applications

MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
Oracle Retail Central, Back Office, Returns Management, versions 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0
Oracle Retail Integration Bus, versions 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
Oracle Retail Order Broker, versions 4.1, 5.1, 5.2, 15.0
Oracle Retail Service Backbone, versions 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
Oracle Retail Store Inventory Management, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1

Siebel CRM

Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016

Impact:

Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of services, information disclosure, bypass of security restrictions or compromise of a vulnerable system.

Recommendation:

Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

For Oracle Java SE products, please refer to the following link:

Java Platform SE 8 (JDK and JRE 8 Update 101)
This link will open in a new windowhttp://www.oracle.com/technetwork/java/javase/downloads/index.html

For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:

This link will open in a new windowhttp://www.oracle.com/technetwork/topics/security/cpujul2016-2881720.html

Users may contact their product support vendors for the fixes and assistance.

More Information: