April 2018: Oracle Releases Quarterly Security Patch Updates

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us. 

Component: Oracle Java SE 7
Sub-Component(s): Hotspot, Security, AWT, Concurrency, JAXP, JMX, Serialization, RMI
Patch Number: 13079846
 
Vulnerability Details: 
There were 11 new vulnerabilities discovered in Java 7. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access via multiple protocols the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker, and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.

Successful attacks can result in:

• unauthorized read, update, insert or delete access to some of Java SE accessible data
• unauthorized creation, deletion or modification access to critical data or all Java SE accessible data
• unauthorized ability to cause a partial denial of service (DOS) of Java SE
• unauthorized access to critical data or complete access to all Java SE, Java SE Embedded, JRockit accessible data
• takeover of Java SE, Java SE Embedded

Some vulnerabilities can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. They can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. Other vulnerabilities apply to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security.

Component: Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3
Sub-Component(s): WLS Security (Apache OpenJPA), WL Diagnostics Framework (Apache Log4j), Sample apps (jackson-databind), WLS Core Components
Patch Number: 27453773
 
Vulnerability Details: 
This Critical Patch contains three fixes for Oracle WebLogic Server version 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3. These vulnerabilities are easy to exploit, allowing unauthenticated attackers with network access via HTTP or T3 to:

• compromise Oracle WebLogic Server and perform a takeover of Oracle WebLogic Server 

This Critical Patch also contains a fix for Oracle WebLogic Server version 12.2.1.3. This vulnerability is easy to exploit, allowing an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server and: 

• gain unauthorized update, insert or delete access to some Oracle WebLogic Server accessible data
• gain unauthorized read access to a subset of Oracle WebLogic Server accessible data
• gain unauthorized ability to cause a partial denial of service (DOS) of Oracle WebLogic Server

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.