HUBCITYMEDIA

View Original

Oracle Releases Quarterly Security Patch Updates - April 2020

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us

See this content in the original post

Oracle Solaris 11

Subcomponent(s): SMB Server Kernel Module, Operating System Image, jQuery, Oracle WebLogic Server, SMF command svcbundle, Whodo, Common Desktop Environment

 Patch Number: 31009799

 Vulnerability Details: Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Sun ZFS Storage Appliance Kit executes to compromise Sun ZFS Storage Appliance Kit. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise StorageTek Tape Analytics SW Tool. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in StorageTek Tape Analytics SW Tool, attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of Oracle Solaris, Sun ZFS Storage Appliance Kit, StorageTek Tape Analytics SW Tool

  • Unauthorized update, insert or delete access to some of StorageTek Tape Analytics SW Tool accessible data as well as unauthorized read access to a subset of StorageTek Tape Analytics SW Tool accessible data

  • Unauthorized read, update, insert or delete access to some of Oracle Solaris accessible data

WebLogic Server

Subcomponent(s): Console, Core, WLS Web Services, Management Services,

 Patch Number: 30857748

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server.  Easily exploitable vulnerability allows high privileged attackers with network access via HTTP or T3 to compromise Oracle WebLogic Server.  Unauthenticated attackers with network access via HTTP can compromise Oracle WebLogic Server with human interaction from a person other than the attacker and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.  Attacks exploiting these vulnerabilities can result in system confidentiality, integrity and availability impacts and have the following detrimental effects.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data.

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

Java SE

Subcomponent(s): Libraries, JSSE, Concurrency, Lightweight HTTP Server, Security, Serialization

 Patch Number: 13079846

 Vulnerability Details: Vulnerabilities of varying difficulties allowing unauthorized and highly privileged attackers via multiple network protocols, T3, and HTTPS, to compromise Java SE and Java SE Embedded.  Vulnerability is in Java SE and Java SE embedded however attacks may significantly impact additional products.  Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have a variety of detrimental effects.

 Successful attacks can result in:

●       Takeover of Java SE, Java SE Embedded.

●       Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded.

●       Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

●       Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Oracle HTTP Server

Subcomponent(s): Web Listener

 Patch Number: 31047338

 Vulnerability Details: Easily exploitable vulnerabilities allows unauthenticated attackers with network access via HTTP to compromise Oracle HTTP Server. Attacks can require human interaction from a person other than the attacker, or occur with a solo unauthenticated attacker. Attacks exploiting these vulnerabilities have system confidentiality, integrity and availability impacts and have the following detrimental effects.

 Successful attacks can result in:

●       Takeover of Oracle HTTP Server

●       Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data

●       unauthorized read access to a subset of Oracle HTTP Server accessible data.

Oracle Access Manager

Subcomponent(s): Federation, Authentication Engine, SSO Engine

Patch Number: 30609442

Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle Access Manager. Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle Access Manager. Successful attacks of both types require human interaction from a person other than the attacker and while the vulnerability is in Oracle Access Manager, attacks may significantly impact additional products.  Attacks exploiting these vulnerabilities confidentiality, integrity, and availability impacts and the following detrimental effects. 

 Successful attacks can result in:

●       Unauthorized update, insert or delete access to some of Oracle Access Manager accessible data

●       Unauthorized read access to a subset of Oracle Access Manager accessible data

●       Unauthorized ability to create partial Denial of Service

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.