HUBCITYMEDIA


Oracle Releases Quarterly Security Patch Updates - January 2021

As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us.


Java SE 7

Product: Java SE 7

 Subcomponent(s): Libraries

 Patch Number: 13079846

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.

 Successful attacks can result in:

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Java SE 8

Product: Java SE 8

 Subcomponent(s): Libraries

 Patch Number: 18143322

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded.

 Successful attacks can result in:

  • Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data.

Oracle BI Publisher 11.1.1.9.0, 12.2.1.3.0

Product: Oracle BI Publisher 11.1.1.9.0, Oracle BI Publisher 12.2.1.3.0

Subcomponent(s): Administration, BI Publisher Security, E-Business Suite - XDO, Web Server

Patch Number: 32310890 (11.1.1.9.0), 32294042 (12.2.1.3)

Vulnerability Details: Easily exploitable vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle BI Publisher. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle BI Publisher, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data

  • Unauthorized update, insert or delete access to some of Oracle BI Publisher accessible data

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle BI Publisher


Oracle WebLogic Server 10.3.6

Product: Oracle WebLogic Server 10.3.6.0.0

Subcomponent(s): Web Services, Core Components, Samples, Console, Console (Apache Commons Beanutils), Sample Apps (Spring Framework)

Patch Number: 32052267, 32134024

Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privileged, or high privileged attackers with network access via HTTP or IIOP/T3 to compromise Oracle WebLogic Server.

Difficult to exploit vulnerability allows a low privileged attacker with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

 Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

 

Oracle WebLogic Server 12.2.1.3

Product: Oracle WebLogic Server 12.2.1.3

Subcomponent(s): Core Components (Connect2id Nimbus JOSE+JWT), Core Components, Samples, Console (Apache Commons Beanutils), Console, Sample Apps (Spring Framework), Sample Apps (jQuery), Centralized Thirdparty Jars (Google Guava)

Patch Number: 32300397, 32148634

Vulnerability Details: Easily exploitable vulnerability allows unauthenticated, low privileged, and high privileged attackers with network access via HTTP or IIOP/T3 to compromise Oracle WebLogic Server.

Difficult to exploit vulnerability allows low privileged attackers with network access via HTTP to compromise Oracle WebLogic Server. Successful attacks require human interaction from a person other than the attacker, and while the vulnerability is in Oracle WebLogic Server, attacks may significantly impact additional products.

Successful attacks can result in:

  • Takeover of Oracle WebLogic Server.

  • Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data.

  • Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data.

  • Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

  • Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle WebLogic Server.

  • Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle WebLogic Server.

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.