As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us. 

Oracle Identity Manager (OIM)

Product: Oracle Identity Management

 Subcomponent(s): Advanced Console

 Patch Number: 30338509 

 Vulnerability Details:  Supported versions affected are 11.1.2.3.0 and 12.2.1.3.0. An easily exploitable vulnerability allows a low privileged attacker with network access via HTTP to compromise Identity Manager.

 Successful attacks can result in:

• Unauthorized update, insert or delete access to some of Identity Manager’s accessible data

• Unauthorized read access to a subset of Identity Manager accessible data

WebLogic Server

Product: Oracle Weblogic Server

 Subcomponent(s): WLS Core Components, Application Container - Java EE, Console

 Patch Number: 30463097 - Estimated Availability January 31, 2020

 Vulnerability Details: Easily exploitable vulnerabilities that allow an unauthenticated attacker with network access via IIOP or T3 to compromise Oracle WebLogic Server. Easily exploitable vulnerabilities that allow a high privileged attacker with network access via HTTP or a logon to the infrastructure where Weblogic Server executes to compromise Oracle WebLogic Server.  Some vulnerabilities require human interaction, and while these the vulnerability is in Oracle Weblogic Server attacks might significantly impact additional products.

 Successful attacks can result in:

• Takeover of Weblogic Server

• Unauthorized access to critical data or complete access to all accessible data

• Unauthorized update, insert, or delete access to Weblogic accessible data

• Unauthorized read access to subset of Weblogic accessible data

• Unauthorized ability to cause partial denial of service

Java SE

Product: Java SE

 Subcomponent(s): Serialization, Security, Networking, Libraries

 Patch Number: 13079846

Vulnerability Details:

This patch update corrects vulnerabilities that have potentially high Confidentiality, Integrity, and Availability impacts. Exploitable vulnerabilities allow unauthenticated attackers with network access through multiple protocols to compromise Java SE. Successful attacks can have a variety of detrimental effects.

Successful attacks can result in:

• Attacker takeover of Java SE

• Unauthorized complete manipulation of Java accessible data, including access, write, delete, and modify

• Unauthorized ability to cause a partial denial of service (partial DOS) of Java SE

• Unauthenticated attacker with network access via Kerberos to compromise Java SE

Oracle HTTP Server

Product: Oracle Fusion Middleware

 Subcomponent(s): OSSL Module, Web Listener

 Patch Number: 30654519

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle HTTP Server and allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server.

 Successful attacks can result in:

•  Partial DOS of the HTTP Server

• Unauthorized update, insert or delete access to some of Oracle HTTP Server accessible data as well as unauthorized read access to a subset of Oracle HTTP Server accessible data

Oracle Solaris

Product: Oracle Solaris 11

 Subcomponent(s): Consolidation Infrastructure,Filesystem,Kernel,X Window System,SMB Server

 Patch Number: 30681152, 30681156

 Vulnerability Details: Difficult to exploit vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris. While the vulnerability is in Oracle Solaris, attacks may significantly impact additional products. Easily exploitable vulnerability allows unauthenticated attacker with network access via SMB to compromise Oracle Solaris

 Successful attacks can result in:

• Takeover of Oracle Solaris

• Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

• Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris.

• Unauthorized ability to cause a partial denial of service (partial DOS) of Oracle Solaris

BI Publisher

Product: Oracle Business Intelligence Enterprise Edition

 Subcomponent(s): Analytics Server and Analytics Web General (OpenSSL)

 Patch Number: 30677050

 Vulnerability Details: 

Difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTPS to compromise Oracle Business Intelligence Enterprise Edition.

Successful attacks can result in:

• Unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data.

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.