As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.

We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.

For assistance with applying these patches, contact us. 

Oracle BI Publisher 11.1.1.9.0

Subcomponent(s): Mobile Service, Layout Templates

 Patch Number: 31525202

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.

 Successful attacks can result in:

• Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.

Oracle BI Publisher 12.2.1.3.0

 Subcomponent(s): Mobile Service, Layout Templates, BI Publisher Security

Patch Number: 31525202, 31178889

 Vulnerability Details: Easily exploitable vulnerability allows unauthenticated attackers with network access via HTTP to compromise Oracle BI Publisher and significantly impacts additional products.

 Successful attacks can result in:

• Unauthorized access to critical data or complete access to all Oracle BI Publisher accessible data as well as unauthorized update, insert, or delete access to some of Oracle BI Publisher accessible data.

Oracle Solaris

Subcomponent(s): Kernel, Operating System Image, Packaging Scripts,libsuri, Device Driver Utility,

 Patch Number: 11.4.23.69.3

 Vulnerability Details:

• Easily exploitable vulnerability allows low privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

• Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise Oracle Solaris.

• Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle ZFS Storage Appliance Kit.

• Easily exploitable vulnerability allows high privileged attacker with logon to the infrastructure where Oracle Solaris executes to compromise Oracle Solaris.

Successful attacks can result in:

• Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Solaris

• Unauthorized read access to a subset of Oracle Solaris accessible data

• Takeover of Oracle ZFS Storage Appliance Kit

• Unauthorized creation, deletion or modification access to critical data or all Oracle Solaris accessible data

• Takeover of Oracle Solaris

Oracle Unified Directory 11.1.2.3.0

Subcomponent(s): Security

 Patch Number: 31541461

 Vulnerability Details: Easily exploitable vulnerability allows high privileged attackers with network access via HTTP to compromise Oracle Unified Directory. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Oracle Unified Directory, attacks may significantly impact additional products.

 Successful attacks can result in:

• Unauthorized creation, deletion or modification access to critical data or all Oracle Unified Directory accessible data

• Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of Oracle Unified Directory

WebLogic Server 10.3.6

Subcomponent(s): Security Service, Core, Console, Log4j, Web Container, Web Services

 Patch Number: Patchset: 31178492,  ADR Patch: 31241365

 Vulnerability Details: Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP,  or T3 to compromise Oracle WebLogic Server.  Some attacks require human interaction and this variety of attack may significantly impact other products despite the vulnerability being in WebLogic Server.  Attackers exploiting these vulnerabilities have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

• Takeover of WebLogic Server

• Unauthorized creation, deletion or modification access to all Oracle WebLogic Server accessible data

• Unauthorized read access to a subset of Oracle WebLogic Server accessible data.

• Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)

• Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

WebLogic Server 12.2.1.3

Subcomponent(s): Centralized Thirdparty Jars (jackson-databind), Security Service, Core, Centralized Thirdparty Jars (Log4j), Console (Log4j), Web Container, Sample apps, Web Services

 Patch Number: Patchset: 31535411, ADR Patch: 31544340

 Vulnerability Details: Easily exploitable vulnerabilities that  allow unauthenticated attackers with network access via HTTP, HTTPS, IIOP, T3 to compromise Oracle WebLogic Server. Attackers exploiting these vulnerabilities can cause the system to have confidentiality, integrity and availability impacts.  Attacks exist that require human interaction however for these attacks despite the vulnerability being in WebLogic Server the attack could significantly impact other available products.  Difficult to exploit vulnerabilities that require human interaction which allows an unauthenticated attacker via HTTP to compromise WebLogic Server.  Vulnerabilities of this type also have confidentiality, integrity, and availability impacts. 

 Successful attacks can result in:

• Takeover of Oracle WebLogic Server

• Unauthorized creation, deletion or modification access to critical data or all Oracle WebLogic Server accessible data

• Unauthorized read access to a subset of Oracle WebLogic Server accessible data

• Unauthorized access to critical data or complete access to all Oracle WebLogic Server accessible data

• Unauthorized ability to cause a hang or frequently repeatable crash (complete DOS)

• Unauthorized update, insert or delete access to some of Oracle WebLogic Server accessible data

Java SE 7 

Subcomponent(s): Libraries, 2D, JAXP, JSSE

 Patch Number: 13079846

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products.  Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products.  Attacks of these varieties have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

• Takeover of Java SE, Java SE Embedded

• Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data

• Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

• Unauthorized ability to cause a partial denial of service (partial DOS)

• Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

Java SE 8

 Subcomponent(s): Libraries, 2D, JAXP, JSSE

 Patch Number: 18143322

 Vulnerability Details: Difficult to exploit vulnerability allows unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Some successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products.  Easily exploitable vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Java SE, Java SE Embedded. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in Java SE, Java SE Embedded, attacks may significantly impact additional products.  Attacks of these varieties have confidentiality, integrity and availability impacts.

 Successful attacks can result in:

• Takeover of Java SE, Java SE Embedded

• Unauthorized creation, deletion or modification access to critical data or all Java SE, Java SE Embedded accessible data

• Unauthorized update, insert or delete access to some of Java SE, Java SE Embedded accessible data

• Unauthorized ability to cause a partial denial of service (partial DOS)

• Unauthorized read access to a subset of Java SE, Java SE Embedded accessible data

In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.