As part of Hub City Media’s ongoing efforts to ensure Oracle IAM environments remain secure, we are advising that Oracle has released their quarterly Security Patch Updates.
We've evaluated these updates and created a summary of critical patches that may be required for client environments. To maintain the best possible security posture, please review these patches with your team.
Component: Oracle Java SE 7
Sub-Component(s): Hotspot, JDNI, JSSE, Sound, Deployment(libpng), Security, Networking
Patch Number: 13079846
This Critical Patch Update contains 12 new security fixes for Oracle Java SE. These vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. Some vulnerabilities are easily exploitable, and most allow an unauthenticated attacker with network access, via multiple protocols, the ability to compromise Java. Some vulnerabilities require human interaction from a person other than the attacker and while the vulnerabilities are in Java SE, attacks may significantly impact additional products.
Successful attacks can result in:
Partial Denial of Service of Java SE
Unauthorized update, insert or delete access to some of Java SE
Takeover of Java SE
Component: Oracle WebLogic Server (version 10.3.6.0)
Sub-Component: WLS Core, sample apps (Spring Framework), WLS Web Services, Console
Patch Number: 28343311
Easily exploitable vulnerabilities allow an unauthenticated attacker with network access via HTTP or T3 to compromise Oracle WebLogic Server. Successful exploitation of these vulnerabilities can result in takeover of Oracle WebLogic Server.
Oracle HTTP Server
Component: Oracle HTTP Server (version 126.96.36.199)
Sub-Component: Web Listener (curl)
Patch Number: 28281599
This difficult to exploit vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of Oracle HTTP Server.
Oracle Identity Manager
Component: Oracle Identity Manager (versions 188.8.131.52.0 and 184.108.40.206.0)
Sub-Component: Installer (jackson-databind)
Patch Number: 28768324
This critical patch contains an important fix to a recently discovered vulnerability in Oracle Identity Manager. The vulnerability allows an attacker with HTTP access to the network to compromise OIM. Attacks can allow unauthorized read-access to a subset of Oracle Identity Manager accessible data, as well as the ability to cause partial denial of service of Oracle Identity Manager.
Component: BI Publisher (versions 220.127.116.11.0, 18.104.22.168.0)
Sub-Component: BI Publisher Security (Apache Log4j)
Patch Number: 28632415 and 28632479 respectively
This critical patch contains a fix to an exploitable vulnerability. This issue allows an attacker to compromise Oracle Business Intelligence Publisher though the network via HTTP access. A successful attack would result in the takeover of Oracle Business Intelligence Publisher.
Component: JRockit (version R28.3)
Sub-Components: Scripting, JNDI, JSEE, Sound
Patch Number: 28414796
Vulnerability Details: JNDI
This critical patch contains a fix to difficult to exploit vulnerabilities that allow unauthenticated attackers with network access via multiple protocols to compromise Jrockit. Some attacks require human interaction from a person other than the attacker. Attacks may significantly impact additional products.
Successful attacks can result in:
Takeover of JRockit
Partial denial of service to JRockit
In addition to the above patches, Oracle has released patches for several of their products. The entire list of products, which you may want to share within your organization, can be found here.