CERT-In Advisory
CIAD-2023-0038
Multiple Vulnerabilities in Oracle Products
Original Issue Date: October 19, 2023
Severity Rating: High
Software Affected
- BI Publisher, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0
- TimesTen In-Memory Database, versions prior to 18.1.4.38.0, prior to 18.1.4.39.0, prior to 22.1.1.18.0
- Sun ZFS Storage Appliance, version 8.8.60
- Siebel Applications, versions 23.8 and prior
- Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.16, 22.12.0-22.12.9
- Primavera Gateway, versions 19.12.0-19.12.17, 20.12.0-20.12.12, 21.12.0-21.12.10
- PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60
- PeopleSoft Enterprise HCM Global Payroll Switzerland, version 9.2
- PeopleSoft Enterprise CC Common Application Objects, version 9.2
- Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Oracle WebCenter Portal, version 12.2.1.4.0
- Oracle WebCenter Content, version 12.2.1.4.0
- Oracle VM VirtualBox, versions prior to 7.0.12
- Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1
- Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.0.1, 4.5.0.1.0-4.5.0.1.2
- Oracle Unified Directory, version 12.2.1.4.0
- Oracle Solaris, versions 10, 11
- Oracle SOA Suite, version 12.2.1.4.0
- Oracle Service Bus, version 12.2.1.4.0
- Oracle Secure Backup, versions 18.1.0.1.0, 18.1.0.2.0
- Oracle SD-WAN Edge, versions 9.1.1.5.0, 9.1.1.6.0
- Oracle Retail Xstore Point of Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2, 22.0.0
- Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail Merchandising System, version 19.0.1
- Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail Fiscal Management, version 14.2
- Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
- Oracle Retail EFTLink, versions 20.0.1, 21.0.0, 22.0.0
- Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.13, 19.0.0.7
- Oracle Retail Bulk Data Integration, versions 16.0.3, 19.0.1
- Oracle REST Data Services, versions prior to 23.2.2
- Oracle Outside In Technology, version 8.5.6
- Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
- Oracle Managed File Transfer, version 12.2.1.4.0
- Oracle Life Sciences InForm, version 7.0.0.0
- Oracle Life Sciences InForm Publisher, version 6.3.1.0
- Oracle Java SE, versions 8u381, 8u381-perf, 11.0.20, 17.0.8, 21
- Oracle Identity Manager, version 12.2.1.4.0
- Oracle Hyperion Infrastructure Technology, version 11.2.14.0.0
- Oracle HTTP Server, version 12.2.1.4.0
- Oracle Healthcare Master Person Index, versions 5.0.0-5.0.6
- Oracle Graph Server and Client, versions 22.4.4 and prior
- Oracle GraalVM for JDK, versions 17.0.8, 21
- Oracle GoldenGate Studio, version 12.2.1.4.0
- Oracle Global Lifecycle Management OPatch, versions prior to 12.2.0.1.40
- Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
- Oracle FLEXCUBE Universal Banking, versions 12.3, 12.4, 14.0-14.3, 14.5-14.7
- Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3, 12.4, 14.0-14.3, 14.5-14.7
- Oracle FLEXCUBE Core Banking, versions 11.6-11.8, 11.10, 11.11
- Oracle Financial Services Model Management and Governance, versions 8.1.2.3, 8.1.2.4
- Oracle Financial Services Cash Flow Engine, version 8.1.2.0.0
Oracle Essbase, version 21.5.0.0.0
Oracle Enterprise Session Border Controller, versions 9.0-9.2
Oracle Enterprise Operations Monitor, versions 5.0, 5.1
Oracle Enterprise Manager Ops Center, version 12.4.0.0
Oracle Enterprise Manager for Peoplesoft, version 13.5.1.1
Oracle Enterprise Manager Base Platform, version 13.5.0.0
Oracle Enterprise Data Quality, version 12.2.1.4.0
Oracle Enterprise Communications Broker, versions 3.3, 4.0, 4.1
Oracle E-Business Suite, versions 12.2.3-12.2.12, [ECC] 8, [ECC] 9, [ECC] 10
Oracle Documaker, versions 12.6.4-12.7.1
Oracle Database Server, versions 19.3-19.20, 21.3-21.11
Oracle Data Integrator, version 12.2.1.4.0
Oracle Communications WebRTC Session Controller, versions 7.2.0.0.0, 7.2.1.0.0
Oracle Communications Unified Assurance, versions 5.5.0-5.5.17, 6.0.0-6.0.3
Oracle Communications Session Report Manager, versions 9.0.0-9.0.2
Oracle Communications Policy Management, version 12.6.0.0
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1
Oracle Communications Network Charging and Control, version 12.0.6.0
Oracle Communications Network Analytics Data Director, version 23.2.0
Oracle Communications MetaSolv Solution, version 6.3.1.0.0
Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0
Oracle Communications Element Manager, versions 9.0.0-9.0.2
Oracle Communications Diameter Signaling Router, versions 8.6.0.0, 9.0.0.0
Oracle Communications Convergent Charging Controller, version 12.0.6.0
Oracle Communications Cloud Native Core Unified Data Repository, version 23.1.2
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.1.0, 23.1.3, 23.3.0
Oracle Communications Cloud Native Core Policy, versions 23.1.0-23.1.8, 23.2.0-23.2.4
Oracle Communications Cloud Native Core Network Repository Function, versions 23.1.3, 23.2.1, 23.3.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.2.0, 23.2.2
Oracle Communications Cloud Native Core Network Exposure Function, versions 23.1.3, 23.3.0
Oracle Communications Cloud Native Core Console, versions 23.1.1, 23.1.2, 23.2.1
Oracle Communications Cloud Native Core Binding Support Function, versions 23.1.0-23.1.8, 23.2.0-23.2.4
Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.4-12.0.0.8
Oracle Commerce Guided Search, version 11.3.2
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
Oracle Business Process Management Suite, version 12.2.1.4.0
Oracle Business Intelligence Enterprise Edition, versions 6.4.0.0.0, 7.0.0.0.0, 12.2.1.4.0
Oracle Big Data Spatial and Graph, versions 2.5 and prior
Oracle Banking Virtual Account Management, versions 14.5-14.7
Oracle Banking Trade Finance, versions 14.5-14.7
Oracle Banking Trade Finance Process Management, versions 14.5-14.7
Oracle Banking Supply Chain Finance, versions 14.5-14.7
Oracle Banking Platform, versions 2.6.2, 2.9.0
Oracle Banking Payments, versions 14.0-14.3, 14.5-14.7
Oracle Banking Party Management, version 2.7
Oracle Banking Origination, versions 14.5-14.7
Oracle Banking Loans Servicing, version 2.12
Oracle Banking Liquidity Management, versions 14.5-14.7
Oracle Banking Electronic Data Exchange for Corporates, versions 14.5-14.7
Oracle Banking Digital Experience, versions 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
Oracle Banking Deposits and Lines of Credit Servicing, versions 2.7, 2.12
Oracle Banking Credit Facilities Process Management, versions 14.5-14.7
Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7
Oracle Banking Corporate Lending Process Management, versions 14.5-14.7
Oracle Banking Cash Management, versions 14.5-14.7
Oracle Banking Branch, versions 14.5-14.7
Oracle Banking APIs, versions 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
Oracle Application Testing Suite, version 13.3.0.1
Oracle Agile PLM, version 9.3.6
Oracle Access Manager, version 12.2.1.4.0
MySQL Shell, versions 8.1.1 and prior
MySQL Server, versions 5.7.43 and prior, 8.0.34 and prior, 8.1.0 and prior
MySQL Installer, versions prior to 1.6.8
MySQL Enterprise Monitor, versions 8.0.35 and prior
MySQL Connectors, versions 8.1.0 and prior
MySQL Cluster, versions 8.0.34 and prior, 8.1.0
Management Cloud Engine, version 23.1.0.0
JD Edwards EnterpriseOne Tools, version 9.2.7
Hospitality OPERA 5 Property Services, version 5.6
GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.230922
GoldenGate Big Data, versions 21.3-21.10
Overview
Multiple vulnerabilities have been reported in various Oracle products which could be exploited by the attacker to execute arbitrary code, bypass security restrictions, gain sensitive information or cause denial of service condition on the targeted system.
Description
These vulnerabilities have been reported in various components of Oracle products.
Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code, bypass security restrictions, gain sensitive information or cause denial of service condition on the targeted sys-tem.
Solution
Apply appropriate updates as mentioned in Oracle updates:
https://www.oracle.com/security-alerts/cpuoct2023.html
Vendor Information
Oracle
https://www.oracle.com/security-alerts/cpuoct2023.html
References
Oracle
https://www.oracle.com/security-alerts/cpuoct2023.html
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India
|