Oracle Quarterly Critical Patches Issued April 18th, 2023 – PATCH NOW – TLP: CLEAR

TLP: CLEAR

MS-ISAC CYBERSECURITY ADVISORY

MS-ISAC ADVISORY NUMBER:
2023-042

DATE(S) ISSUED:
04/18/2023

SUBJECT:
Oracle Quarterly Critical Patches Issued April 18, 2023

OVERVIEW:
Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.

SYSTEMS AFFECTED:

• JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.3

• JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.3

• JD Edwards World Security, version A9.4

• Management Cloud Engine, version 22.1.0.0.0

• MySQL Cluster, versions 7.5.29 and prior, 7.6.25 and prior, 8.0.32 and prior

• MySQL Connectors, versions 8.0.32 and prior

• MySQL Enterprise Monitor, versions 8.0.33 and prior

• MySQL Server, versions 5.7.41 and prior, 8.0.32 and prior

• MySQL Workbench, versions 8.0.32 and prior

• Oracle Access Manager, version 12.2.1.4.0

• Oracle Agile PLM, version 9.3.6

• Oracle Application Testing Suite, version 13.3.0.1

• Oracle Argus Insight, versions prior to 8.2.3

• Oracle Argus Safety, versions prior to 8.2.3

• Oracle Banking APIs, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2

• Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7

• Oracle Banking Corporate Lending Process Management, versions 14.4-14.7

• Oracle Banking Digital Experience, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2

• Oracle Banking Payments, versions 14.5, 14.6, 14.7

• Oracle Banking Trade Finance, versions 14.5, 14.6, 14.7

• Oracle Banking Treasury Management, versions 14.5, 14.6, 14.7

• Oracle Banking Virtual Account Management, versions 14.5, 14.6, 14.7

• Oracle BI Publisher, versions 6.4.0.0.0, 12.2.1.4.0

• Oracle Big Data Spatial and Graph, versions prior to 23.1

• Oracle Blockchain Platform, versions prior to 21.1.3

• Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0

• Oracle Business Process Management Suite, version 12.2.1.4.0

• Oracle Clinical Remote Data Capture, version 5.4.0.2

• Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0

• Oracle Commerce Guided Search, version 11.3.2

• Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2

• Oracle Communications Cloud Native Configuration Console, versions 22.4.1, 23.1.0

• Oracle Communications Cloud Native Core Automated Test Suite, versions 22.3.1, 22.4.0

• Oracle Communications Cloud Native Core Binding Support Function, versions 22.4.0-22.4.4, 23.1.0-23.1.1

• Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0

• Oracle Communications Cloud Native Core Network Exposure Function, versions 22.4.2, 23.1.0

• Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.4.0

• Oracle Communications Cloud Native Core Network Repository Function, version 23.1.0

• Oracle Communications Cloud Native Core Policy, versions 22.4.0-22.4.4, 23.1.0-23.1.1

• Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.4.0, 22.4.1, 22.4.2, 23.1.0

• Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.3.0, 22.4.0

• Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.1, 23.1.0

• Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0

• Oracle Communications Core Session Manager, versions 8.45, 9.15

• Oracle Communications Diameter Signaling Router, version 8.6.0.0

• Oracle Communications Element Manager, versions 9.0.0, 9.0.1

• Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0

• Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0

• Oracle Communications Operations Monitor, version 5.0

• Oracle Communications Order and Service Management, version 7.4.1

• Oracle Communications Policy Management, version 12.6.0.0.0

• Oracle Communications Services Gatekeeper, version 7.0.0.0.0

• Oracle Communications Session Border Controller, versions 9.0, 9.1

• Oracle Communications Session Report Manager, versions 9.0.0, 9.0.1

• Oracle Communications Session Router, versions 9.0, 9.1

• Oracle Communications Subscriber-Aware Load Balancer, versions 9.0, 9.1

• Oracle Communications Unified Assurance, versions 5.5.0-5.5.10, 6.0.0-6.0.2

• Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2, 7.5.0

• Oracle Communications User Data Repository, version 12.6.1.0.0

• Oracle Data Integrator, version 12.2.1.4.0

• Oracle Database Server, versions 19c, 21c

• Oracle Documaker, versions 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0

• Oracle E-Business Suite, versions 12.2.3-12.2.12

• Oracle Enterprise Communications Broker, versions 3.3, 4.0

• Oracle Enterprise Manager Ops Center, version 12.4.0.0

• Oracle Enterprise Session Router, version 9.1

• Oracle Essbase, version 21.4

• Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2

• Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.7.1.2, 8.1.1.1.7

• Oracle Financial Services Asset Liability Management, version 8.0.7.8.0

• Oracle Financial Services Balance Computation Engine, version 8.1.1.1.1

• Oracle Financial Services Balance Sheet Planning, version 8.0.8.1.4

• Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4

• Oracle Financial Services Compliance Studio, version 8.1.2.4

• Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.5

• Oracle Financial Services Currency Transaction Reporting, versions 8.0.8.1.0, 8.1.1.1.0, 8.1.2.3.0, 8.1.2.4.1

• Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.1.2.0, 8.1.2.1

• Oracle Financial Services Data Integration Hub, versions 8.0.7.3.1, 8.1.0.1.4, 8.1.2.2.1

• Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7.3.1, 8.0.8.3.1

• Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.3, 8.1.2.4

• Oracle Financial Services Enterprise Financial Performance Analytics, version 8.0.7.8.1

• Oracle Financial Services Funds Transfer Pricing, version 8.0.7.8.1

• Oracle Financial Services Institutional Performance Analytics, version 8.0.7.8.1

• Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7.3.1, 8.0.8.3.1

• Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.7.8.1, 8.0.8.2.1

• Oracle Financial Services Model Management and Governance, versions 8.1.0.0, 8.1.2.0

• Oracle Financial Services Profitability Management, version 8.0.7.8.1

• Oracle Financial Services Regulatory Reporting, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4

• Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.1.1.2.0

• Oracle Financial Services Retail Performance Analytics, version 8.0.7.8.1

• Oracle Financial Services Revenue Management and Billing, versions 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0

• Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0.0

• Oracle FLEXCUBE Core Banking, versions 11.6, 11.7, 11.8, 11.10, 11.11

• Oracle FLEXCUBE Universal Banking, versions 14.0-14.3, 14.5-14.7

• Oracle GoldenGate, versions prior to 19.1.0.0.230418, prior to 21.10.0.0.0

• Oracle GoldenGate Studio, version [Fusion Middleware] 12.2.1.4.0

• Oracle GraalVM Enterprise Edition, versions 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1

• Oracle Graph Server and Client, versions prior to 23.1.0, prior to 23.2.0

• Oracle Health Sciences InForm, versions prior to 6.3.1.3, prior to 7.0.0.1

• Oracle Healthcare Foundation, versions 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2

• Oracle Healthcare Master Person Index, versions 5.0.0-5.0.4

• Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1

• Oracle Hospitality OPERA 5 Property Services, version 5.6

• Oracle HTTP Server, version 12.2.1.4.0

• Oracle Hyperion Financial Reporting, version 11.2.12

• Oracle Hyperion Infrastructure Technology, version 11.2.12

• Oracle Identity Manager, version 12.2.1.4.0

• Oracle iLearning, version 6.3.1

• Oracle Insurance Policy Administration Operational Data Store for Life and Annuity, version 1.0.1.8

• Oracle Java SE, versions 8u361, 8u361-perf, 11.0.18, 17.0.6, 20

• Oracle JDeveloper, version 12.2.1.4.0

• Oracle Managed File Transfer, version 12.2.1.4.0

• Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0

• Oracle NoSQL Database, versions prior to 19.5.32

• Oracle Outside In Technology, version 8.5.6

• Oracle REST Data Services, versions prior to 23.1.0

• Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.12, 19.0.0.6

• Oracle Retail Fiscal Management, version 14.2

• Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3

• Oracle Retail Merchandising System, versions 15.0.3.1, 16.0.2, 16.0.3

• Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3

• Oracle Retail Price Management, versions 14.1.3.2, 15.0.3.1, 16.0.3

• Oracle Retail Sales Audit, version 15.0.3.1

• Oracle Retail Xstore Office Cloud Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2

• Oracle Retail Xstore Point of Service, versions 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2

• Oracle SD-WAN Aware, version 9.0.1.6.0

• Oracle SD-WAN Edge, versions 9.1.1.3.0, 9.1.1.4.0

• Oracle SOA Suite, version 12.2.1.4.0

• Oracle Solaris, versions 10, 11

• Oracle SQL Developer, versions prior to 22.4.0, prior to 23.1.0

• Oracle TimesTen In-Memory Database, versions prior to 22.1.1.7.0

• Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0

• Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0, 2.5.0.1, 2.5.0.2

• Oracle VM VirtualBox, versions prior to 6.1.44, prior to 7.0.8

• Oracle WebCenter Portal, version 12.2.1.4.0

• Oracle WebCenter Sites, version 12.2.1.4.0

• Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0

• PeopleSoft Enterprise HCM Human Resources, version 9.2

• PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60

• Primavera P6 Enterprise Project Portfolio Management, versions 18.8.0-18.8.26, 19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, 22.12.0-22.12.3

• Primavera Unifier, versions 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3

• Siebel Applications, versions 21.10 and prior, 22.10 and prior, 23.3 and prior

RISK:
Government:

• Large and medium government entities: High

• Small government entities: High

Businesses:

• Large and medium business entities: High

• Small business entities: High

Home users: Low

RECOMMENDATIONS:
We recommend the following actions be taken:

• Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)

• Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.

• Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.

• Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)

• Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.

• Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.

• Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)

• Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.

• Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.

• Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)

• Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.

Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
 

REFERENCES:

https://learn.cisecurity.org/e/799323/ecurity-alerts-cpuapr2023-html/4sw3q5/903178027?h=f0K8NFqftEiyo7_Cwq6P85vRJDuFG8lri8ZqWvISFXk

Multi-State Information Sharing and Analysis Center (MS-ISAC)
Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC)
31 Tech Valley Drive
East Greenbush, NY 12061

24×7 Security Operations Center
SOC@cisecurity.org – 1-866-787-4722

TLP:CLEAR
www.cisa.gov/tlp
Information may be distributed without restriction, subject to standard copyright rules.