|
|
MS-ISAC CYBERSECURITY ADVISORY
MS-ISAC ADVISORY NUMBER: 2023-042
DATE(S) ISSUED: 04/18/2023
SUBJECT: Oracle Quarterly Critical Patches Issued April 18, 2023
OVERVIEW: Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.
- JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.3
- JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.3
- JD Edwards World Security, version A9.4
- Management Cloud Engine, version 22.1.0.0.0
- MySQL Cluster, versions 7.5.29 and prior, 7.6.25 and prior, 8.0.32 and prior
- MySQL Connectors, versions 8.0.32 and prior
- MySQL Enterprise Monitor, versions 8.0.33 and prior
- MySQL Server, versions 5.7.41 and prior, 8.0.32 and prior
- MySQL Workbench, versions 8.0.32 and prior
- Oracle Access Manager, version 12.2.1.4.0
- Oracle Agile PLM, version 9.3.6
- Oracle Application Testing Suite, version 13.3.0.1
- Oracle Argus Insight, versions prior to 8.2.3
- Oracle Argus Safety, versions prior to 8.2.3
- Oracle Banking APIs, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
- Oracle Banking Corporate Lending, versions 14.0-14.3, 14.5-14.7
- Oracle Banking Corporate Lending Process Management, versions 14.4-14.7
- Oracle Banking Digital Experience, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
- Oracle Banking Payments, versions 14.5, 14.6, 14.7
- Oracle Banking Trade Finance, versions 14.5, 14.6, 14.7
- Oracle Banking Treasury Management, versions 14.5, 14.6, 14.7
- Oracle Banking Virtual Account Management, versions 14.5, 14.6, 14.7
- Oracle BI Publisher, versions 6.4.0.0.0, 12.2.1.4.0
- Oracle Big Data Spatial and Graph, versions prior to 23.1
- Oracle Blockchain Platform, versions prior to 21.1.3
- Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0
- Oracle Business Process Management Suite, version 12.2.1.4.0
- Oracle Clinical Remote Data Capture, version 5.4.0.2
- Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce Guided Search, version 11.3.2
- Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
- Oracle Communications Cloud Native Configuration Console, versions 22.4.1, 23.1.0
- Oracle Communications Cloud Native Core Automated Test Suite, versions 22.3.1, 22.4.0
- Oracle Communications Cloud Native Core Binding Support Function, versions 22.4.0-22.4.4, 23.1.0-23.1.1
- Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0
- Oracle Communications Cloud Native Core Network Exposure Function, versions 22.4.2, 23.1.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.4.0
- Oracle Communications Cloud Native Core Network Repository Function, version 23.1.0
- Oracle Communications Cloud Native Core Policy, versions 22.4.0-22.4.4, 23.1.0-23.1.1
- Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.4.0, 22.4.1, 22.4.2, 23.1.0
- Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.3.0, 22.4.0
- Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.1, 23.1.0
- Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0
- Oracle Communications Core Session Manager, versions 8.45, 9.15
- Oracle Communications Diameter Signaling Router, version 8.6.0.0
- Oracle Communications Element Manager, versions 9.0.0, 9.0.1
- Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0
- Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0
- Oracle Communications Operations Monitor, version 5.0
- Oracle Communications Order and Service Management, version 7.4.1
- Oracle Communications Policy Management, version 12.6.0.0.0
- Oracle Communications Services Gatekeeper, version 7.0.0.0.0
- Oracle Communications Session Border Controller, versions 9.0, 9.1
- Oracle Communications Session Report Manager, versions 9.0.0, 9.0.1
- Oracle Communications Session Router, versions 9.0, 9.1
- Oracle Communications Subscriber-Aware Load Balancer, versions 9.0, 9.1
- Oracle Communications Unified Assurance, versions 5.5.0-5.5.10, 6.0.0-6.0.2
- Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2, 7.5.0
- Oracle Communications User Data Repository, version 12.6.1.0.0
- Oracle Data Integrator, version 12.2.1.4.0
- Oracle Database Server, versions 19c, 21c
- Oracle Documaker, versions 12.6.0.0.0, 12.6.2.0.0-12.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0
- Oracle E-Business Suite, versions 12.2.3-12.2.12
- Oracle Enterprise Communications Broker, versions 3.3, 4.0
- Oracle Enterprise Manager Ops Center, version 12.4.0.0
- Oracle Enterprise Session Router, version 9.1
- Oracle Essbase, version 21.4
- Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2
- Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.7.1.2, 8.1.1.1.7
- Oracle Financial Services Asset Liability Management, version 8.0.7.8.0
- Oracle Financial Services Balance Computation Engine, version 8.1.1.1.1
- Oracle Financial Services Balance Sheet Planning, version 8.0.8.1.4
- Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4
- Oracle Financial Services Compliance Studio, version 8.1.2.4
- Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.5
- Oracle Financial Services Currency Transaction Reporting, versions 8.0.8.1.0, 8.1.1.1.0, 8.1.2.3.0, 8.1.2.4.1
- Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.1.2.0, 8.1.2.1
- Oracle Financial Services Data Integration Hub, versions 8.0.7.3.1, 8.1.0.1.4, 8.1.2.2.1
- Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7.3.1, 8.0.8.3.1
- Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.3, 8.1.2.4
- Oracle Financial Services Enterprise Financial Performance Analytics, version 8.0.7.8.1
- Oracle Financial Services Funds Transfer Pricing, version 8.0.7.8.1
- Oracle Financial Services Institutional Performance Analytics, version 8.0.7.8.1
- Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7.3.1, 8.0.8.3.1
- Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.7.8.1, 8.0.8.2.1
- Oracle Financial Services Model Management and Governance, versions 8.1.0.0, 8.1.2.0
- Oracle Financial Services Profitability Management, version 8.0.7.8.1
- Oracle Financial Services Regulatory Reporting, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4
- Oracle Financial Services Regulatory Reporting with AgileREPORTER, version 8.1.1.2.0
- Oracle Financial Services Retail Performance Analytics, version 8.0.7.8.1
- Oracle Financial Services Revenue Management and Billing, versions 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0
- Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0.0
- Oracle FLEXCUBE Core Banking, versions 11.6, 11.7, 11.8, 11.10, 11.11
- Oracle FLEXCUBE Universal Banking, versions 14.0-14.3, 14.5-14.7
- Oracle GoldenGate, versions prior to 19.1.0.0.230418, prior to 21.10.0.0.0
- Oracle GoldenGate Studio, version [Fusion Middleware] 12.2.1.4.0
- Oracle GraalVM Enterprise Edition, versions 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1
- Oracle Graph Server and Client, versions prior to 23.1.0, prior to 23.2.0
- Oracle Health Sciences InForm, versions prior to 6.3.1.3, prior to 7.0.0.1
- Oracle Healthcare Foundation, versions 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2
- Oracle Healthcare Master Person Index, versions 5.0.0-5.0.4
- Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1
- Oracle Hospitality OPERA 5 Property Services, version 5.6
- Oracle HTTP Server, version 12.2.1.4.0
- Oracle Hyperion Financial Reporting, version 11.2.12
- Oracle Hyperion Infrastructure Technology, version 11.2.12
- Oracle Identity Manager, version 12.2.1.4.0
- Oracle iLearning, version 6.3.1
- Oracle Insurance Policy Administration Operational Data Store for Life and Annuity, version 1.0.1.8
- Oracle Java SE, versions 8u361, 8u361-perf, 11.0.18, 17.0.6, 20
- Oracle JDeveloper, version 12.2.1.4.0
- Oracle Managed File Transfer, version 12.2.1.4.0
- Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
- Oracle NoSQL Database, versions prior to 19.5.32
- Oracle Outside In Technology, version 8.5.6
- Oracle REST Data Services, versions prior to 23.1.0
- Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.12, 19.0.0.6
- Oracle Retail Fiscal Management, version 14.2
- Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3
- Oracle Retail Merchandising System, versions 15.0.3.1, 16.0.2, 16.0.3
- Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
- Oracle Retail Price Management, versions 14.1.3.2, 15.0.3.1, 16.0.3
- Oracle Retail Sales Audit, version 15.0.3.1
- Oracle Retail Xstore Office Cloud Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2
- Oracle Retail Xstore Point of Service, versions 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2
- Oracle SD-WAN Aware, version 9.0.1.6.0
- Oracle SD-WAN Edge, versions 9.1.1.3.0, 9.1.1.4.0
- Oracle SOA Suite, version 12.2.1.4.0
- Oracle Solaris, versions 10, 11
- Oracle SQL Developer, versions prior to 22.4.0, prior to 23.1.0
- Oracle TimesTen In-Memory Database, versions prior to 22.1.1.7.0
- Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0
- Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0, 2.5.0.1, 2.5.0.2
- Oracle VM VirtualBox, versions prior to 6.1.44, prior to 7.0.8
- Oracle WebCenter Portal, version 12.2.1.4.0
- Oracle WebCenter Sites, version 12.2.1.4.0
- Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- PeopleSoft Enterprise HCM Human Resources, version 9.2
- PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60
- Primavera P6 Enterprise Project Portfolio Management, versions 18.8.0-18.8.26, 19.12.0-19.12.21, 20.12.0-20.12.18, 21.12.0-21.12.12, 22.12.0-22.12.3
- Primavera Unifier, versions 18.8.0-18.8.18, 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.14, 22.12.0-22.12.3
- Siebel Applications, versions 21.10 and prior, 22.10 and prior, 23.3 and prior
- Large and medium government entities: High
- Small government entities: High
- Large and medium business entities: High
- Small business entities: High
RECOMMENDATIONS: We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
- Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
- Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.
- Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
- Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.
- Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)
- Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
Multi-State Information Sharing and Analysis Center (MS-ISAC) Elections Infrastructure Information Sharing and Analysis Center (EI-ISAC) 31 Tech Valley Drive East Greenbush, NY 12061
24×7 Security Operations Center SOC@cisecurity.org – 1-866-787-4722
TLP:CLEAR www.cisa.gov/tlp Information may be distributed without restriction, subject to standard copyright rules.
|
|
|
|