[SingCERT] Alert on Oracle Critical Patch Update Advisory for Administrators

Published on 16 Jan 2019

Updated on 23 Oct 2019

Background

Oracle has released a critical patch update comprising 284 security patches for over 30 of its products.

Many of the 284 vulnerabilities are remotely exploitable without authentication; for instance, an attacker could gain access to a network without using any user credentials.

• Oracle Communications Applications are affected by 29 vulnerabilities
• Oracle Construction and Engineering Suite is affected by 4 vulnerabilities
• Oracle E-Business Suite is affected by 16 vulnerabilities
• Oracle Enterprise Manager Products Suite is affected by 9 vulnerabilities
• Oracle Financial Services Applications are affected by 9 vulnerabilities
• Oracle Food and Beverage Applications are affected by 3 vulnerabilities
• Oracle Fusion Middleware is affected by 57 vulnerabilities
• Oracle Health Sciences Applications are affected by 2 vulnerabilities
• Oracle Insurance Applications are affected by 3 vulnerabilities
• Oracle Java SE is affected by 5 vulnerabilities
• Oracle JD Edwards products are affected by 2 vulnerabilities
• Oracle MySQL is affected by 3 vulnerabilities
• Oracle PeopleSoft products are affected by 15 vulnerabilities
• Oracle Retail Applications are affected by 15 vulnerabilities
• Oracle Siebel CRM is affected by 1 vulnerability
• Oracle Sun Systems products are affected by 5 vulnerabilities
• Oracle Supply Chain products are affected by 4 vulnerabilities
• Oracle Support Tools are affected by 1 vulnerability
• Oracle Utilities are affected by 2 vulnerabilities
• Oracle Virtualisation is affected by 4 vulnerabilities

Affected Products

A full list of the affected products is available at reference [1] below.

Impact

An attacker could exploit these vulnerabilities remotely by sending a maliciously crafted payload, resulting in a denial of service (DoS) condition or the execution of arbitrary code on affected systems. In its release, Oracle noted that there were successful exploit attempts against customers who had not applied the security patches.

Recommendations

System administrators of affected Oracle products are advised to install the security updates immediately.

References

[1] https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
[2] https://www.us-cert.gov/ncas/current-activity/2019/01/15/Oracle-Releases-January-2019-Security-Bulletin