MS-ISAC ADVISORY NUMBER:
2023-042
DATE(S) ISSUED:
04/18/2023
OVERVIEW:
Multiple vulnerabilities have been discovered in Oracle products, which could allow for remote code execution.
SYSTEMS AFFECTED:
- JD Edwards Enterprise-One Orchestrator, versions prior to 9.2.7.3
- JD Edwards Enterprise-One Tools, versions prior to 9.2.7.3
- JD Edwards World Security, version A9.4
- Management Cloud Engine, version 22.1.0.0.0
- My-SQL Cluster, versions 7.5.29 and prior, 7.6.25 and prior, 8.0.32 and prior
- My-SQL Connectors, versions 8.0.32 and prior
- My-SQL Enterprise Monitor, versions 8.0.33 and prior
- My-SQL Server, versions 5.7.41 and prior, 8.0.32 and prior
- My-SQL Workbench, versions 8.0.32 and prior
- Oracle Access Manager, version 12.2.1.4.0
- Oracle Agile PLM, version 9.3.6
- Oracle Application Testing Suite, version 13.3.0.1
- Oracle Argus Insight, versions prior to 8.2.3
- Oracle Argus Safety, versions prior to 8.2.3
- Oracle BI Publisher, versions 6.4.0.0.0, 12.2.1.4.0
- Oracle Banking APIs, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
- Oracle Banking Corporate Lending Process Management, versions 14.414.7
- Oracle Banking Corporate Lending, versions 14.014.3, 14.514.7
- Oracle Banking Digital Experience, versions 18.2, 18.3, 19.1, 19.2, 21.1, 22.1, 22.2
- Oracle Banking Payments, versions 14.5, 14.6, 14.7
- Oracle Banking Trade Finance, versions 14.5, 14.6, 14.7
- Oracle Banking Treasury Management, versions 14.5, 14.6, 14.7
- Oracle Banking Virtual Account Management, versions 14.5, 14.6, 14.7
- Oracle Big Data Spatial and Graph, versions prior to 23.1
- Oracle Blockchain Platform, versions prior to 21.1.3
- Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0
- Oracle Business Process Management Suite, version 12.2.1.4.0
- Oracle Clinical Remote Data Capture, version 5.4.0.2
- Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
- Oracle Commerce Guided Search, version 11.3.2
- Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
- Oracle Communications Cloud Native Configuration Console, versions 22.4.1, 23.1.0
- Oracle Communications Cloud Native Core Automated Test Suite, versions 22.3.1, 22.4.0
- Oracle Communications Cloud Native Core Binding Support Function, versions 22.4.022.4.4, 23.1.023.1.1
- Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0
- Oracle Communications Cloud Native Core Network Exposure Function, versions 22.4.2, 23.1.0
- Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.4.0
- Oracle Communications Cloud Native Core Network Repository Function, version 23.1.0
- Oracle Communications Cloud Native Core Policy, versions 22.4.022.4.4, 23.1.023.1.1
- Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.4.0, 22.4.1, 22.4.2, 23.1.0
- Oracle Communications Cloud Native Core Service Communication Proxy, versions 22.3.0, 22.4.0
- Oracle Communications Cloud Native Core Unified Data Repository, versions 22.4.1, 23.1.0
- Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.012.0.6.0.0
- Oracle Communications Core Session Manager, versions 8.45, 9.15
- Oracle Communications Diameter Signaling Router, version 8.6.0.0
- Oracle Communications Element Manager, versions 9.0.0, 9.0.1
- Oracle Communications IP Service Activator, versions 7.4.0, 7.5.0
- Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.012.0.6.0.0
- Oracle Communications Operations Monitor, version 5.0
- Oracle Communications Order and Service Management, version 7.4.1
- Oracle Communications Policy Management, version 12.6.0.0.0
- Oracle Communications Services Gatekeeper, version 7.0.0.0.0
- Oracle Communications Session Border Controller, versions 9.0, 9.1
- Oracle Communications Session Report Manager, versions 9.0.0, 9.0.1
- Oracle Communications Session Router, versions 9.0, 9.1
- Oracle Communications Subscriber-Aware Load Balancer, versions 9.0, 9.1
- Oracle Communications Unified Assurance, versions 5.5.05.5.10, 6.0.06.0.2
- Oracle Communications Unified Inventory Management, versions 7.4.0, 7.4.1, 7.4.2, 7.5.0
- Oracle Communications User Data Repository, version 12.6.1.0.0
- Oracle Data Integrator, version 12.2.1.4.0
- Oracle Database Server, versions 19c, 21c
- Oracle Documaker, versions 12.6.0.0.0, 12.6.2.0.012.6.4.0.0, 12.7.0.0.0, 12.7.1.0.0
- Oracle EBusiness Suite, versions 12.2.312.2.12
- Oracle Enterprise Communications Broker, versions 3.3, 4.0
- Oracle Enterprise Manager Ops Center, version 12.4.0.0
- Oracle Enterprise Session Router, version 9.1
- Oracle Essbase, version 21.4
- Oracle FLEXCUBE Core Banking, versions 11.6, 11.7, 11.8, 11.10, 11.11
- Oracle FLEXCUBE Universal Banking, versions 14.014.3, 14.514.7
- Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.0, 8.0.8.0, 8.0.9.0, 8.1.0.0, 8.1.1.0, 8.1.2.0, 8.1.2.1, 8.1.2.2
- Oracle Financial Services Analytical Applications Reconciliation Framework, versions 8.0.7.1.2, 8.1.1.1.7
- Oracle Financial Services Asset Liability Management, version 8.0.7.8.0
- Oracle Financial Services Balance Computation Engine, version 8.1.1.1.1
- Oracle Financial Services Balance Sheet Planning, version 8.0.8.1.4
- Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4
- Oracle Financial Services Compliance Studio, version 8.1.2.4
- Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.5
- Oracle Financial Services Currency Transaction Reporting, versions 8.0.8.1.0, 8.1.1.1.0, 8.1.2.3.0, 8.1.2.4.1
- Oracle Financial Services Data Governance for US Regulatory Reporting, versions 8.1.2.0, 8.1.2.1
- Oracle Financial Services Data Integration Hub, versions 8.0.7.3.1, 8.1.0.1.4, 8.1.2.2.1
- Oracle Financial Services Deposit Insurance Calculations for Liquidity Risk Management, versions 8.0.7.3.1, 8.0.8.3.1
- Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.1.1, 8.1.2.3, 8.1.2.4
- Oracle Financial Services Enterprise Financial Performance Analytics, version 8.0.7.8.1
- Oracle Financial Services Funds Transfer Pricing, version 8.0.7.8.1
- Oracle Financial Services Institutional Performance Analytics, version 8.0.7.8.1
- Oracle Financial Services Liquidity Risk Measurement and Management, versions 8.0.7.3.1, 8.0.8.3.1
- Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.7.8.1, 8.0.8.2.1
- Oracle Financial Services Model Management and Governance, versions 8.1.0.0, 8.1.2.0
- Oracle Financial Services Profitability Management, version 8.0.7.8.1
- Oracle Financial Services Regulatory Reporting with Agile-REPORTER, version 8.1.1.2.0
- Oracle Financial Services Regulatory Reporting, versions 8.0.8.1, 8.1.1.1, 8.1.2.3, 8.1.2.4
- Oracle Financial Services Retail Performance Analytics, version 8.0.7.8.1
- Oracle Financial Services Revenue Management and Billing, versions 2.7, 2.7.1, 2.8, 2.9, 2.9.1, 3.0, 3.1, 3.2, 4.0
- Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0.0
- Oracle Golden-Gate Studio, version [Fusion Middleware] 12.2.1.4.0
- Oracle Golden-Gate, versions prior to 19.1.0.0.230418, prior to 21.10.0.0.0
- Oracle Graal-VM Enterprise Edition, versions 20.3.8, 20.3.9, 21.3.4, 21.3.5, 22.3.0, 22.3.1
- Oracle Graph Server and Client, versions prior to 23.1.0, prior to 23.2.0
- Oracle HTTP Server, version 12.2.1.4.0
- Oracle Health Sciences In-Form, versions prior to 6.3.1.3, prior to 7.0.0.1
- Oracle Healthcare Foundation, versions 8.1.0, 8.1.1, 8.2.0, 8.2.1, 8.2.2
- Oracle Healthcare Master Person Index, versions 5.0.05.0.4
- Oracle Healthcare Translational Research, versions 4.1.0, 4.1.1
- Oracle Hospitality OPERA 5 Property Services, version 5.6
- Oracle Hyperion Financial Reporting, version 11.2.12
- Oracle Hyperion Infrastructure Technology, version 11.2.12
- Oracle Identity Manager, version 12.2.1.4.0
- Oracle Insurance Policy Administration Operational Data Store for Life and Annuity, version 1.0.1.8
- Oracle JDeveloper, version 12.2.1.4.0
- Oracle Java SE, versions 8u361, 8u361perf, 11.0.18, 17.0.6, 20
- Oracle Managed File Transfer, version 12.2.1.4.0
- Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
- Oracle No-SQL Database, versions prior to 19.5.32
- Oracle Outside In Technology, version 8.5.6
- Oracle REST Data Services, versions prior to 23.1.0
- Oracle Retail Customer Management and Segmentation Foundation, versions 18.0.0.12, 19.0.0.6
- Oracle Retail Fiscal Management, version 14.2
- Oracle Retail Invoice Matching, versions 15.0.3, 16.0.3
- Oracle Retail Merchandising System, versions 15.0.3.1, 16.0.2, 16.0.3
- Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
- Oracle Retail Price Management, versions 14.1.3.2, 15.0.3.1, 16.0.3
- Oracle Retail Sales Audit, version 15.0.3.1
- Oracle Retail Xstore Office Cloud Service, versions 18.0.5, 19.0.4, 20.0.3, 21.0.2
- Oracle Retail Xstore Point of Service, versions 17.0.6, 18.0.5, 19.0.4, 20.0.3, 21.0.2
- Oracle SDWAN Aware, version 9.0.1.6.0
- Oracle SDWAN Edge, versions 9.1.1.3.0, 9.1.1.4.0
- Oracle SOA Suite, version 12.2.1.4.0
- Oracle SQL Developer, versions prior to 22.4.0, prior to 23.1.0
- Oracle Solaris, versions 10, 11
- Oracle Times-Ten In-Memory Database, versions prior to 22.1.1.7.0
- Oracle Utilities Application Framework, versions 4.2.0.3.0, 4.3.0.1.04.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0
- Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0, 2.5.0.1, 2.5.0.2
- Oracle VM Virtual-Box, versions prior to 6.1.44, prior to 7.0.8
- Oracle Web-Center Portal, version 12.2.1.4.0
- Oracle Web-Center Sites, version 12.2.1.4.0
- Oracle Web-Logic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0
- Oracle i-Learning, version 6.3.1
- People-Soft Enterprise HCM Human Resources, version 9.2
- People-Soft Enterprise People-Tools, versions 8.58, 8.59, 8.60
- Primavera P6 Enterprise Project Portfolio Management, versions 18.8.018.8.26, 19.12.019.12.21, 20.12.020.12.18, 21.12.021.12.12, 22.12.022.12.3
- Primavera Unifier, versions 18.8.018.8.18, 19.12.019.12.16, 20.12.020.12.16, 21.12.021.12.14, 22.12.022.12.3
- Siebel Applications, versions 21.10 and prior, 22.10 and prior, 23.3 and prior
RISK:
Home Users:
LOW
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches or appropriate mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)o Safeguard 7.1: Establish and Maintain a Vulnerability Management Process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard.o Safeguard 7.4: Perform Automated Application Patch Management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
- Apply the Principle of Least Privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)o Safeguard 4.7: Manage Default Accounts on Enterprise Assets and Software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include: disabling default accounts or making them unusable.o Safeguard 5.4: Restrict Administrator Privileges to Dedicated Administrator Accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user’s primary, non-privileged account.
- Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)o Safeguard 14.1: Establish and Maintain a Security Awareness Program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard.o Safeguard 14.2: Train Workforce Members to Recognize Social Engineering Attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
- Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040 : Behavior Prevention on Endpoint)o Safeguard 13.2 : Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.Safeguard 13.7 : Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
REFERENCES:
Post Disclaimer
The information provided in our posts or blogs are for educational and informative purposes only. We do not guarantee the accuracy, completeness or suitability of the information. We do not provide financial or investment advice. Readers should always seek professional advice before making any financial or investment decisions based on the information provided in our content. We will not be held responsible for any losses, damages or consequences that may arise from relying on the information provided in our content.