Oracle Quarterly Critical Patches Released July 16, 2024


MS-ISAC NOTICE NUMBER:

2024-082

PUBLICATION DATES:

07/18/2024

OVERVIEW:

Multiple vulnerabilities have been discovered in Oracle products, the most serious of which could allow remote code execution.

AFFECTED SYSTEMS:

  • JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.3
  • JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.2
  • JD Edwards World Security, version A9.4
  • Management Pack for Oracle GoldenGate, version 12.2.1.2
  • MySQL Cluster, versions 7.5.34 and prior, 7.6.30 and prior, 8.0.37 and prior, 8.1.0 and prior, 8.3.0 and prior, 8.4.0 and prior
  • MySQL Connectors, versions 8.4.0 and prior
  • MySQL Enterprise Monitor, versions 8.0.38 and prior
  • MySQL Server, versions 8.0.37 and prior, 8.0.38, 8.2.0 and prior, 8.3.0 and prior, 8.4.0 and prior, 8.4.1, 9.0.0
  • MySQL Workbench, versions 8.0.36 and prior
  • Oracle Access Manager, version 12.2.1.4.0
  • Oracle Agile Engineering Data Management, versions 6.2.1.0-6.2.1.9
  • Oracle Analytics Desktop, versions prior to 7.7.0, prior to 7.8.0
  • Oracle Application Express, version 23.2
  • Oracle Application Testing Suite, version 13.3.0.1
  • Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
  • Oracle Banking Branch, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Cash Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Credit Facilities Process Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0.0.0
  • Oracle Banking Liquidity Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Origination, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Banking Platform, version 2.4.0.0.0
  • Oracle Banking Party Management, version 2.7.0.0.0
  • Oracle Banking Virtual Account Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Big Data Spatial and Graph, version 3.0.6
  • Oracle Business Activity Monitoring, version 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0
  • Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
  • Oracle Commerce Guided Search, version 11.3.2
  • Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
  • Oracle Communications ASAP, version 7.4
  • Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
  • Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.4-12.0.0.8, 15.0.0.0
  • Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.0, 23.4.0
  • Oracle Communications Cloud Native Core Binding Support Function, versions 23.4.0-23.4.3
  • Oracle Communications Cloud Native Core Console, versions 23.4.0, 23.4.1
  • Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0
  • Oracle Communications Cloud Native Core Network Exposure Function, version 23.4.3
  • Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.4.0, 24.1.0
  • Oracle Communications Cloud Native Core Network Repository Function, version 23.4.2
  • Oracle Communications Cloud Native Core Policy, versions 23.4.0-23.4.4
  • Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.1.0
  • Oracle Communications Cloud Native Core Service Communication Proxy, versions 23.4.0, 23.4.1, 23.4.2, 24.1.0
  • Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.1, 23.4.2
  • Oracle Communications Converged Charging System, versions 2.0.0.0.0, 2.0.0.1.0
  • Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0
  • Oracle Communications Diameter Signaling Router, versions 8.6.0.4-8.6.0.8
  • Oracle Communications EAGLE Element Management System, versions 46.6.4, 46.6.5
  • Oracle Communications Element Manager, versions 9.0.0-9.0.3
  • Oracle Communications Network Analytics Data Director, versions 23.4.0, 24.1.0
  • Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0
  • Oracle Communications Operations Monitor, versions 5.1, 5.2
  • Oracle Communications Performance Intelligence, version 10.5
  • Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0
  • Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
  • Oracle Communications Service Catalog and Design, versions 7.4.0-7.4.2, 8.0.0
  • Oracle Communications Session Border Controller, versions 4.1.0, 4.2.0, 9.2.0, 9.3.0
  • Oracle Communications Session Report Manager, versions 9.0.0-9.0.3
  • Oracle Communications Unified Assurance, versions 5.5.0-5.5.21, 6.0.0-6.0.4
  • Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2
  • Oracle Communications User Data Repository, versions 12.11.0, 12.11.3, 12.11.4
  • Oracle Data Integrator, version 12.2.1.4.0
  • Oracle Database Server, versions 19.3-19.23, 21.3-21.14, 23.4
  • Oracle Documaker, versions 12.6.4-12.7.1
  • Oracle E-Business Suite, versions 12.2.3-12.2.13
  • Oracle Enterprise Data Quality, version 12.2.1.4.0
  • Oracle Enterprise Manager Base Platform, version 13.5.0.0
  • Oracle Essbase, version 21.5.6
  • Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.1.1, 8.1.2
  • Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.7.3, 8.0.8.3
  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.7.3, 8.0.8.3
  • Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
  • Oracle Financial Services Compliance Studio, versions 8.1.2.6, 8.1.2.7
  • Oracle Financial Services Enterprise Case Management, versions 8.0.8.2.8, 8.1.1.1.18, 8.1.2.6.4, 8.1.2.7.3
  • Oracle Financial Services Model Management and Governance, versions 8.1.2.5, 8.1.2.6
  • Oracle Financial Services Revenue Management and Billing, versions 6.0.0.0.0, 6.1.0.0.0
  • Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0
  • Oracle FLEXCUBE Investor Servicing, versions 14.5.0.0.0, 14.7.0.0.0
  • Oracle FLEXCUBE Universal Banking, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
  • Oracle Fusion Middleware, version 12.2.1.4.0
  • Oracle Global Lifecycle Management NextGen OUI Framework, version 12.2.1.4.0
  • Oracle GoldenGate, versions 19.1.0.0.0-19.23.0.0.240716, 21.3-21.14
  • Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3-21.14.0.0.0
  • Oracle GoldenGate Studio, version 12.2.0.4.0
  • Oracle GraalVM Enterprise Edition, versions 20.3.14, 21.3.10
  • Oracle GraalVM for JDK, versions 17.0.11, 21.0.3, 22.0.1
  • Oracle Graph Server and Client, versions 22.4.7 and prior, 23.4.2 and prior, 24.1.0 and prior
  • Oracle Healthcare Data Repository, versions 8.1.4, 8.2.0
  • Oracle Healthcare Foundation, versions 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4
  • Oracle Healthcare Master Person Index, versions 5.0.0-5.0.9
  • Oracle HTTP Server, version 12.2.1.4.0
  • Oracle Hyperion Data Relationship Management, version 11.2.17.0.0
  • Oracle Hyperion Financial Close Management, version 11.2.17.0.0
  • Oracle Hyperion Infrastructure Technology, version 11.2.17.0.0
  • Oracle Identity Manager, version 12.2.1.4.0
  • Oracle Insurance Policy Administration J2EE, versions 11.2.12, 11.3.0-11.3.2
  • Oracle Java SE, versions 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1
  • Oracle JDeveloper, version 12.2.1.4.0
  • Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
  • Oracle NoSQL Database, versions 1.4, 1.5, prior to 19.5.42, prior to 20.3.40, prior to 21.2.27, prior to 22.3.46, prior to 23.3.32
  • Oracle Outside In Technology, version 8.5.7
  • Oracle Reports Developer, versions 12.2.1.4.0, 12.2.1.19.0
  • Oracle REST Data Services, versions prior to 23.3.1, prior to 24.1.0
  • Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3
  • Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
  • Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
  • Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
  • Oracle Retail Xstore Office, versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, 23.0.1
  • Oracle Service Bus, version 12.2.1.4.0
  • Oracle Solaris, version 11
  • Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.24.0
  • Oracle Unified Directory, version 12.2.1.4.0
  • Oracle Utilities Application Framework, versions 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0
  • Oracle VM VirtualBox, versions prior to 7.0.20
  • Oracle WebCenter Content, version 12.2.1.4.0
  • Oracle WebCenter Portal, version 12.2.1.4.0
  • Oracle WebCenter Sites, version 12.2.1.4.0
  • Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0
  • Oracle ZFS Storage Appliance Kit, version 8.8
  • PeopleSoft Enterprise HCM Human Resources, version 9.2
  • PeopleSoft Enterprise HCM Shared Components, version 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61
  • Primavera Gateway, versions 19.12.0-19.12.19, 20.12.0-20.12.14, 21.12.0-21.12.12
  • Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6
  • Siebel Applications, versions 22.12 and prior, 23.12 and prior, 24.6 and prior
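The affected-systems list above mixes four phrasings ("versions prior to X", "X and prior", "LO-HI" ranges and exact versions), which makes matching it against a software inventory by hand error-prone. The following Python is an added example, not code from MS-ISAC or Oracle: it parses a handful of the entries exactly as printed above and flags inventory items that fall inside them. The interpretation of the phrasings is an assumption stated in the code (in particular, "X and prior" is read as "same release line as X, up to X", so a fixed 8.0.39 MySQL Server is not flagged by the "8.2.0 and prior" clause), and the inventory is constructed sample data, not real hosts.

```python
import re

# Excerpt of the affected-systems list above, copied verbatim (product -> version clause).
AFFECTED = {
    "JD Edwards EnterpriseOne Orchestrator": "versions prior to 9.2.8.3",
    "MySQL Server": ("versions 8.0.37 and prior, 8.0.38, 8.2.0 and prior, "
                     "8.3.0 and prior, 8.4.0 and prior, 8.4.1, 9.0.0"),
    "Oracle Agile Engineering Data Management": "versions 6.2.1.0-6.2.1.9",
    "Oracle Database Server": "versions 19.3-19.23, 21.3-21.14, 23.4",
    "Oracle Java SE": "versions 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1",
    "Oracle VM VirtualBox": "versions prior to 7.0.20",
}


def vtuple(text):
    """'19.23.0.0.240716' -> (19, 23, 0, 0, 240716); None for tokens like '8u411'."""
    parts = text.split(".")
    if all(p.isdigit() for p in parts):
        return tuple(int(p) for p in parts)
    return None


def pad(*tuples):
    """Right-pad with zeros so that '19.23' and '19.23.0.0.0' compare as equal."""
    n = max(len(t) for t in tuples)
    return [t + (0,) * (n - len(t)) for t in tuples]


def clause_matches(clause, installed):
    """Interpret one comma-separated clause the way the advisory phrases them.

    Assumed reading (not stated on the page): 'prior to X' means strictly older
    than X in any release line; 'X and prior' means the same release line as X
    with the last component <= X's; 'LO-HI' is an inclusive numeric range;
    anything else is an exact version.
    """
    inst = vtuple(installed)
    m = re.fullmatch(r"prior to (\S+)", clause)
    if m:
        hi = vtuple(m.group(1))
        if inst is None or hi is None:
            return False
        a, b = pad(inst, hi)
        return a < b
    m = re.fullmatch(r"(\S+) and prior", clause)
    if m:
        hi = vtuple(m.group(1))
        if inst is None or hi is None:
            return False
        a, b = pad(inst, hi)
        k = len(hi) - 1
        return a[:k] == b[:k] and a[k] <= b[k]
    m = re.fullmatch(r"(\S+)-(\S+)", clause)
    if m and vtuple(m.group(1)) is not None and vtuple(m.group(2)) is not None:
        if inst is None:
            return False
        lo, hi, a = pad(vtuple(m.group(1)), vtuple(m.group(2)), inst)
        return lo <= a <= hi
    # Exact match: numeric versions are compared padded, others ('8u411-perf') literally.
    exact = vtuple(clause)
    if inst is not None and exact is not None:
        a, b = pad(inst, exact)
        return a == b
    return clause == installed


def is_affected(spec, installed):
    """True if the installed version falls inside any clause of an advisory entry."""
    body = re.sub(r"^versions?\s+", "", spec.strip())
    return any(clause_matches(c.strip(), installed.strip()) for c in body.split(","))


def triage(inventory):
    """Return the (product, version) pairs of an inventory that the advisory covers."""
    return [(p, v) for p, v in inventory
            if p in AFFECTED and is_affected(AFFECTED[p], v)]


# Constructed sample inventory for the example; these are not real hosts.
SAMPLE_INVENTORY = [
    ("MySQL Server", "8.0.36"),                      # 8.0.37 and prior -> affected
    ("MySQL Server", "8.0.39"),                      # newer than every 8.0 clause -> clear
    ("Oracle Database Server", "19.22.0.0.240416"),  # inside 19.3-19.23 -> affected
    ("Oracle Database Server", "19.24"),             # above the range -> clear
    ("Oracle Java SE", "8u411-perf"),                # exact non-numeric token -> affected
    ("Oracle VM VirtualBox", "6.1.50"),              # prior to 7.0.20 -> affected
    ("Oracle VM VirtualBox", "7.0.20"),              # the first fixed release -> clear
    ("Oracle Agile Engineering Data Management", "6.2.1.10"),  # past 6.2.1.9 -> clear
]

if __name__ == "__main__":
    for product, version in triage(SAMPLE_INVENTORY):
        print(f"AFFECTED  {product} {version}")
```

Extend `AFFECTED` with the rest of the list (or load it from the advisory text) and feed it your CMDB export; anything the script flags is a candidate for the patch cycle in the recommendations below, and anything it clears is still worth a manual check where the release-line reading of "and prior" might not match Oracle's intent for that product.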

RISK:

Government:

  • Large and medium government entities: HIGH
  • Small government entities: HIGH

Businesses:

  • Large and medium business entities: HIGH
  • Small business entities: HIGH

RECOMMENDATIONS:

We recommend taking the following measures:

  • Apply appropriate patches or mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update Software)
    • Safeguard 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this safeguard.
    • Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy documented in a remediation process, with monthly, or more frequent, reviews.
    • Safeguard 7.4: Perform automated application patch management: Perform application updates on enterprise assets through automated patch management on a monthly, or more frequent, basis.
    • Safeguard 7.5: Perform automated vulnerability scans of internal enterprise assets: Perform automated vulnerability scans of internal enterprise assets on a quarterly, or more frequent, basis. Conduct both authenticated and unauthenticated scans, using a SCAP-compliant vulnerability scanning tool.
    • Safeguard 7.7: Remediate detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tooling on a monthly, or more frequent, basis, based on the remediation process.
    • Safeguard 12.1: Ensure network infrastructure is up to date: Ensure network infrastructure is kept up to date. Example implementations include running the latest stable release of software and/or using currently supported Network as a Service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
    • Safeguard 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements.
    • Safeguard 18.2: Perform periodic external penetration tests: Perform periodic external penetration tests based on program requirements, no less than annually. External penetration testing must include enterprise and environmental reconnaissance to detect exploitable information. Penetration testing requires specialized skills and experience and must be conducted through a qualified party. Testing may be clear box or opaque box.
    • Safeguard 18.3: Remediate penetration test findings: Remediate penetration test findings based on the enterprise's policy for remediation scope and prioritization.
  • Vulnerability scanning is used to find potentially exploitable software vulnerabilities to remediate them. (M1016: Vulnerability Scanning)
    • Safeguard 16.13: Conduct application penetration testing: Conduct application penetration testing. For critical applications, authenticated penetration testing is better suited to finding business logic vulnerabilities than code scanning and automated security testing. Penetration testing relies on the skill of the tester to manually manipulate an application as an authenticated and unauthenticated user.
  • Apply the principle of least privilege to all systems and services, and run all software as a non-privileged user (one without administrative rights) to diminish the effects of a successful attack. (M1026: Privileged Account Management)
    • Safeguard 4.7: Manage default accounts on enterprise assets and software: Manage default accounts on enterprise assets and software, such as root, administrator, and other pre-configured vendor accounts. Example implementations can include disabling default accounts or making them unusable.
    • Safeguard 5.4: Restrict administrator privileges to dedicated administrator accounts: Restrict administrator privileges to dedicated administrator accounts on enterprise assets. Conduct general computing activities, such as internet browsing, email, and productivity suite use, from the user's primary, non-privileged account.
    • Safeguard 5.5: Establish and maintain an inventory of service accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
  • Remind all users not to visit untrusted websites or follow links/open files provided by unknown or untrusted sources. (M1017: User Training)
    • Safeguard 14.1: Establish and maintain a security awareness program: Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise's workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this safeguard.
    • Safeguard 14.2: Train workforce members to recognize social engineering attacks: Train workforce members to recognize social engineering attacks, such as phishing, pre-texting, and tailgating.
  • Use capabilities to prevent suspicious behavior patterns from occurring on endpoint systems. This could include suspicious process, file, API call, etc. behavior. (M1040: Behavior Prevention on Endpoint)
    • Safeguard 13.2: Deploy a host-based intrusion detection solution: Deploy a host-based intrusion detection solution on enterprise assets, where appropriate and/or supported.
    • Safeguard 13.7: Deploy a host-based intrusion prevention solution: Deploy a host-based intrusion prevention solution on enterprise assets, where appropriate and/or supported. Example implementations include use of an Endpoint Detection and Response (EDR) client or host-based IPS agent.
  • Use capabilities to detect and block conditions that may lead to or be indicative of a software exploit occurring. (M1050: Exploit Protection)
    • Safeguard 10.5: Enable anti-exploitation features: Enable anti-exploitation features on enterprise assets and software, where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG), or Apple System Integrity Protection (SIP) and Gatekeeper.
