Oracle Quarterly Critical Patches Released January 21, 2025

MS-ISAC NOTICE NUMBER:

2025-008

ISSUE DATE(S):

01/21/2025

PREVIEW:

Several vulnerabilities have been discovered in Oracle products, the most serious of which could allow remote code execution.

SYSTEMS AFFECTED:

Enterprise Manager for MySQL Database, version 13.5.2.0.0
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.9.2
JD Edwards EnterpriseOne Tools, versions prior to 9.2.9.2
MySQL Cluster, versions 7.6.32 and prior, 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior
MySQL Connectors, versions 9.1.0 and prior
MySQL Enterprise Backup, versions 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior
MySQL Enterprise Firewall, versions 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior
MySQL Server, versions 8.0.40 and prior, 8.4.3 and prior, 9.0.1 and prior, 9.1.0 and prior
MySQL Shell, versions 8.0.40 and prior, 8.4.3 and prior, 9.1.0 and prior
Oracle Agile Engineering Data Management, version 6.2.1
Oracle Agile PLM Framework, version 9.3.6
Oracle Analytics Desktop, versions prior to 8.1.0
Oracle Application Express, versions 23.2, 24.1
Oracle Application Testing Suite, version 13.3.0.1
Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0-14.7.0.0.0
Oracle Banking Liquidity Management, version 14.7.5.0.0
Oracle Banking Origination, versions 14.5.0.0.0-14.7.0.0.0
Oracle BI Publisher, versions 7.0.0.0.0, 7.6.0.0.0
Oracle Big Data Spatial and Graph, version 3.7
Oracle Blockchain Platform, versions 21.1.2, 24.1.3
Oracle Business Activity Monitoring, version 12.2.1.4.0
Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0
Oracle Business Process Management Suite, version 12.2.1.4.0
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
Oracle Commerce Guided Search, version 11.3.2
Oracle Communications Billing and Revenue Management, versions 12.0.0.4-12.0.0.8, 15.0.0.0-15.0.0.1
Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.4-12.0.0.8, 15.0.0.0, 15.0.1.0
Oracle Communications Cloud Native Core Automated Test Suite, version 24.2.0
Oracle Communications Cloud Native Core Binding Support Function, versions 24.2.0, 24.2.1
Oracle Communications Cloud Native Core Certificate Management, version 24.2.1
Oracle Communications Cloud Native Core Console, version 24.2.1
Oracle Communications Cloud Native Core DBTier, version 24.3.0
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 24.2.0, 24.3.0
Oracle Communications Cloud Native Core Network Repository Function, version 24.2.2
Oracle Communications Cloud Native Core Policy, versions 24.2.0-24.2.2
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.2.0, 24.2.1, 24.2.2
Oracle Communications Cloud Native Core Service Communication Proxy, versions 24.2.0, 24.3.0
Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.4, 24.1.1, 24.2.2, 24.2.3, 24.3.0
Oracle Communications Converged Application Server, versions 8.0, 8.1
Oracle Communications Convergence, versions 3.0.2.0.0, 3.0.3.0.0, 3.0.3.3.0
Oracle Communications Diameter Signaling Router, versions 8.2.3.0.0, 8.6.0.4.0, 9.0, 9.0.0.0.0-9.0.2.0.0
Oracle Communications EAGLE Element Management System, version 47.0.0.0.0
Oracle Communications Messaging Server, version 8.1.0.26
Oracle Communications Network Analytics Data Director, versions 24.1.0, 24.2.0
Oracle Communications Offline Mediation Controller, versions 12.0.0.8, 15.0.0.0, 15.0.1.0
Oracle Communications Operations Monitor, versions 5.1, 5.2
Oracle Communications Order and Service Management, versions 7.4.0, 7.4.1, 7.5.0
Oracle Communications Policy Management, version 15.0.0.0.0
Oracle Communications Service Catalog and Design, versions 8.0.0.3, 8.1.0.1
Oracle Communications Session Border Controller, versions 9.2.0, 9.3.0
Oracle Communications Unified Assurance, versions 6.0.0-6.0.5
Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2, 7.5.1, 7.6.0
Oracle Communications User Data Repository, versions 12.11, 14.0, 15.0
Oracle Database Server, versions 19.1, 19.3-19.25, 21.3-21.16, 23.4-23.6
Oracle Documaker, versions 12.7.1, 12.7.2, 13.0.0
Oracle E-Business Suite, versions 12.2.3-12.2.14
Oracle Enterprise Communications Broker, versions 4.1.0, 4.2.0
Oracle Enterprise Manager Base Platform, version 13.5.0.0
Oracle Enterprise Session Border Controller, versions 9.2.0, 9.3.0
Oracle Essbase, version 21.7
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7.8, 8.0.8.6, 8.1.2.5
Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.2.7, 8.1.2.8
Oracle Financial Services Compliance Studio, versions 8.1.2.5, 8.1.2.6
Oracle Financial Services Enterprise Case Management, versions 8.0.8.2, 8.1.2.7, 8.1.2.8
Oracle Financial Services Model Management and Governance, versions 8.1.2.6, 8.1.2.7, 8.1.3.0
Oracle Financial Services Regulatory Reporting, versions 8.1.2.7, 8.1.2.8
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0.0-7.0.0.0.0
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0
Oracle GoldenGate, versions 19.1.0.0.0-19.25.0.0.241015, 21.3-21.16, 23.4-23.6
Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3.0.0.0-21.16.0.0.0, 23.4-23.6
Oracle GoldenGate Studio, version 12.2.0.4.0
Oracle GoldenGate Veridata, versions 12.2.1.4.0-12.2.1.4.240430
Oracle GraalVM Enterprise Edition, versions 20.3.16, 21.3.12
Oracle GraalVM for JDK, versions 17.0.13, 21.0.5, 23.0.1
Oracle Graph Server and Client, versions 23.4.4, 24.4.0
Oracle Hospitality OPERA 5, versions 5.6.19.20, 5.6.25.8, 5.6.26.6, 5.6.27.1
Oracle HTTP Server, version 12.2.1.4.0
Oracle Hyperion Data Relationship Management, version 11.2.19.0.0
Oracle Identity Manager, version 12.2.1.4.0
Oracle Java SE, versions 8u431, 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1
Oracle Life Sciences Argus Safety, version 8.2.3
Oracle Life Sciences Empirica Signal, versions prior to 9.2.3
Oracle Managed File Transfer, version 12.2.1.4.0
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
Oracle Outside In Technology, version 8.5.7
Oracle Policy Automation, versions 12.2.18-12.2.36
Oracle REST Data Services, versions 23.3.0.289.1830, 23.3.1.305.1055, 23.4.0.346.1619, 23.4.1.38.1857, 24.1.0.108.942, 24.1.1.120.1228, 24.1.2.163.1158, 24.2.0, 24.2.0.169.2208, 24.2.1.180.1634, 24.2.2.187.1943, 24.3.0
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3.0, 19.0.1.0
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3.0, 19.0.1.0
Oracle SD-WAN Edge, versions 9.1.1.0-9.1.1.9
Oracle Secure Backup, versions 18.1.0.1.0, 18.1.0.2.0, 19.1.0.0.0
Oracle Security Service, version 12.2.1.4.0
Oracle Solaris, version 11
Oracle TimesTen In-Memory Database, versions 18.1, 22.1
Oracle Utilities Application Framework, versions 4.3.0.3.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1, 4.5.0.1.3, 24.1.0.0.0-24.3.0.0.0
Oracle Utilities Network Management System, versions 2.5.0.1.14, 2.5.0.1.15, 2.5.0.2.9, 2.6.0.1.5, 2.6.0.1.7
Oracle Utilities Testing Accelerator, versions 6.0.0.1.0-6.0.0.3.0, 7.0.0.0.0-7.0.0.1.0
Oracle VM VirtualBox, versions prior to 7.0.24, prior to 7.1.6
Oracle WebCenter Portal, version 12.2.1.4.0
Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0, 14.1.2.0.0
PeopleSoft Enterprise CC Common Application Objects, version 9.2
PeopleSoft Enterprise FIN Cash Management, version 9.2
PeopleSoft Enterprise FIN eSettlements, version 9.2
PeopleSoft Enterprise PeopleTools, versions 8.60, 8.61
PeopleSoft Enterprise SCM Purchasing, version 9.2
Primavera Gateway, versions 20.12.0-20.12.15, 21.12.0-21.12.13
Primavera P6 Enterprise Project Portfolio Management, versions 20.12.1.0-20.12.21.5, 21.12.1.0-21.12.20.0, 22.12.1.0-22.12.16.0, 23.12.1.0-23.12.10.0
Primavera Unifier, versions 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.15, 23.12.0-23.12.12, 24.12.0
Siebel Applications, versions 24.11 and prior

RISK:

Government:

Large and medium government entitiesHIGH

Small governmentHIGH

Companies:

Large and medium business entitiesHIGH

Small business entitiesHIGH

RECOMMENDATIONS:

We recommend that the following actions be taken:

Apply appropriate patches or mitigations provided by Oracle to vulnerable systems immediately after appropriate testing. (M1051: Update software)
Backup 7.1: Establish and maintain a vulnerability management process: Establish and maintain a documented vulnerability management process for company assets. Review and update documentation annually or when significant changes within the business occur that could impact this protection.
Safeguard 7.2: Establish and maintain a remediation process: Establish and maintain a risk-based remediation strategy, documented in a remediation process, with monthly or more frequent reviews.
Backup 7.4: Perform automated application patch management: Perform application updates on enterprise assets with automated patch management on a monthly or more frequent basis.
Backup 7.5: Perform automated vulnerability scans of internal company assets: Perform automated vulnerability scans of internal company assets on a quarterly or more frequent basis. Perform authenticated and unauthenticated scans using a SCAP-compliant vulnerability scanning tool.
Backup 7.7: Fix detected vulnerabilities: Remediate detected vulnerabilities in software through processes and tools on a monthly or more frequent basis, depending on the remediation process.
Backup 12.1: Ensure network infrastructure is up to date: Make sure the network infrastructure is kept up to date. Example implementations include running the latest stable version of the software and/or using currently supported Network as a Service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support.
Backup 18.1: Establish and maintain a penetration testing program: Establish and maintain a penetration testing program appropriate to the size, complexity and maturity of the company. Penetration testing program characteristics include scope, such as network, web application, application programming interface (API), hosted services, and physical premises controls; frequency; limitations, such as acceptable hours and excluded types of attacks; contact details; corrective actions, such as how results will be communicated internally; and retrospective requirements.
Backup 18.2: Perform periodic external penetration tests: Perform periodic external penetration testing based on program requirements, at least annually. External penetration testing should include reconnaissance of the business and environment to detect actionable information. Penetration testing requires specialist skills and experience and should be carried out by a qualified party. The test can be carried out in a transparent box or an opaque box.
Backup 18.3: Results of corrective penetration tests: Remediate penetration test results based on company policy for scoping and prioritization of remedial actions.

Vulnerability scanning is used to find potentially exploitable software vulnerabilities for remediation. (M1016: Vulnerability Analysis)
Backup 16.13: Perform application penetration testing: Perform application penetration testing. For mission-critical applications, authenticated penetration testing is better suited to detecting business logic vulnerabilities than code analysis and automated security testing. Penetration testing relies on the tester's ability to manually manipulate an application as an authenticated and unauthenticated user.

Apply the principle of least privilege to all systems and services and run all software as an unprivileged user (without administrator rights) to lessen the effects of a successful attack. (M1026: Privileged account management)
Backup 4.7: Manage default accounts on company assets and software: Manage default accounts on company assets and software, such as root, administrator, and other preconfigured vendor accounts. Example implementations may include: disabling default accounts or rendering them unusable.
Backup 5.4: Restrict administrator privileges to dedicated administrator accounts: Limit administrator privileges to dedicated administrator accounts on company assets. Conduct general computing activities, such as browsing the Internet, emailing, and using the Productivity Suite, from the user's primary, non-privileged account.
Backup 5.5: Establish and maintain an inventory of service accounts: Establish and maintain an inventory of service accounts. The inventory must at a minimum contain the service owner, review date and purpose. Perform service account reviews to verify that all active accounts are authorized, on a recurring schedule at least quarterly or more frequently.

Remind all users not to visit untrustworthy websites or follow open links/files provided by unknown or untrustworthy sources. (M1017: User training)
Safeguarding 14.1: Establish and maintain a security awareness program: Establish and maintain a security awareness program. The goal of a security awareness program is to educate company personnel on how to interact with company assets and data securely. Organize training upon hiring and, at a minimum, once a year. Review and update the content annually or when significant changes within the business occur that could impact this protection.
Safeguard 14.2: Train staff to recognize social engineering attacks: Train your staff to recognize social engineering attacks, such as phishing, fake text, and tailgating.

Use features to prevent suspicious behavior patterns from appearing on endpoint systems. This could include a suspicious process, file, API call, etc. (M1040 : Preventing Endpoint Behaviors)
Backup 13.2: Deploy a Host-Based Intrusion Detection Solution: Deploy a host-based intrusion detection solution on enterprise assets, where applicable and/or supported.
Backup 13.7: Deploy a Host-Based Intrusion Prevention Solution: Deploy a host-based intrusion prevention solution on enterprise assets where applicable and/or supported. Example implementations include using an Endpoint Detection and Response (EDR) client or a host-based IPS agent.

Use features to detect and block conditions that could lead to or indicate the occurrence of a software exploit. (M1050: Exploit Protection)
Backup 10.5: Enable anti-exploitation features: Enable anti-exploitation features on company assets and software where possible, such as Microsoft Data Execution Prevention (DEP), Windows Defender Exploit Guard (WDEG) or Apple System Integrity Protection (SIP) and Gatekeeper.