Advisory ID: NS-2018-0031
2018-10-17
Field | Value |
---|---|
TAG | Oracle, WebLogic, CVE-2018-2893, CVE-2018-2628 |
Severity | High. This patch update fixes 301 vulnerabilities of varying severity, including the WebLogic deserialization remote code execution vulnerability (CVE-2018-2893) that the July CPU did not fully fix. |
Version | 1.0 |
1 Overview
On October 16, 2018, Oracle released its October 2018 (third quarter) Critical Patch Update (CPU) advisory, together with security alerts and third-party security advisories, fixing 301 vulnerabilities of varying severity. Among them, the WebLogic deserialization remote code execution vulnerabilities whose April and July CPU fixes were bypassed (CVE-2018-2628, CVE-2018-2893) are also fixed in this update; the newly assigned vulnerability ID is CVE-2018-3245.
Reference: https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
2 Summary of CPU vulnerability fixes
This Critical Patch Update (CPU) fixes 301 vulnerabilities of varying severity, 45 of which have a CVSS score of 9.8 or higher, affecting products including Database Server and GoldenGate. The update also fixes the previously incompletely patched WebLogic deserialization remote code execution vulnerability; details of the WebLogic deserialization remote code execution vulnerabilities (CVE-2018-2893, CVE-2018-2628) are available at: http://blog.nsfocus.net/cve-2018-2628-weblogic/#weblogic.
Details of Oracle's October Critical Patch Update are as follows:
Product | Number of vulnerabilities | Remotely exploitable without authentication | Highest CVSS score |
---|---|---|---|
Oracle Database server | 7 | 6 | 9.8 |
Oracle Communications Applications | 14 | 9 | 9.8 |
Oracle Constructions and Engineering Suite | 10 | 9 | 9.8 |
Oracle E-Business Suite | 16 | 14 | 8.2 |
Oracle Enterprise Manager Products Suite | 4 | 3 | 9.8 |
Oracle Financial Services Applications | 2 | 2 | 8.1 |
Oracle Food and Beverage Applications | 4 | 1 | 8.1 |
Oracle Fusion Middleware | 65 | 56 | 9.8 |
Oracle Health Sciences Applications | 1 | 1 | 6.1 |
Oracle Hospitality Applications | 9 | 2 | 8.8 |
Oracle Hyperion | 9 | 6 | 7.7 |
Oracle iLearning | 1 | 1 | 8.2 |
Oracle Insurance Applications | 5 | 5 | 9.8 |
Oracle Java SE | 12 | 11 | 9.0 |
Oracle JD Edwards | 6 | 6 | 9.8 |
Oracle MySQL | 38 | 3 | 9.8 |
Oracle PeopleSoft Products | 24 | 21 | 7.5 |
Oracle Retail Applications | 31 | 21 | 9.8 |
Oracle Siebel CRM | 3 | 2 | 9.8 |
Oracle Sun Systems Products | 19 | 9 | 9.8 |
Oracle Supply Chain Products Suite | 6 | 1 | 8.8 |
Oracle Support Tools | 1 | 1 | 6.5 |
Oracle Virtualization | 14 | 1 | 9.0 |

Affected products and versions | Available patch |
---|---|
Application Management Pack for Oracle E-Business Suite, versions 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | https://support.oracle.com/rs?type=doc&id=2445688.1 |
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2 | https://support.oracle.com/rs?type=doc&id=2445688.1 |
Enterprise Manager for MySQL Database, version 13.2 | https://support.oracle.com/rs?type=doc&id=2445688.1 |
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 | https://support.oracle.com/rs?type=doc&id=2445688.1 |
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions Prior to XCP2352 and Prior to XCP3050 | https://support.oracle.com/rs?type=doc&id=2451130.1 |
Hyperion BI+, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Hyperion Common Events, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Hyperion Data Relationship Management, version 11.1.2.4.345 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Hyperion Essbase Administration Services, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | https://support.oracle.com/rs?type=doc&id=2450272.1 |
JD Edwards EnterpriseOne Orchestrator, version 9.2 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
JD Edwards EnterpriseOne Tools, version 9.2 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
MICROS Lucas, version 2.9.5 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
MICROS PC Workstation 2015, versions Prior to BIOS 01.3.0.2i | https://support.oracle.com/rs?type=doc&id=2440534.1 |
MICROS Relate CRM Software, versions 10.8, 11.4 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
MICROS Retail-J, versions 12.1.2, 13.0.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
MICROS XBRi, versions 10.5.0, 10.6.0, 10.7.0, 10.8.1, 10.8.2, 10.8.3 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
MySQL Connectors, versions 8.0.12 and prior | https://support.oracle.com/rs?type=doc&id=2451036.1 |
MySQL Enterprise Monitor, versions 3.4.9.4237 and prior, 4.0.6.5281 and prior, 8.0.2.8191 and prior | https://support.oracle.com/rs?type=doc&id=2451036.1 |
MySQL Server, versions 5.5.61 and prior, 5.6.41 and prior, 5.7.23 and prior, 8.0.12 and prior | https://support.oracle.com/rs?type=doc&id=2451036.1 |
Oracle Adaptive Access Manager, versions 11.1.1.7.0, 11.1.2.3.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Oracle API Gateway, version 11.1.2.4.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Banking Platform, versions 2.5.0, 2.6.0, 2.6.1, 2.6.2 | https://support.oracle.com/rs?type=doc&id=2450072.1 |
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Big Data Discovery, version 1.6.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Communications Application Session Controller, versions Prior to 3.7.1M0 | https://support.oracle.com/rs?type=doc&id=2451363.1 |
Oracle Communications Instant Messaging Server, versions prior to 10.0.1 | https://support.oracle.com/rs?type=doc&id=2450339.1 |
Oracle Communications Messaging Server, versions prior to 8.0.2 | https://support.oracle.com/rs?type=doc&id=2450354.1 |
Oracle Communications MetaSolv Solution, version 6.3.0 | https://support.oracle.com/rs?type=doc&id=2450340.1 |
Oracle Communications Performance Intelligence Center (PIC) Software, versions prior to 10.2.1 | https://support.oracle.com/rs?type=doc&id=2452772.1 |
Oracle Communications User Data Repository, versions prior to 12.2.0 | https://support.oracle.com/rs?type=doc&id=2451007.1 |
Oracle Configuration Manager, versions 12.1.2.0.2, 12.1.2.0.5 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Demantra Demand Management, versions 7.3.5, 12.2 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Oracle Directory Server Enterprise Edition, version 11.1.1.7 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | https://support.oracle.com/rs?type=doc&id=2445688.1 |
Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Endeca Information Discovery Studio, versions 3.1.0, 3.2.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Endeca Server, versions 7.6.1, 7.7.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Fusion Middleware MapViewer, versions 12.1.3.0, 12.2.1.3 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle GlassFish Server, version 3.1.2 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle GoldenGate, versions 12.1.2.1.0, 12.2.0.2.0, 12.3.0.1.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle GoldenGate for Big Data, versions 12.2.0.1, 12.3.1.1, 12.3.2.1 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Healthcare Translational Research, version 3.1.0 | https://support.oracle.com/rs?type=doc&id=2451330.1 |
Oracle Hospitality Cruise Fleet Management, version 9.0 | https://support.oracle.com/rs?type=doc&id=2442696.1 |
Oracle Hospitality Cruise Shipboard Property Management System, version 8.0 | https://support.oracle.com/rs?type=doc&id=2442638.1 |
Oracle Hospitality Gift and Loyalty, version 9.0 | https://support.oracle.com/rs?type=doc&id=2427283.1 |
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | https://support.oracle.com/rs?type=doc&id=2439115.1 |
Oracle Hospitality Materials Control, version 18.1 | https://support.oracle.com/rs?type=doc&id=2439882.1 |
Oracle Hospitality Reporting and Analytics, version 9.0 | https://support.oracle.com/rs?type=doc&id=2427283.1 |
Oracle HTTP Server, version 12.2.1.3 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Identity Analytics, version 11.1.1.5.8 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Identity Management Suite, versions 11.1.2.3.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle iLearning, versions 6.1, 6.2 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Oracle Insurance Calculation Engine, versions 10.1.1, 10.2.1 | https://support.oracle.com/rs?type=doc&id=2450233.1 |
Oracle Insurance Rules Palette, versions 10.0, 10.1, 10.2, 11.0, 11.1 | https://support.oracle.com/rs?type=doc&id=2450233.1 |
Oracle Java SE, versions 6u201, 7u191, 8u182, 11 | https://support.oracle.com/rs?type=doc&id=2455624.1 |
Oracle Java SE Embedded, versions 8u18, 8u181 | https://support.oracle.com/rs?type=doc&id=2455624.1 |
Oracle JRockit, version R28.3.19 | https://support.oracle.com/rs?type=doc&id=2455624.1 |
Oracle Outside In Technology, version 8.5.3 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Real-Time Decision Server, version 3.2.1 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Retail Allocation, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Assortment Planning, versions 14.1, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Back Office, versions 13.3, 13.4, 14, 14.1 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Central Office, version 14.1 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Extract Transform and Load, versions 13.0, 13.1, 13.2 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Financial Integration, versions 13.2, 14.0, 14.1, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Integration Bus, version 14.1.2 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Invoice Matching, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Open Commerce Platform, versions 5.3, 6.0, 6.0.1 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Order Broker, versions 5.0, 5.1, 5.2, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Point-of-Service, versions 13.4, 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Predictive Application Server, versions 14.0, 14.1, 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Returns Management, version 14.1 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Sales Audit, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Retail Xstore Point of Service, versions 6.5.12, 7.0.7, 7.1.7, 15.0.2, 16.0.4, 17.0.2 | https://support.oracle.com/rs?type=doc&id=2448662.1 |
Oracle Service Bus, versions 12.1.3.0.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Transportation Management, version 6.3.7 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Oracle Tuxedo, version 12.1.1.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle VM VirtualBox, versions prior to 5.2.20 | https://support.oracle.com/rs?type=doc&id=2455529.1 |
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3, prior to Docker 12.2.1.3.20180913 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
OSS Support Tools, versions prior to 18.4 | https://support.oracle.com/rs?type=doc&id=2451131.1 |
PeopleSoft Enterprise Interaction Hub, version 9.1.0.0 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56, 8.57 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Primavera Gateway, versions 15.2, 16.2, 17.12 | https://support.oracle.com/rs?type=doc&id=2450272.1 |
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.1, 15.2, 16.1, 16.2, 18.8, 17.7 - 17.12 | https://support.oracle.com/rs?type=doc&id=2450272.1 |
Primavera Unifier, versions 15.1, 15.2, 16.1, 16.2, 17.1-17.12, 18.1-18.8 | https://support.oracle.com/rs?type=doc&id=2450272.1 |
Siebel Applications, versions 18.7, 18.8, 18.9 | https://support.oracle.com/rs?type=doc&id=2453322.1 |
Solaris, versions 10, 11.3, 11.4 | https://support.oracle.com/rs?type=doc&id=2451130.1 |
SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1123 | https://support.oracle.com/rs?type=doc&id=2451130.1 |
Spatial, versions 2.0, 2.1, 2.2 | https://support.oracle.com/rs?type=doc&id=2433477.1 |
Author: NSFOCUS Security Service Department
Disclaimer
This security advisory is intended only to describe possible security issues; NSFOCUS provides no guarantee or commitment in connection with it. Any direct or indirect consequences and losses arising from the distribution or use of the information in this advisory are the sole responsibility of the user; neither NSFOCUS nor the authors of this advisory bear any liability for them.
NSFOCUS reserves the right to modify and interpret this advisory. Anyone who reprints or distributes it must preserve it in full, including the copyright notice and all other content. Without NSFOCUS's permission, this advisory may not be modified, abridged or extended in any way, nor used for commercial purposes.