【漏洞预警】Oracle全系产品2019年10月关键补丁更新处置手册
【漏洞预警】Oracle全系产品2019年10月关键补丁更新处置手册
预警编号:NS-2019-0044
2019-10-16
TAG: | Oracle、CPU、关键补丁更新 |
|---|---|
漏洞危害: | 高,此次补丁更新修复了240个不同程度的漏洞,涉及多个常用产品。 |
版本: | 1.0 |
1
概述
2019年10月15日,Oracle官方发布2019年10月关键补丁更新公告(Critical Patch Update,简称CPU),此次更新修复了240个不同程度的安全漏洞。其中161个漏洞可被远程未经身份认证的攻击者利用。此次更新涉及Oracle Database Server、Oracle Weblogic Server、Oracle Java SE、Oracle MySQL等多个产品。Oracle强烈建议客户尽快应用关键补丁更新修复程序,对漏洞进行修复。
参考链接:
https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html
SEE MORE →
2CPU修复漏洞总结
此次关键补丁更新(CPU)修复的漏洞中CVSS评分为9.8的漏洞156个,涉及Oracle Enterprise manager Products Suite、Oracle Fusion Middleware、Oracle Knowledge、Oracle MySQL等多个产品。
其中Weblogic Serve存在多个高危漏洞,(CVE-2019-2887) 与(CVE-2019-2890)导致攻击者可以在未授权的情况下通过T3协议对存在漏洞的WebLogic组件进行远程攻击,禁用T3协议操作方式进行防护可参考链接https://mp.weixin.qq.com/s/YWTSyEVunQUordwxThrGwA;(CVE-2019-2891)可导致攻击者能发送HTTP请求攻击WebLogic Server;此外还有以下WebLogic Server漏洞需要进行关注:( CVE-2019-2888),( CVE-2019-2889),( CVE-2015-9251),( CVE-2019-11358),( CVE-2019-17091)。
Oracle官方10月关键补丁更新漏洞总结如下:
产品 | 漏洞个数 | 未授权远程利用个数 | 最高CVSS评分 |
|---|---|---|---|
Oracle Database server | 10 | 2 | 6.8 |
Oracle NoSQL Database | 1 | 1 | 10 |
Oracle Construction and Engineering Suite | 13 | 11 | 9.8 |
Oracle E-Business Suite | 10 | 10 | 8.2 |
Oracle Enterprise manager Products Suite | 7 | 5 | 9.8 |
Oracle Financial Services Applications | 7 | 4 | 9.8 |
Oracle Food and Beverage Applications | 7 | 3 | 9.0 |
Oracle Fusion Middleware | 37 | 31 | 9.8 |
Oracle Health Sciences Applications | 2 | 2 | 6.1 |
Oracle Hospitality Applications | 3 | 2 | 7.5 |
Oracle Hyperion | 3 | 0 | 6.4 |
Oracle Java SE | 20 | 20 | 6.8 |
Oracle GraalVM | 3 | 2 | 7.7 |
Oracle JD Edwards Products | 1 | 1 | 9.8 |
Oracle Knowledge | 17 | 16 | 9.8 |
Oracle MySQL | 34 | 9 | 9.8 |
Oracle PeopleSoft Products | 13 | 10 | 9.8 |
Oracle Policy Automation | 4 | 4 | 7.5 |
Oracle Retail Applications | 12 | 9 | 9.8 |
Oracle Siebel CRM | 4 | 4 | 7.5 |
Oracle Sun Systems Products Suite | 12 | 7 | 9.8 |
Oracle Supply Chain Products | 3 | 3 | 9.8 |
Oracle Support Tools | 2 | 2 | 6.1 |
Oracle Virtualization | 15 | 3 | 8.8 |
3漏洞防护
请用户参考本文附录“受影响产品及补丁信息”及时下载受影响产品更新补丁,并参照补丁安装包中的readme文件进行安装更新,以保证长期有效的防护。
注:Oracle官方补丁需要用户持有正版软件的许可账号,使用该账号登陆https://support.oracle.com后,可以下载最新补丁。
附录受影响产品及补丁信息
受影响产品及版本号 | 可用补丁 |
|---|---|
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
Diagnostic Assistant, version 2.12.36 | https://support.oracle.com/rs?type=doc&id=2594574.1 |
Enterprise Manager Base Platform, versions 13.2, 13.3 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071 | https://support.oracle.com/rs?type=doc&id=2592433.1 |
Hyperion Data Relationship Management, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Hyperion Enterprise Performance Management Architect, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Hyperion Financial Reporting, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 | https://support.oracle.com/rs?type=doc&id=2593049.1 |
JD Edwards EnterpriseOne Tools, version 4.0.1.0 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
MICROS Retail XBRi Loss Prevention, version 10.8.3 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior | https://support.oracle.com/rs?type=doc&id=2593658.1 |
MySQL Enterprise Monitor, versions 8.0.17 and prior | https://support.oracle.com/rs?type=doc&id=2593658.1 |
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.17 and prior | https://support.oracle.com/rs?type=doc&id=2593658.1 |
MySQL Workbench, versions 8.0.17 and prior | https://support.oracle.com/rs?type=doc&id=2593658.1 |
Oracle Agile PLM, versions 9.3.3-9.3.6 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
Oracle API Gateway, version 11.1.2.4.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Application Testing Suite, versions 13.2, 13.3 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1 | https://support.oracle.com/ |
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1 | https://support.oracle.com/rs?type=doc&id=2594124.1 |
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Clusterware, version 19.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2594574.1 |
Oracle Data Integrator, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 | https://support.oracle.com/rs?type=doc&id=2586423.1 |
Oracle Enterprise Repository, version 12.1.3.0.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8 | https://support.oracle.com/rs?type=doc&id=2592361.1 |
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7 | https://support.oracle.com/rs?type=doc&id=2593398.1 |
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7 | https://support.oracle.com/rs?type=doc&id=2593398.1 |
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3 | https://support.oracle.com/ |
Oracle Forms, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle GoldenGate Application Adapters, version 12.3.2.1.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle GraalVM Enterprise Edition, version 19.2.0 | https://support.oracle.com/rs?type=doc&id=2591613.1 |
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2 | https://support.oracle.com/rs?type=doc&id=2583502.1 |
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1 | https://support.oracle.com/rs?type=doc&id=2583502.1 |
Oracle Hospitality Cruise Dining Room Management, version 8.0.80 | https://support.oracle.com/rs?type=doc&id=2584050.1 |
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | https://support.oracle.com/rs?type=doc&id=2584235.1 |
Oracle Hospitality Materials Control, version 18.1 | https://support.oracle.com/rs?type=doc&id=2592505.1 |
Oracle Hospitality Reporting and Analytics, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2592453.1 |
Oracle Hospitality RES 3700, version 5.7 | https://support.oracle.com/rs?type=doc&id=2582546.1 |
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13 | https://support.oracle.com/rs?type=doc&id=2589853.1 |
Oracle Java SE Embedded, version 8u221 | https://support.oracle.com/rs?type=doc&id=2589853.1 |
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle NoSQL Database, versions prior to 19.3.12 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Outside In Technology, version 8.5.4 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15 | https://support.oracle.com/rs?type=doc&id=2593361.1 |
Oracle Policy Automation Connector for Siebel, version 10.4.6 | https://support.oracle.com/rs?type=doc&id=2593361.1 |
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15 | https://support.oracle.com/rs?type=doc&id=2593361.1 |
Oracle Retail Customer Insights, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
Oracle Retail Customer Management and Segmentation Foundation, version 17.0 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
Oracle Retail Integration Bus, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
Oracle Retail Xstore Office, version 7.1 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0 | https://support.oracle.com/rs?type=doc&id=2578292.1 |
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle SOA Suite, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle Solaris, versions 10, 11 | https://support.oracle.com/rs?type=doc&id=2592433.1 |
Oracle Virtual Directory, version 11.1.1.9.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14 | https://support.oracle.com/rs?type=doc&id=2592169.1 |
Oracle Web Services, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle WebCenter Portal, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2568292.1 |
PeopleSoft Enterprise HCM Human Resources, version 9.2 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
PeopleSoft Enterprise SCM eProcurement, version 9.2 | https://support.oracle.com/rs?type=doc&id=2585367.1 |
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8 | https://support.oracle.com/rs?type=doc&id=2593049.1 |
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13 | https://support.oracle.com/rs?type=doc&id=2593049.1 |
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8 | https://support.oracle.com/rs?type=doc&id=2593049.1 |
Siebel Applications, versions 19.8 and prior | https://support.oracle.com/rs?type=doc&id=2585367.1 |
END
作者:绿盟科技安全服务部
声明
本安全公告仅用来描述可能存在的安全问题,绿盟科技不为此安全公告提供任何保证或承诺。由于传播、利用此安全公告所提供的信息而造成的任何直接或者间接的后果及损失,均由使用者本人负责,绿盟科技以及安全公告作者不为此承担任何责任。
绿盟科技拥有对此安全公告的修改和解释权。如欲转载或传播此安全公告,必须保证此安全公告的完整性,包括版权声明等全部内容。未经绿盟科技允许,不得任意修改或者增减此安全公告内容,不得以任何方式将其用于商业目的。