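On January 16, 2018 (local time), Oracle released its January 2018 Critical Patch Update (CPU) advisory, together with security alerts, third-party bulletins and other advisories, fixing 237 vulnerabilities of varying severity, including fixes related to the Intel processor vulnerabilities (Meltdown, Spectre). The affected products and available patches are listed in the table in the appendix.
See the following link for details: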
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
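Oracle Database Server
This Critical Patch Update contains 5 new security fixes for Oracle Database Server. 3 of these vulnerabilities can be remotely exploited without authentication.
For details, see: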
http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
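Oracle Communications Applications
This Critical Patch Update contains 10 new security fixes for Oracle Communications Applications. 8 of these vulnerabilities can be remotely exploited without authentication, i.e., they can be exploited over a network without requiring user credentials.
For details, see: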
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#CGBU
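Oracle Construction and Engineering Suite
This Critical Patch Update contains 1 new security fix for Oracle Construction and Engineering Suite. This vulnerability cannot be exploited remotely.
For details, see: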
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#PVA
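Oracle E-Business Suite
This Critical Patch Update contains 7 new security fixes for Oracle E-Business Suite. 4 of these vulnerabilities can be remotely exploited without authentication.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Fusion Middleware sections.
For details, see: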
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#EBS
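Oracle Financial Services Applications
This Critical Patch Update contains 34 new security fixes for Oracle Financial Services Applications. 13 of these vulnerabilities can be remotely exploited without authentication.
For details, see: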
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#IFLX
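Oracle Fusion Middleware
This Critical Patch Update contains 27 new security fixes for Oracle Fusion Middleware. 21 of these vulnerabilities can be remotely exploited without authentication.
For details, see: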
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#FMW
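Oracle Health Sciences Applications
This Critical Patch Update contains 7 new security fixes for Oracle Health Sciences Applications. 5 of these vulnerabilities can be remotely exploited without authentication.
For details, see: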
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#HCAR
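Oracle Hospitality Applications
This Critical Patch Update contains 21 new security fixes for Oracle Hospitality Applications. 15 of these vulnerabilities can be remotely exploited without authentication.
For details, see: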
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#HOSP
Oracle Hyperion
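This Critical Patch Update contains 4 new security fixes for Oracle Hyperion. 1 of these vulnerabilities can be remotely exploited without authentication.
For details, see: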
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#HYP
Oracle Java Micro Edition
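This Critical Patch Update contains 1 new security fix for Oracle Java Micro Edition. This vulnerability cannot be remotely exploited without authentication.
For details, see: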
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#JME
Oracle Java SE
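This Critical Patch Update contains 21 new security fixes for Oracle Java SE. 18 of these vulnerabilities can be remotely exploited without authentication.
For details, see: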
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#JAVA
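Oracle JD Edwards Products
This Critical Patch Update contains 2 new security fixes for Oracle JD Edwards Products. Both of these vulnerabilities can be remotely exploited without authentication.
For details, see: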
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#JDE
Oracle MySQL
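This Critical Patch Update contains 25 new security fixes for Oracle MySQL. 6 of these vulnerabilities can be remotely exploited without authentication.
For details, see: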
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#MSQL
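Oracle PeopleSoft Products
This Critical Patch Update contains 15 new security fixes for Oracle PeopleSoft Products. 8 of these vulnerabilities can be remotely exploited without authentication.
For details, see: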
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#PS
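Oracle Retail Applications
This Critical Patch Update contains 11 new security fixes for Oracle Retail Applications. 8 of these vulnerabilities can be remotely exploited without authentication.
For details, see: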
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#RAPP
Oracle Siebel CRM
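This Critical Patch Update contains 2 new security fixes for Oracle Siebel CRM. Neither of these vulnerabilities can be remotely exploited without authentication.
For details, see: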
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#SECR
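Oracle Sun Systems Products Suite
This Critical Patch Update contains 13 new security fixes for the Oracle Sun Systems Products Suite. 7 of these vulnerabilities can be remotely exploited without authentication.
For details, see: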
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#SUNS
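Oracle Supply Chain Products Suite
This Critical Patch Update contains 14 new security fixes for the Oracle Supply Chain Products Suite. 12 of these vulnerabilities can be remotely exploited without authentication.
For details, see: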
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#SCP
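Oracle Support Tools
This Critical Patch Update contains 3 new security fixes for Oracle Support Tools. 1 of these vulnerabilities can be remotely exploited without authentication.
For details, see: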
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#TOOL
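Oracle Virtualization
This Critical Patch Update contains 14 new security fixes for Oracle Virtualization. 3 of these vulnerabilities can be remotely exploited without authentication.
For details, see: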
http://www.oracle.com/technetwork/security-advisory/cpujan2018verbose-3236630.html#OVIR
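Critical Patch Update (CPU)
A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Earlier Critical Patch Update advisories should therefore be reviewed for information about security fixes in earlier releases.
Solution
Given the threat posed by a successful attack, Oracle strongly recommends that customers download and install the Critical Patch Update fixes as soon as possible.
Appendix
The affected products (with versions) and the corresponding patch documents are listed in the table below: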
Affected Products and Versions | Patch Availability Document
Agile Material and Equipment Management for Pharmaceuticals, versions 9.3.3, 9.3.4 | Oracle Supply Chain Products
Application Express, versions prior to 5.1.4.00.08 | Database
Converged Commerce, version 16.0.1 | Retail Applications
Hyperion BI+, version 11.1.2.4 | Fusion Middleware
Hyperion Data Relationship Management, version 11.1.2.4.330 | Fusion Middleware
Integrated Lights Out Manager (ILOM), versions 3.x, 4.x | Systems
Java Advanced Management Console, version 2.8 | Java SE
Java ME SDK, version 8.3 | Java ME
JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards
MICROS Handheld Terminal, versions Prior to BSP 02.13.0701 (070116) | MICROS Handheld Terminal
MICROS Relate CRM Software, versions 10.8.x, 11.4.x, 15.0.x | Retail Applications
MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1 | Retail Applications
MySQL Connectors, versions 5.3.9 and prior, 6.9.9 and prior, 6.10.4 and prior | MySQL
MySQL Enterprise Monitor, versions 3.3.6.3293 and prior, 3.4.4.4226 and prior, 4.0.0.5135 and prior | MySQL
MySQL Server, versions 5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior | MySQL
Oracle Access Manager, versions 10.1.4.3.0, 11.1.2.3.0 | Fusion Middleware
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 | Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6 | Oracle Supply Chain Products
Oracle Argus Safety, versions 7.x, 8.0.x, 8.1 | Health Sciences
Oracle Autovue for Agile Product Lifecycle Management, versions 21.0.0, 21.0.1 | Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0 | Oracle Financial Services Applications
Oracle Banking Payments, versions 12.3.0, 12.4.0 | Oracle Financial Services Applications
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle Communications Application Session Controller, version 3.x | Oracle Communications Application Session Controller
Oracle Communications BRM – Elastic Charging Engine, version 7.5 | Oracle Communications BRM – Elastic Charging Engine
Oracle Communications Convergent Charging Controller, version 6.0 | Oracle Communications Convergent Charging Controller
Oracle Communications Network Charging and Control, version 6.0 | Oracle Communications Network Charging and Control
Oracle Communications Order and Service Management, versions 7.2.4.1.x, 7.2.4.2.x, 7.3.0.1.x, 7.3.0.x.x | Oracle Communications Order and Service Management
Oracle Communications Services Gatekeeper, versions 5.1, 6.0 | Oracle Communications Services Gatekeeper
Oracle Communications Unified Inventory Management, versions 7.2.4.2.x, 7.3 | Oracle Communications Unified Inventory Management
Oracle Communications User Data Repository, versions 10.x, 12.x | Oracle Communications User Data Repository
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1 | Database
Oracle Directory Server Enterprise Edition, version 11.1.1.7.0 | Fusion Middleware
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | E-Business Suite
Oracle Endeca Information Discovery Integrator, versions 3.1.0, 3.2.0 | Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.5.x, 8.0.x | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, version 8.0.x | Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 6.1.x, 8.0.x | Oracle Financial Services Asset Liability Management
Oracle Financial Services Balance Sheet Planning, version 8.0.x | Oracle Financial Services Balance Sheet Planning
Oracle Financial Services Funds Transfer Pricing, versions 6.1.x, 8.0.x | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, version 8.0.x | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Liquidity Risk Management, version 8.0.x | Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, version 8.0.x | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Market Risk, version 8.0.x | Oracle Financial Services Market Risk
Oracle Financial Services Market Risk Measurement and Management, version 8.0.5 | Oracle Financial Services Market Risk Measurement and Management
Oracle Financial Services Price Creation and Discovery, version 8.0.5 | Oracle Financial Services Price Creation And Discovery
Oracle Financial Services Profitability Management, versions 6.1.x, 8.0.x | Oracle Financial Services Profitability Management
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3 | Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 11.5.0, 11.6.0, 11.7.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0 | Oracle Financial Services Applications
Oracle Fusion Applications, versions 11.1.2 through 11.1.9 | Fusion Applications
Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3 | Fusion Middleware
Oracle Health Sciences Empirica Inspections, version 1.0.1.1 | Health Sciences
Oracle Health Sciences Empirica Signal, version 8.0.1.0 | Health Sciences
Oracle Hospitality Cruise Dining Room Management, version 8.0.78 | Oracle Hospitality Cruise Dining Room Management
Oracle Hospitality Cruise Fleet Management, version 9.0.4.0 | Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 7.3.874 | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 | Oracle Hospitality Guest Access
Oracle Hospitality Labor Management, versions 8.5.1, 9.0.0 | Oracle Hospitality Labor Management
Oracle Hospitality Reporting and Analytics, versions 8.5.1, 9.0.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.7, 2.8, 2.9 | Oracle Hospitality Simphony
Oracle HTTP Server, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle Hyperion Planning, version 11.1.2.4.007 | Fusion Middleware
Oracle Identity Manager, version 11.1.2.3.0 | Fusion Middleware
Oracle Identity Manager Connector, versions 9.0.4.20.6, 9.0.4.21.0, 9.0.4.25.4 | Fusion Middleware
Oracle Internet Directory, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0 | Fusion Middleware
Oracle iPlanet Web Server, version 7.0 | Fusion Middleware
Oracle Java SE, versions 6u171, 7u161, 8u152, 9.0.1 | Java SE
Oracle Java SE Embedded, version 8u151 | Java SE
Oracle JDeveloper, versions 11.1.1.2.4, 11.1.1.7.0, 11.1.1.7.1, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.2.0 | Fusion Middleware
Oracle JRockit, version R28.3.16 | Java SE
Oracle Mobile Security Suite, version 3.0.1 | Fusion Middleware
Oracle Retail Assortment Planning, versions 14.1.3, 15.0.3, 16.0.1 | Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.1.132 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 10.8.x, 11.4.x, 15.0.x, 16.0.x | Retail Applications
Oracle Retail Fiscal Management, version 14.1 | Retail Applications
Oracle Retail Merchandising System, version 16.0 | Retail Applications
Oracle Retail Workforce Management, versions 1.60.7, 1.64.0 | Retail Applications
Oracle Secure Global Desktop (SGD), version 5.3 | Virtualization
Oracle Transportation Management, versions 6.2.11, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.1, 6.4.2, 6.4.3 | Oracle Supply Chain Products
Oracle Tuxedo System and Applications Monitor, version 12.1.3.0.0 | Fusion Middleware
Oracle VM VirtualBox, versions prior to 5.1.32, prior to 5.2.6 | Virtualization
Oracle WebCenter Content, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle WebCenter Sites, version 11.1.1.8.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle X86 Servers, versions SW 1.x, SW 2.x | Systems
OSS Support Tools, versions prior to 2.11.33 | Support Tools
PeopleSoft Enterprise FIN Supply Chain Portal Pack Argentina, version 9.1 | PeopleSoft
PeopleSoft Enterprise FIN Supply Chain Portal Pack Brazil, version 9.1 | PeopleSoft
PeopleSoft Enterprise FSCM, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Human Resources, versions 9.1, 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.54, 8.55, 8.56 | PeopleSoft
PeopleSoft Enterprise PRTL Interaction Hub, version 9.1.00 | PeopleSoft
PeopleSoft Enterprise SCM eProcurement, versions 9.1, 9.2 | PeopleSoft
PeopleSoft Enterprise SCM Purchasing, version 9.2 | PeopleSoft
Primavera Unifier, versions 10.x, 15.x, 16.x, 17.x | Oracle Construction and Engineering Suite
Siebel Applications, versions 16.0, 17.0 | Siebel
Solaris, versions 10, 11.3 | Systems
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.13 | Systems
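Statement
=============
This security advisory is intended only to describe possible security issues, and NSFOCUS provides no guarantee or commitment regarding it. Any direct or indirect consequences and losses arising from the dissemination or use of the information in this advisory are the sole responsibility of the user; NSFOCUS and the authors of the advisory accept no liability for them. NSFOCUS reserves the right to modify and interpret this advisory. Anyone reproducing or distributing this advisory must preserve it in full, including the copyright statement. Without permission from NSFOCUS, the content of this advisory may not be modified, added to or cut, and may not be used for commercial purposes in any way.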