1. Overview
On January 19, 2023, NSFOCUS CERT observed that Oracle had released its January Critical Patch Update (CPU) advisory. The update fixes 327 vulnerabilities of varying severity across many widely used products, including Oracle WebLogic Server, Oracle Fusion Middleware, Oracle MySQL, Oracle Java SE, Oracle Retail Applications and Oracle Database Server. Oracle strongly recommends that customers apply the Critical Patch Update fixes as soon as possible.
Reference:
https://www.oracle.com/security-alerts/cpujan2023.html
2. Key vulnerabilities
Based on product popularity and vulnerability severity, the following high-impact vulnerabilities in this update have been selected; affected users should pay particular attention to them:
Oracle WebLogic Server remote code execution vulnerability (CVE-2023-21839):
A flaw in WebLogic's IIOP/T3 protocol handling allows an unauthenticated attacker to send malicious requests to an affected server over IIOP/T3, ultimately gaining access to sensitive information and executing arbitrary code on the target server. Technical details of this vulnerability are already public.
Oracle WebLogic Server remote code execution vulnerability (CVE-2022-42920):
Oracle WebLogic Server bundles the third-party library Apache Commons BCEL, which exposes many APIs that normally only allow specific class characteristics to be changed. Because of an out-of-bounds write flaw, an unauthenticated attacker can send malicious data through several of these APIs, ultimately causing denial of service or arbitrary code execution.
Multiple vulnerabilities in Oracle Fusion Middleware:
This update releases 50 security patches for Oracle Fusion Middleware, 39 of which address vulnerabilities that can be exploited remotely without user authentication, that is, over a network without user credentials. The critical vulnerability IDs are:
CVE-2022-45047
CVE-2022-42889
CVE-2022-23305
CVE-2022-25236
CVE-2022-31813
CVE-2022-2274
CVE-2022-27404
Multiple vulnerabilities in Oracle MySQL:
This update releases 37 security patches for Oracle MySQL, 8 of which address vulnerabilities that can be exploited remotely without user authentication, that is, over a network without user credentials. The high-risk vulnerability IDs are:
CVE-2022-31692
CVE-2022-32221
CVE-2022-37434
CVE-2020-36242
CVE-2022-24407
Multiple vulnerabilities in Oracle Financial Services Applications:
This update releases 16 security patches for Oracle Financial Services Applications, 12 of which address vulnerabilities that can be exploited remotely without user authentication. The high-risk vulnerability ID is:
CVE-2022-33980
Multiple vulnerabilities in Oracle Communications Applications:
This update releases 39 security patches for Oracle Communications Applications, 31 of which address vulnerabilities that can be exploited remotely without user authentication. The high-risk vulnerability IDs are:
CVE-2022-42889
CVE-2022-33980
CVE-2022-22978
CVE-2022-37454
CVE-2022-31692
Multiple vulnerabilities in Oracle E-Business Suite:
This update releases 12 security patches for Oracle E-Business Suite, 10 of which address vulnerabilities that can be exploited remotely without user authentication. An attacker with HTTP network access can compromise products in the suite, resulting in unauthorized access to critical data or complete access to all data accessible to those products. The high-risk vulnerability IDs are:
CVE-2023-21849
CVE-2023-21858
CVE-2023-21857
CVE-2023-21856
CVE-2023-21852
CVE-2023-21851
CVE-2023-21853
CVE-2023-21855
CVE-2023-21854
The vulnerabilities in Oracle's January Critical Patch Update are summarised by product below:
Product | Vulnerabilities | Remotely exploitable without authentication | Highest CVSS score |
--- | --- | --- | --- |
Oracle Communications | 79 | 63 | 9.9 |
Oracle Big Data Graph | 2 | 1 | 9.8 |
Oracle Essbase | 2 | 1 | 9.8 |
Oracle Commerce | 2 | 2 | 9.8 |
Oracle Communications Applications | 39 | 31 | 9.8 |
Oracle Construction and Engineering | 7 | 4 | 9.8 |
Oracle Enterprise Manager | 3 | 2 | 9.8 |
Oracle Financial Services Applications | 16 | 12 | 9.8 |
Oracle Fusion Middleware | 50 | 39 | 9.8 |
Oracle Health Sciences Applications | 2 | 2 | 9.8 |
Oracle HealthCare Applications | 4 | 2 | 9.8 |
Oracle Hyperion | 2 | 2 | 9.8 |
Oracle JD Edwards | 2 | 1 | 9.8 |
Oracle MySQL | 37 | 8 | 9.8 |
Oracle PeopleSoft | 12 | 10 | 9.8 |
Oracle Siebel CRM | 2 | 1 | 9.8 |
Oracle Support Tools | 6 | 6 | 9.8 |
Oracle Systems | 2 | 1 | 9.8 |
Oracle Utilities Applications | 7 | 7 | 9.8 |
Oracle Hospitality Applications | 1 | 0 | 8.8 |
Oracle Food and Beverage Applications | 7 | 2 | 8.3 |
Oracle Java SE | 4 | 4 | 8.1 |
Oracle Virtualization | 6 | 1 | 8.1 |
Oracle Supply Chain | 8 | 5 | 7.8 |
Oracle Database Products Risk Matrices | 9 | 1 | 7.5 |
Oracle Database Server | 9 | 1 | 7.5 |
Oracle E-Business Suite | 12 | 10 | 7.5 |
Oracle Retail Applications | 1 | 1 | 7.5 |
Oracle Global Lifecycle Management | 3 | 0 | 6.5 |
Oracle GoldenGate | 3 | 0 | 6.5 |
Oracle Graph Server and Client | 1 | 0 | 6.5 |
Oracle Spatial Studio | 1 | 0 | 6.5 |
Oracle TimesTen In-Memory Database | 1 | 0 | 6.5 |
Oracle Insurance Applications | 1 | 1 | 6.5 |
3. Mitigation
- Patch update
Refer to the appendix "Affected products and patch information" to download the patches for the affected products promptly, and install them following the readme file in the patch package, to ensure long-term effective protection.
Note: Oracle patches require a licensed account for genuine software; log in to https://support.oracle.com with that account to download the latest patches.
- Temporary WebLogic mitigations
3.2.1 Restrict access to the T3 protocol
If the patch cannot be installed for the time being, or T3 is not used for JVM communication, the following measures block attacks that exploit T3 protocol vulnerabilities:
WebLogic Server ships a default connection filter named weblogic.security.net.ConnectionFilterImpl. By default it accepts all incoming connections, but rules can be configured on it to control access to the T3 and T3S protocols. The steps are as follows:
- In the WebLogic console, open the configuration page for base_domain, go to the "Security" tab, click "Filter" and open the connection filter configuration.
- Enter weblogic.security.net.ConnectionFilterImpl as the connection filter, then enter rules matching the organisation's actual situation in the connection filter rules, following this pattern:
127.0.0.1 * * allow t3 t3s
<server's own IP> * * allow t3 t3s
<IP allowed to connect> * * allow t3 t3s
* * * deny t3 t3s
Connection filter rules have the format target localAddress localPort action protocols, where:
- target specifies one or more servers to filter.
- localAddress defines the host address of the server (an asterisk (*) matches all local IP addresses).
- localPort defines the port the server is listening on (an asterisk matches all available ports on the server).
- action specifies the action to take (the value must be "allow" or "deny").
- protocols is the list of protocol names to match (one of http, https, t3, t3s, giop, giops, dcom or ftp). If no protocol is given, the rule matches all protocols.
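Before restarting the server to apply a rule set, it is worth checking that the rules actually allow the trusted sources and deny everyone else for T3/T3S while leaving HTTP untouched. The following Python script is an added example, not part of the NSFOCUS advisory or of WebLogic itself: it parses rules in the format described above and evaluates constructed connections against them. Its matching semantics are assumptions to verify against the WebLogic documentation for the version in use: the first matching rule decides, a connection that matches no rule is accepted (the default filter accepts everything), and targets are "*", an IP address, or an address/netmask network. The server IP 10.0.0.5, port 7001, the 10.0.1.0/24 admin subnet and the external address 203.0.113.7 are constructed sample values.

```python
"""Evaluator and audit helper for WebLogic-style connection filter rules.

Added example, not WebLogic code. Assumptions: rules are tested in the
order given, the first rule whose fields all match decides the connection,
a connection that matches no rule is accepted (the default filter accepts
everything), and the target column is "*", an IP address, or an IP network
written as address/netmask or address/prefixlen. Hostname targets are
rejected as unsupported here.
"""
import ipaddress
from dataclasses import dataclass

# Protocol names the rule format accepts (from the rule description in the text).
KNOWN_PROTOCOLS = frozenset(
    {"http", "https", "t3", "t3s", "giop", "giops", "dcom", "ftp"})

SERVER_IP = "10.0.0.5"  # constructed: the WebLogic server's own address


@dataclass(frozen=True)
class Rule:
    target: str           # "*", IP address or IP network
    local_address: str    # "*" or a local IP
    local_port: str       # "*" or a port number
    action: str           # "allow" or "deny"
    protocols: frozenset  # empty set means "all protocols"


def parse_rule(line):
    """Parse one 'target localAddress localPort action protocols' line."""
    parts = line.split()
    if len(parts) < 4:
        raise ValueError(f"rule needs at least four fields: {line!r}")
    target, local_address, local_port, action = parts[:4]
    if target != "*":
        ipaddress.ip_network(target, strict=False)  # ValueError if not an IP form
    if local_port != "*":
        int(local_port)  # ValueError if not numeric
    if action not in ("allow", "deny"):
        raise ValueError(f"action must be allow or deny: {line!r}")
    protocols = frozenset(p.lower() for p in parts[4:])
    unknown = protocols - KNOWN_PROTOCOLS
    if unknown:
        raise ValueError(f"unknown protocol(s) {sorted(unknown)}: {line!r}")
    return Rule(target, local_address, local_port, action, protocols)


def _target_matches(target, remote_ip):
    if target == "*":
        return True
    network = ipaddress.ip_network(target, strict=False)
    return ipaddress.ip_address(remote_ip) in network


def evaluate(rules, remote_ip, local_address, local_port, protocol):
    """Return 'allow' or 'deny' for one connection (first matching rule wins)."""
    protocol = protocol.lower()
    for rule in rules:
        if not _target_matches(rule.target, remote_ip):
            continue
        if rule.local_address not in ("*", local_address):
            continue
        if rule.local_port != "*" and int(rule.local_port) != local_port:
            continue
        if rule.protocols and protocol not in rule.protocols:
            continue
        return rule.action
    return "allow"  # assumption: unmatched connections are accepted


def find_policy_gaps(rule_lines, trusted_ips, untrusted_ips,
                     local_address=SERVER_IP, local_port=7001):
    """List trusted sources denied T3/T3S and untrusted sources still allowed."""
    rules = [parse_rule(line) for line in rule_lines]
    gaps = []
    for proto in ("t3", "t3s"):
        for ip in trusted_ips:
            if evaluate(rules, ip, local_address, local_port, proto) != "allow":
                gaps.append(f"trusted {ip} is denied {proto}")
        for ip in untrusted_ips:
            if evaluate(rules, ip, local_address, local_port, proto) != "deny":
                gaps.append(f"untrusted {ip} is allowed {proto}")
    return gaps


# Constructed rule set following the pattern in the text: loopback, the
# server itself and an admin subnet may use T3/T3S, everyone else is denied.
SAMPLE_RULES = [
    "127.0.0.1 * * allow t3 t3s",
    f"{SERVER_IP} * * allow t3 t3s",
    "10.0.1.0/255.255.255.0 * * allow t3 t3s",  # constructed admin subnet
    "* * * deny t3 t3s",
]

# Constructed misordering: the catch-all deny comes first, so the allow
# rule after it is never reached and trusted administrators are locked out.
MISORDERED_RULES = [
    "* * * deny t3 t3s",
    "10.0.1.0/255.255.255.0 * * allow t3 t3s",
]

if __name__ == "__main__":
    trusted = ["127.0.0.1", "10.0.1.20"]
    untrusted = ["203.0.113.7"]  # constructed external address
    print("correct order:", find_policy_gaps(SAMPLE_RULES, trusted, untrusted))
    print("deny first:   ", find_policy_gaps(MISORDERED_RULES, trusted, untrusted))
```

Run the script with your own rule lines and the addresses that must keep T3 access; an empty result for the correct ordering and a non-empty one for the deny-first variant shows why the catch-all deny must be the last rule. HTTP connections from the external address stay allowed, because the deny rule lists only t3 and t3s.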
- If the rules do not take effect after saving, restart the WebLogic service (restarting WebLogic interrupts business services; assess the risk before proceeding). Taking a Windows environment as an example, the restart steps are:
Go to the bin directory under the domain directory; on Windows run stopWebLogic.cmd to stop the WebLogic service, on Linux run stopWebLogic.sh.
Once the stop script has finished, run startWebLogic.cmd or startWebLogic.sh to start WebLogic again, which completes the restart.
3.2.2 Disable the IIOP protocol
Users can block attacks that exploit IIOP protocol vulnerabilities by disabling IIOP, as follows:
In the WebLogic console, choose "Services" -> "AdminServer" -> "Protocols" and clear the "Enable IIOP" checkbox, then restart WebLogic for the change to take effect.
Appendix: Affected products and patch information
Affected product and versions | Available patch |
--- | --- |
Big Data Spatial and Graph, versions prior to 21.4.3, prior to 23.1.0 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Enterprise Manager Base Platform, versions 13.4.0.0, 13.5.0.0 | https://support.oracle.com/rs?type=doc&id=2906900.1 |
Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2906900.1 |
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2411, prior to XCP3111, prior to XCP4011 | https://support.oracle.com/rs?type=doc&id=2920776.1 |
GoldenGate Stream Analytics, versions prior to 19.1.0.0.8 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
GoldenGate Veridata, versions prior to 12.2.1.4.220831 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.7.2 | https://support.oracle.com/rs?type=doc&id=2915506.1 |
JD Edwards EnterpriseOne Tools, versions prior to 9.2.7.2 | https://support.oracle.com/rs?type=doc&id=2915506.1 |
Management Cloud Engine, version 22.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=2919078.1 |
Management Pack for Oracle GoldenGate, versions prior to 12.2.1.2.221115 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Middleware Common Libraries and Tools, versions 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
MySQL Cluster, versions 7.4.38 and prior, 7.5.28 and prior, 7.6.24 and prior, 8.0.31 and prior | https://support.oracle.com/rs?type=doc&id=2917170.1 |
MySQL Connectors, versions 8.0.31 and prior | https://support.oracle.com/rs?type=doc&id=2917170.1 |
MySQL Enterprise Monitor, versions 8.0.32 and prior | https://support.oracle.com/rs?type=doc&id=2917170.1 |
MySQL Server, versions 5.7.40 and prior, 8.0.31 and prior | https://support.oracle.com/rs?type=doc&id=2917170.1 |
MySQL Shell, versions 8.0.31 and prior | https://support.oracle.com/rs?type=doc&id=2917170.1 |
MySQL Workbench, versions 8.0.31 and prior | https://support.oracle.com/rs?type=doc&id=2917170.1 |
Oracle Access Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Agile PLM, version 9.3.6 | https://support.oracle.com/rs?type=doc&id=2915508.1 |
Oracle AutoVue, versions prior to 21.0.2.6 | https://support.oracle.com/rs?type=doc&id=2915508.1 |
Oracle Banking Enterprise Default Management, versions 2.6.2, 2.7.0, 2.7.1, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2917336.1 |
Oracle Banking Loans Servicing, versions 2.8.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2917336.1 |
Oracle Banking Party Management, version 2.7.0 | https://support.oracle.com/rs?type=doc&id=2917336.1 |
Oracle Banking Platform, versions 2.6.2, 2.7.1, 2.9.0, 2.12.0 | https://support.oracle.com/rs?type=doc&id=2917336.1 |
Oracle BI Publisher, versions 5.9.0.0.0, 6.4.0.0.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917214.2 |
Oracle Business Intelligence Enterprise Edition, versions 5.9.0.0.0, 6.4.0.0.0 | https://support.oracle.com/rs?type=doc&id=2917214.2 |
Oracle Coherence, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Commerce Guided Search, version 11.3.2 | https://support.oracle.com/rs?type=doc&id=2916255.1 |
Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2916540.1 |
Oracle Communications BRM – Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2916540.1 |
Oracle Communications Calendar Server, version 8.0.0.6.0 | https://support.oracle.com/rs?type=doc&id=2916529.1 |
Oracle Communications Cloud Native Core Automated Test Suite, versions 22.2.2, 22.3.1, 22.4.0 | https://support.oracle.com/rs?type=doc&id=2919015.1 |
Oracle Communications Cloud Native Core Binding Support Function, versions 22.1.0, 22.1.1, 22.2.0, 22.2.1, 22.2.2, 22.2.4, 22.3.0-22.4.0 | https://support.oracle.com/rs?type=doc&id=2919016.1 |
Oracle Communications Cloud Native Core Console, versions 22.3.0, 22.4.0 | https://support.oracle.com/rs?type=doc&id=2919017.1 |
Oracle Communications Cloud Native Core Network Data Analytics Function, version 22.0.0.0.0 | https://support.oracle.com/rs?type=doc&id=2920604.1 |
Oracle Communications Cloud Native Core Network Exposure Function, versions 22.3.1, 22.4.0 | https://support.oracle.com/rs?type=doc&id=2919018.1 |
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, version 22.3.0 | https://support.oracle.com/rs?type=doc&id=2919019.1 |
Oracle Communications Cloud Native Core Network Repository Function, versions 22.3.0, 22.3.2 | https://support.oracle.com/rs?type=doc&id=2919001.1 |
Oracle Communications Cloud Native Core Network Slice Selection Function, versions 22.3.1, 22.4.1 | https://support.oracle.com/rs?type=doc&id=2919002.1 |
Oracle Communications Cloud Native Core Policy, versions 1.11.0, 22.3.0, 22.4.0 | https://support.oracle.com/rs?type=doc&id=2919044.1 |
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 22.3.1, 22.4.0 | https://support.oracle.com/rs?type=doc&id=2919045.1 |
Oracle Communications Cloud Native Core Unified Data Repository, versions 22.2.2, 22.2.3, 22.3.3, 22.3.4, 22.4.0 | https://support.oracle.com/rs?type=doc&id=2919035.1 |
Oracle Communications Contacts Server, version 8.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2916529.1 |
Oracle Communications Converged Application Server, versions 7.1.0, 8.0.0 | https://support.oracle.com/rs?type=doc&id=2919079.1 |
Oracle Communications Convergence, version 3.0.3.1.0 | https://support.oracle.com/rs?type=doc&id=2916529.1 |
Oracle Communications Design Studio, version 7.4.2 | https://support.oracle.com/rs?type=doc&id=2918168.1 |
Oracle Communications Diameter Intelligence Hub, version 8.2.3.0 | https://support.oracle.com/rs?type=doc&id=2919022.1 |
Oracle Communications Diameter Signaling Router, version 8.6.0.0 | https://support.oracle.com/rs?type=doc&id=2919053.1 |
Oracle Communications Elastic Charging Engine, versions 12.0.0.3.0-12.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2916540.1 |
Oracle Communications Instant Messaging Server, version 10.0.1.6.0 | https://support.oracle.com/rs?type=doc&id=2916529.1 |
Oracle Communications Messaging Server, version 8.1.0.20.0 | https://support.oracle.com/rs?type=doc&id=2916529.1 |
Oracle Communications MetaSolv Solution, version 6.3.1 | https://support.oracle.com/rs?type=doc&id=2916548.1 |
Oracle Communications Order and Service Management, version 7.4.0 | https://support.oracle.com/rs?type=doc&id=2916532.1 |
Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.4.1 | https://support.oracle.com/rs?type=doc&id=2920603.1 |
Oracle Communications Pricing Design Center, versions 12.0.0.5.0-12.0.0.7.0 | https://support.oracle.com/rs?type=doc&id=2916540.1 |
Oracle Communications Unified Assurance, versions 5.5.0-5.5.9, 6.0.0-6.0.1 | https://support.oracle.com/rs?type=doc&id=2916530.1 |
Oracle Communications Unified Inventory Management, versions 7.4.0-7.4.2, 7.5.0 | https://support.oracle.com/rs?type=doc&id=2916531.1 |
Oracle Database Server, versions 19c, 21c, [Perl] prior to 5.35 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle Demantra Demand Management, versions 12.1, 12.2, 12.2.7, 12.2.8, 12.2.9, 12.2.10, 12.2.11, 12.2.12 | https://support.oracle.com/rs?type=doc&id=2915508.1 |
Oracle Documaker, versions 12.4.0-12.7.0 | https://support.oracle.com/rs?type=doc&id=2918819.1 |
Oracle E-Business Suite, versions 12.2.3-12.2.12 | https://support.oracle.com/rs?type=doc&id=2484000.1 |
Oracle Essbase, version 21.4 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle Financial Services Crime and Compliance Management Studio, version 8.0.8.3.1 | https://support.oracle.com/rs?type=doc&id=2917625.1 |
Oracle Fusion Middleware MapViewer, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Global Lifecycle Management NextGen OUI Framework, versions prior to 13.9.4.2.11 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Global Lifecycle Management OPatchAuto, versions [DB] prior to 12.2.0.1.35 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle GraalVM Enterprise Edition, versions 20.3.8, 21.3.4, 22.3.0 | https://support.oracle.com/rs?type=doc&id=2917310.1 |
Oracle Graph Server and Client, versions prior to 21.4.3, prior to 22.4.0, prior to 23.1.0 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle Health Sciences Empirica Signal, versions 9.1.0.52, 9.2.0.52 | https://support.oracle.com/rs?type=doc&id=2916626.1 |
Oracle Healthcare Data Repository, versions 8.1.0.0-8.1.3.1 | https://support.oracle.com/rs?type=doc&id=2916773.1 |
Oracle Healthcare Translational Research, versions 4.1.0.0-4.1.1.1 | https://support.oracle.com/rs?type=doc&id=2916773.1 |
Oracle Hospitality Cruise Shipboard Property Management System, version 20.2.2 | https://support.oracle.com/rs?type=doc&id=2917992.1 |
Oracle Hospitality Gift and Loyalty, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2913273.1 |
Oracle Hospitality Labor Management, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2913273.1 |
Oracle Hospitality Reporting and Analytics, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2913273.1 |
Oracle Hospitality Simphony, versions 18.2.11, 19.3.4 | https://support.oracle.com/rs?type=doc&id=2913296.1 |
Oracle HTTP Server, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Hyperion Infrastructure Technology, version 11.2.10 | https://support.oracle.com/rs?type=doc&id=2775466.2 |
Oracle Java SE, versions 8u351, 8u351-perf, 11.0.17, 17.0.5, 19.0.1 | https://support.oracle.com/rs?type=doc&id=2917310.1 |
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Outside In Technology, version 8.5.6 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle Retail Service Backbone, versions 14.1.3.2, 15.0.3.1, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2915671.1 |
Oracle SD-WAN Aware, versions 8.2.1.9.0, 9.0.1.4.0 | https://support.oracle.com/rs?type=doc&id=2920552.1 |
Oracle Solaris, versions 10, 11 | https://support.oracle.com/rs?type=doc&id=2920776.1 |
Oracle Spatial Studio, versions prior to 22.3.0 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle Stream Analytics, versions prior to 19.1.0.0.8 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle TimesTen In-Memory Database, versions prior to 11.2.2.8.65 | https://support.oracle.com/rs?type=doc&id=2906899.1 |
Oracle Utilities Framework, versions 4.3.0.5.0, 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0 | https://support.oracle.com/rs?type=doc&id=2915778.1 |
Oracle Utilities Network Management System, versions 2.3.0.2, 2.4.0.1, 2.5.0.0-2.5.0.2 | https://support.oracle.com/rs?type=doc&id=2915778.1 |
Oracle VM VirtualBox, versions prior to 6.1.42, prior to 7.0.6 | https://support.oracle.com/rs?type=doc&id=2919776.1 |
Oracle Web Services Manager, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle WebCenter Content, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle WebCenter Sites, version 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
Oracle WebLogic Server, versions 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2917213.2 |
OSS Support Tools, versions 2.12.43, 22.2.22.4.5, 22.4.22.10.18 | https://support.oracle.com/rs?type=doc&id=2919775.1 |
PeopleSoft Enterprise CC Common Application Objects, version 9.2 | https://support.oracle.com/rs?type=doc&id=2915481.1 |
PeopleSoft Enterprise CS Academic Advisement, version 9.2 | https://support.oracle.com/rs?type=doc&id=2915481.1 |
PeopleSoft Enterprise PeopleTools, versions 8.58, 8.59, 8.60 | https://support.oracle.com/rs?type=doc&id=2915481.1 |
Primavera Gateway, versions 18.8.0-18.8.15, 19.12.0-19.12.15, 20.12.0-20.12.10, 21.12.0-21.12.8 | https://support.oracle.com/rs?type=doc&id=2917469.1 |
Primavera Unifier, versions 18.8, 19.12, 20.12, 21.12, 22.12 | https://support.oracle.com/rs?type=doc&id=2917469.1 |
Siebel Applications, versions 22.10 and prior | https://support.oracle.com/rs?type=doc&id=2915482.1 |
Disclaimer
This security advisory is intended only to describe potential security issues; NSFOCUS provides no guarantee or commitment regarding it. Any direct or indirect consequences or losses caused by distributing or using the information in this advisory are the sole responsibility of the user; NSFOCUS and the advisory's authors accept no liability for them.
NSFOCUS reserves the right to modify and interpret this advisory. Anyone who reproduces or distributes it must preserve it in full, including the copyright notice. Without NSFOCUS's permission, its content may not be modified, added to or abridged, nor used for commercial purposes in any way.