Oracle Critical Patch Update (CPU) for All Product Lines, October 2019

On October 15, 2019, Oracle released its October 2019 Critical Patch Update (CPU) advisory, which fixes 240 security vulnerabilities of varying severity.

Overview

On October 15, 2019, Oracle released its October 2019 Critical Patch Update (CPU) advisory, which fixes 240 security vulnerabilities of varying severity. Of these, 161 can be exploited remotely by an attacker without authentication. The update covers Oracle Database Server, Oracle WebLogic Server, Oracle Java SE, Oracle MySQL and many other products. Oracle strongly recommends that customers apply the Critical Patch Update fixes as soon as possible.

Reference:

https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html

Summary of Fixed Vulnerabilities

Among the vulnerabilities fixed in this Critical Patch Update (CPU), 156 carry a CVSS score of 9.8, affecting Oracle Enterprise Manager Products Suite, Oracle Fusion Middleware, Oracle Knowledge, Oracle MySQL and other products.

WebLogic Server has several high-severity vulnerabilities. CVE-2019-2887 and CVE-2019-2890 allow a network attacker to attack vulnerable WebLogic components over the T3 protocol; CVE-2019-2887 is exploitable without authentication, while CVE-2019-2890 requires a valid WebLogic account according to Oracle's risk matrix. Disabling T3 is an effective interim mitigation; the procedure is described at https://mp.weixin.qq.com/s/YWTSyEVunQUordwxThrGwA. CVE-2019-2891 allows an attacker to attack WebLogic Server with crafted HTTP requests. The following WebLogic Server vulnerabilities also deserve attention: CVE-2019-2888, CVE-2019-2889, CVE-2015-9251, CVE-2019-11358 and CVE-2019-17091 (the last three are in third-party components shipped with WebLogic: jQuery for CVE-2015-9251 and CVE-2019-11358, Eclipse Mojarra for CVE-2019-17091).
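A check for the T3 mitigation above, added here as an example; it is not part of the NSFOCUS advisory or of Oracle's documentation. WebLogic multiplexes T3 and HTTP on the same listen port, so "T3 disabled" normally means a connection filter rule (for example 0.0.0.0/0 * * deny t3 t3s under weblogic.security.net.ConnectionFilterImpl) rather than a closed port, and the only way to confirm the filter works is to attempt the handshake. The script sends the plain-text T3 greeting and parses the HELO: banner that a T3-enabled server answers with. The sample replies are constructed, and the assumption that a filtered connection yields no banner at all (closed stream or timeout) is the author's, not taken from the advisory.

```python
import re
import socket
from dataclasses import dataclass
from typing import Dict, Optional

# Opening greeting a T3 client sends. The values describe the client
# (protocol version it speaks, abbreviation table size, header length,
# max message size); they impose nothing on the target.
T3_HELLO = b"t3 12.2.1\nAS:255\nHL:19\nMS:10000000\n\n"

# First line of a server reply when T3 is enabled: "HELO:<version>.<true|false>"
_HELO_LINE = re.compile(r"^HELO:(\d+(?:\.\d+)*)\.(true|false)$")


@dataclass
class T3Banner:
    version: str        # WebLogic version advertised in the HELO line, e.g. "12.2.1.3"
    flag: bool          # trailing true/false field of the HELO line, kept as-is
    abbrev_size: int    # AS: value
    header_len: int     # HL: value
    max_msg_size: int   # MS: value


def parse_t3_banner(data: bytes) -> Optional[T3Banner]:
    """Return a T3Banner if `data` is a T3 HELO reply, otherwise None.

    An HTTP error page, garbage, or an empty reply (the connection filter
    closed the stream before any banner) all yield None.
    """
    text = data.decode("ascii", errors="replace")
    version: Optional[str] = None
    flag = False
    numeric: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _HELO_LINE.match(line)
        if m:
            version, flag = m.group(1), m.group(2) == "true"
            continue
        key, sep, value = line.partition(":")
        if sep and key in ("AS", "HL", "MS") and value.isdigit():
            numeric[key] = int(value)
    if version is None:
        return None
    return T3Banner(
        version=version,
        flag=flag,
        abbrev_size=numeric.get("AS", 0),
        header_len=numeric.get("HL", 0),
        max_msg_size=numeric.get("MS", 0),
    )


def t3_exposed(reply: bytes) -> bool:
    """True when the reply shows the port still accepts T3 handshakes."""
    return parse_t3_banner(reply) is not None


def probe_t3(host: str, port: int = 7001, timeout: float = 5.0) -> bytes:
    """Send the T3 greeting to host:port and return whatever comes back.

    Network I/O; run it only against systems you are authorized to test.
    A refused/closed connection or a timeout with no data returns b"".
    """
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(T3_HELLO)
            while b"\n\n" not in b"".join(chunks):
                chunk = sock.recv(1024)
                if not chunk:
                    break
                chunks.append(chunk)
    except OSError:
        pass
    return b"".join(chunks)


# Constructed sample replies for offline use (not captured from any real host).
SAMPLE_T3_ENABLED = b"HELO:12.2.1.3.false\nAS:2048\nHL:19\nMS:10000000\n\n"
SAMPLE_HTTP_ONLY = b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
SAMPLE_FILTERED = b""  # connection filter dropped the stream before any banner


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else None
    reply = probe_t3(target) if target else SAMPLE_T3_ENABLED
    banner = parse_t3_banner(reply)
    if banner:
        print(f"T3 still reachable: WebLogic {banner.version} "
              f"(AS={banner.abbrev_size}, HL={banner.header_len})")
    else:
        print("No T3 banner: protocol filtered, disabled, or not WebLogic")
```

Run it against the admin server port and every managed server listen port after the filter is applied; a printed banner means the mitigation is not effective on that port. The plain-text probe covers t3 only; checking t3s would require wrapping the socket in TLS, which this example omits.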

The vulnerabilities in Oracle's October Critical Patch Update are summarized below:

Product                                    Vulnerabilities  Remotely exploitable without auth  Highest CVSS score
Oracle Database Server                     10               2                                  6.8
Oracle NoSQL Database                      1                1                                  10.0
Oracle Construction and Engineering Suite  13               11                                 9.8
Oracle E-Business Suite                    10               10                                 8.2
Oracle Enterprise Manager Products Suite   7                5                                  9.8
Oracle Financial Services Applications     7                4                                  9.8
Oracle Food and Beverage Applications      7                3                                  9.0
Oracle Fusion Middleware                   37               31                                 9.8
Oracle Health Sciences Applications        2                2                                  6.1
Oracle Hospitality Applications            3                2                                  7.5
Oracle Hyperion                            3                0                                  6.4
Oracle Java SE                             20               20                                 6.8
Oracle GraalVM                             3                2                                  7.7
Oracle JD Edwards Products                 1                1                                  9.8
Oracle Knowledge                           17               16                                 9.8
Oracle MySQL                               34               9                                  9.8
Oracle PeopleSoft Products                 13               10                                 9.8
Oracle Policy Automation                   4                4                                  7.5
Oracle Retail Applications                 12               9                                  9.8
Oracle Siebel CRM                          4                4                                  7.5
Oracle Sun Systems Products Suite          12               7                                  9.8
Oracle Supply Chain Products               3                3                                  9.8
Oracle Support Tools                       2                2                                  6.1
Oracle Virtualization                      15               3                                  8.8
Total                                      240              161

Mitigation

Users should consult the appendix "Affected Products and Patch Information" to download the patches for affected products promptly, and install them following the readme file in each patch package, to ensure lasting protection.

Note: Oracle patches require a support account tied to a valid software license; after logging in to https://support.oracle.com with that account, the latest patches can be downloaded.

Appendix: Affected Products and Patch Information

Affected product and versions    Available patch
Agile Recipe Management for Pharmaceuticals, versions 9.3.3, 9.3.4 https://support.oracle.com/rs?type=doc&id=2585367.1
Diagnostic Assistant, version 2.12.36 https://support.oracle.com/rs?type=doc&id=2594574.1
Enterprise Manager Base Platform, versions 13.2, 13.3 https://support.oracle.com/rs?type=doc&id=2568292.1
Enterprise Manager for Exadata, versions 12.1.0.5.0, 13.2.2.0.0, 13.3.1.0.0, 13.3.2.0.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Enterprise Manager Ops Center, versions 12.3.3, 12.4.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, versions prior to XCP2361, prior to XCP3071 https://support.oracle.com/rs?type=doc&id=2592433.1
Hyperion Data Relationship Management, version 11.1.2.4 https://support.oracle.com/rs?type=doc&id=2568292.1
Hyperion Enterprise Performance Management Architect, version 11.1.2.4 https://support.oracle.com/rs?type=doc&id=2568292.1
Hyperion Financial Reporting, version 11.1.2.4 https://support.oracle.com/rs?type=doc&id=2568292.1
Instantis EnterpriseTrack, versions 17.1, 17.2, 17.3 https://support.oracle.com/rs?type=doc&id=2593049.1
JD Edwards EnterpriseOne Tools, version 4.0.1.0 https://support.oracle.com/rs?type=doc&id=2585367.1
MICROS Relate CRM Software, versions 7.1.0, 11.4, 15.0.0, 16.0.0, 17.0.0, 18.0.0 https://support.oracle.com/rs?type=doc&id=2578292.1
MICROS Retail XBRi Loss Prevention, version 10.8.3 https://support.oracle.com/rs?type=doc&id=2578292.1
MySQL Connectors, versions 5.3.13 and prior, 8.0.17 and prior https://support.oracle.com/rs?type=doc&id=2593658.1
MySQL Enterprise Monitor, versions 8.0.17 and prior https://support.oracle.com/rs?type=doc&id=2593658.1
MySQL Server, versions 5.6.45 and prior, 5.7.27 and prior, 8.0.17 and prior https://support.oracle.com/rs?type=doc&id=2593658.1
MySQL Workbench, versions 8.0.17 and prior https://support.oracle.com/rs?type=doc&id=2593658.1
Oracle Agile PLM, versions 9.3.3-9.3.6 https://support.oracle.com/rs?type=doc&id=2585367.1
Oracle Agile Product Lifecycle Management for Process, versions 6.2.0.0, 6.2.1.0, 6.2.2.0, 6.2.3.0 https://support.oracle.com/rs?type=doc&id=2585367.1
Oracle API Gateway, version 11.1.2.4.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Application Testing Suite, versions 13.2, 13.3 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Banking Digital Experience, versions 18.1, 18.2, 18.3, 19.1 https://support.oracle.com/
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.5.0, 2.6.0, 2.6.1, 2.7.0, 2.7.1 https://support.oracle.com/rs?type=doc&id=2594124.1
Oracle BI Publisher, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Business Intelligence Enterprise Edition, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Clusterware, version 19.0.0.0.0 https://support.oracle.com/rs?type=doc&id=2594574.1
Oracle Data Integrator, version 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18c, 19c https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.9 https://support.oracle.com/rs?type=doc&id=2586423.1
Oracle Enterprise Repository, version 12.1.3.0.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.2-8.0.8 https://support.oracle.com/rs?type=doc&id=2592361.1
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.6, 8.0.7 https://support.oracle.com/rs?type=doc&id=2593398.1
Oracle Financial Services Retail Performance Analytics, versions 8.0.6, 8.0.7 https://support.oracle.com/rs?type=doc&id=2593398.1
Oracle FLEXCUBE Direct Banking, versions 12.0.2, 12.0.3 https://support.oracle.com/
Oracle Forms, version 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle GoldenGate Application Adapters, version 12.3.2.1.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle GraalVM Enterprise Edition, version 19.2.0 https://support.oracle.com/rs?type=doc&id=2591613.1
Oracle Healthcare Foundation, versions 7.1.1, 7.2.2 https://support.oracle.com/rs?type=doc&id=2583502.1
Oracle Healthcare Translational Research, versions 3.1.0, 3.2.1, 3.3.1 https://support.oracle.com/rs?type=doc&id=2583502.1
Oracle Hospitality Cruise Dining Room Management, version 8.0.80 https://support.oracle.com/rs?type=doc&id=2584050.1
Oracle Hospitality Guest Access, versions 4.2.0, 4.2.1 https://support.oracle.com/rs?type=doc&id=2584235.1
Oracle Hospitality Materials Control, version 18.1 https://support.oracle.com/rs?type=doc&id=2592505.1
Oracle Hospitality Reporting and Analytics, version 9.1.0 https://support.oracle.com/rs?type=doc&id=2592453.1
Oracle Hospitality RES 3700, version 5.7 https://support.oracle.com/rs?type=doc&id=2582546.1
Oracle Java SE, versions 7u231, 8u221, 11.0.4, 13 https://support.oracle.com/rs?type=doc&id=2589853.1
Oracle Java SE Embedded, version 8u221 https://support.oracle.com/rs?type=doc&id=2589853.1
Oracle JDeveloper and ADF, versions 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle NoSQL Database, versions prior to 19.3.12 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Outside In Technology, version 8.5.4 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0-12.2.15 https://support.oracle.com/rs?type=doc&id=2593361.1
Oracle Policy Automation Connector for Siebel, version 10.4.6 https://support.oracle.com/rs?type=doc&id=2593361.1
Oracle Policy Automation for Mobile Devices, versions 12.2.0-12.2.15 https://support.oracle.com/rs?type=doc&id=2593361.1
Oracle Retail Customer Insights, versions 15.0, 16.0 https://support.oracle.com/rs?type=doc&id=2578292.1
Oracle Retail Customer Management and Segmentation Foundation, version 17.0 https://support.oracle.com/rs?type=doc&id=2578292.1
Oracle Retail Integration Bus, versions 15.0, 16.0 https://support.oracle.com/rs?type=doc&id=2578292.1
Oracle Retail Xstore Office, version 7.1 https://support.oracle.com/rs?type=doc&id=2578292.1
Oracle Retail Xstore Point of Service, versions 7.1, 15.0, 16.0, 17.0, 17.0.3, 18.0, 18.0.1, 19.0.0 https://support.oracle.com/rs?type=doc&id=2578292.1
Oracle Service Bus, versions 11.1.1.9.0, 12.1.3.0.0, 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle SOA Suite, version 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle Solaris, versions 10, 11 https://support.oracle.com/rs?type=doc&id=2592433.1
Oracle Virtual Directory, version 11.1.1.9.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle VM VirtualBox, versions prior to 5.2.34, prior to 6.0.14 https://support.oracle.com/rs?type=doc&id=2592169.1
Oracle Web Services, version 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle WebCenter Portal, version 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0 https://support.oracle.com/rs?type=doc&id=2568292.1
PeopleSoft Enterprise HCM Human Resources, version 9.2 https://support.oracle.com/rs?type=doc&id=2585367.1
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57 https://support.oracle.com/rs?type=doc&id=2585367.1
PeopleSoft Enterprise SCM eProcurement, version 9.2 https://support.oracle.com/rs?type=doc&id=2585367.1
Primavera Gateway, versions 15.2, 16.2, 17.12, 18.8 https://support.oracle.com/rs?type=doc&id=2593049.1
Primavera P6 Enterprise Project Portfolio Management, versions 15.1.0-15.2.18, 16.1.0-16.2.18, 17.1.0-17.12.14, 18.1.0-18.8.13 https://support.oracle.com/rs?type=doc&id=2593049.1
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8 https://support.oracle.com/rs?type=doc&id=2593049.1
Siebel Applications, versions 19.8 and prior https://support.oracle.com/rs?type=doc&id=2585367.1

Disclaimer

This security advisory is provided solely to describe security issues that may exist. NSFOCUS makes no warranty or commitment of any kind regarding it. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this advisory are the sole responsibility of the user; neither NSFOCUS nor the authors of this advisory accept any liability for them.

NSFOCUS reserves the right to modify and interpret this security advisory. Anyone reproducing or distributing it must preserve it in full, including the copyright notice and all other content. Without NSFOCUS's permission, the contents of this advisory may not be altered, extended or abridged in any way, nor used for commercial purposes in any form.

About NSFOCUS

NSFOCUS Information Technology Co., Ltd. (北京神州绿盟信息安全科技股份有限公司, hereafter NSFOCUS) was founded in April 2000 and is headquartered in Beijing. With more than 30 branches in China and abroad, it provides competitive security products and solutions to customers in government, telecommunications, finance, energy, Internet, education, healthcare and other sectors, helping them keep their business running securely and smoothly.

Drawing on years of offensive and defensive security research, NSFOCUS provides intrusion detection/prevention, anti-DDoS, remote security assessment and web application protection products, together with professional security services, in the areas of network and endpoint security, Internet infrastructure security, and compliance and security management.

NSFOCUS has been listed on the ChiNext board of the Shenzhen Stock Exchange since January 29, 2014, under the stock short name 绿盟科技 and stock code 300369.
