Oracle's critical security updates for Q1 2017

Published: 18.01.2017

The most critical vulnerabilities allow remote code execution and do not require authentication.

Oracle has released its scheduled "Critical Patch Update" for the first quarter of 2017 [1]. A total of 270 vulnerabilities were fixed in this update.

Affected products include:

  • Oracle Database Server
  • Enterprise Manager Grid Control
  • E-Business Suite
  • Industry Applications
  • Fusion Middleware
  • Sun Products
  • Java SE
  • MySQL

See the full list further down.

Those who have a support agreement with Oracle can read more about the vulnerabilities at Oracle Support [2].

NorCERT is not aware of any active exploitation of the vulnerabilities, but based on their scope and severity we recommend updating systems as soon as possible.

  [1] http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html
  [2] https://support.oracle.com/rs?type=doc&id=2194543.1

Affected versions

  • Oracle Database Server (11.2.0.4, 12.1.0.2)
  • Oracle Secure Backup (prior to 12.1.0.3)
  • Spatial (prior to 1.2)
  • Oracle Fusion Middleware (11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1)
  • Oracle GlassFish Server (2.1.1, 3.0.1, 3.1.2)
  • Oracle JDeveloper (11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0)
  • Oracle Outside In Technology (8.5.2, 8.5.3)
  • Oracle Tuxedo (12.1.1)
  • Oracle WebLogic Server (10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1)
  • Application Testing Suite (12.4.0.2, 12.5.0.2, 12.5.0.3)
  • Enterprise Manager Base Platform (12.1.0.5, 13.1, 13.2)
  • Enterprise Manager Ops Center (12.1.4, 12.2.2, 12.3.2)
  • Oracle E-Business Suite (12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6)
  • Oracle Transportation Management (6.1, 6.2)
  • PeopleSoft Enterprise HCM ePerformance (9.2)
  • PeopleSoft Enterprise PeopleTools (8.54, 8.55)
  • JD Edwards EnterpriseOne Tools (9.2.1.1)
  • Siebel Applications (16.1)
  • Oracle Commerce Platform (10.0.3.5, 10.2.0.5, 11.2.0.2)
  • Oracle Fusion Applications (11.1.2 through 11.1.9)
  • Oracle Communications Indexing and Search Service (prior to 1.0.5.28.0)
  • Oracle Communications Network Charging and Control (4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0)
  • Oracle Communications Network Intelligence (7.3.0.0)
  • Oracle FLEXCUBE Core Banking (5.1.0, 5.2.0, 11.5.0)
  • Oracle FLEXCUBE Direct Banking (12.0.0, 12.0.1, 12.0.2, 12.0.3)
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management (12.0.0, 12.0.2)
  • Oracle FLEXCUBE Investor Servicing (12.0.1, 12.0.2, 12.0.4, 12.1.0, 12.3.0)
  • Oracle FLEXCUBE Private Banking (2.0.1, 2.2.0, 12.0.1)
  • Oracle FLEXCUBE Universal Banking (11.3.0, 11.4.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0)
  • MICROS Lucas (2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5)
  • Oracle Retail Allocation (12.0, 13.0, 13.1, 13.2, 13.3, 14.0, 14.1)
  • Oracle Retail Assortment Planning (14.1, 15.0)
  • Oracle Retail Order Broker (4.1, 5.1, 5.2, 15.0, 16.0)
  • Oracle Retail Predictive Application Server (13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 15.0)
  • Oracle Retail Price Management (13.1, 13.2, 14.0, 14.1)
  • Primavera P6 Enterprise Project Portfolio Management (8.2, 8.3, 8.4, 15.1, 15.2, 16.1, 16.2)
  • Oracle Java SE (6u131, 7u121, 8u112)
  • Oracle Java SE Embedded (8u111)
  • Oracle JRockit (R28.3.12)
  • Oracle VM Server for Sparc (3.2, 3.4)
  • Solaris (11.3)
  • Oracle VM VirtualBox (prior to 5.0.32, prior to 5.1.14)
  • MySQL Cluster (7.2.26 and prior, 7.3.14 and prior, 7.4.12 and prior)
  • MySQL Enterprise Monitor (3.1.3.7856 and prior, 3.1.4.7895 and prior, 3.1.5.7958 and prior, 3.2.1.1049 and prior, 3.2.4.1102 and prior, 3.3.0.1098 and prior)
  • MySQL Server (5.5.53 and prior, 5.6.34 and prior, 5.7.16 and prior)

CVE references

CVE-2017-3310, CVE-2017-3240, CVE-2016-1903, CVE-2015-1791,
CVE-2015-1788, CVE-2015-1789, CVE-2015-1790, CVE-2015-1792,
CVE-2015-3253, CVE-2016-6303, CVE-2017-3248, CVE-2016-5528,
CVE-2015-7501, CVE-2017-3266, CVE-2017-3267, CVE-2017-3268,
CVE-2017-3269, CVE-2017-3270, CVE-2017-3271, CVE-2017-3293,
CVE-2017-3294, CVE-2017-3295, CVE-2017-3250, CVE-2017-3249,
CVE-2017-3255, CVE-2017-3247, CVE-2017-3239, CVE-2016-7052,
CVE-2016-5019, CVE-2016-5019, CVE-2016-6304, CVE-2015-3237,
CVE-2015-7940, CVE-2015-5505, CVE-2016-0734, CVE-2017-3311,
CVE-2016-3607, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179,
CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183,
CVE-2016-6302, CVE-2016-6303, CVE-2016-6305, CVE-2016-6306,
CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052,
CVE-2016-8325, CVE-2017-3373, CVE-2017-3418, CVE-2017-3327,
CVE-2017-3328, CVE-2017-3326, CVE-2017-3443, CVE-2017-3359,
CVE-2017-3440, CVE-2017-3274, CVE-2017-3275, CVE-2017-3284,
CVE-2017-3361, CVE-2017-3372, CVE-2017-3362, CVE-2017-3279,
CVE-2017-3333, CVE-2017-3278, CVE-2017-3421, CVE-2017-3285,
CVE-2017-3415, CVE-2017-3303, CVE-2017-3368, CVE-2017-3287,
CVE-2017-3369, CVE-2017-3246, CVE-2017-3286, CVE-2017-3277,
CVE-2017-3280, CVE-2017-3282, CVE-2017-3283, CVE-2017-3334,
CVE-2017-3335, CVE-2017-3336, CVE-2017-3338, CVE-2017-3339,
CVE-2017-3340, CVE-2017-3341, CVE-2017-3343, CVE-2017-3344,
CVE-2017-3346, CVE-2017-3348, CVE-2017-3349, CVE-2017-3350,
CVE-2017-3351, CVE-2017-3352, CVE-2017-3353, CVE-2017-3354,
CVE-2017-3357, CVE-2017-3358, CVE-2017-3360, CVE-2017-3363,
CVE-2017-3364, CVE-2017-3365, CVE-2017-3366, CVE-2017-3367,
CVE-2017-3370, CVE-2017-3371, CVE-2017-3374, CVE-2017-3375,
CVE-2017-3376, CVE-2017-3377, CVE-2017-3378, CVE-2017-3379,
CVE-2017-3380, CVE-2017-3381, CVE-2017-3382, CVE-2017-3383,
CVE-2017-3384, CVE-2017-3385, CVE-2017-3386, CVE-2017-3387,
CVE-2017-3388, CVE-2017-3389, CVE-2017-3390, CVE-2017-3391,
CVE-2017-3392, CVE-2017-3394, CVE-2017-3395, CVE-2017-3396,
CVE-2017-3397, CVE-2017-3398, CVE-2017-3399, CVE-2017-3400,
CVE-2017-3401, CVE-2017-3402, CVE-2017-3403, CVE-2017-3404,
CVE-2017-3405, CVE-2017-3406, CVE-2017-3407, CVE-2017-3408,
CVE-2017-3409, CVE-2017-3410, CVE-2017-3411, CVE-2017-3412,
CVE-2017-3413, CVE-2017-3414, CVE-2017-3416, CVE-2017-3417,
CVE-2017-3419, CVE-2017-3420, CVE-2017-3422, CVE-2017-3423,
CVE-2017-3424, CVE-2017-3425, CVE-2017-3426, CVE-2017-3427,
CVE-2017-3428, CVE-2017-3429, CVE-2017-3430, CVE-2017-3431,
CVE-2017-3433, CVE-2017-3435, CVE-2017-3436, CVE-2017-3437,
CVE-2017-3438, CVE-2017-3439, CVE-2017-3441, CVE-2017-3442,
CVE-2016-6303, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179,
CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183,
CVE-2016-6302, CVE-2016-6304, CVE-2016-6305, CVE-2016-6306,
CVE-2016-6307, CVE-2016-6308, CVE-2016-6309, CVE-2016-7052,
CVE-2016-6303, CVE-2016-8329, CVE-2017-3300, CVE-2017-3298,
CVE-2017-3299, CVE-2017-3292, CVE-2017-3315, CVE-2016-2177,
CVE-2016-2178, CVE-2016-2179, CVE-2016-2180, CVE-2016-2181,
CVE-2016-2182, CVE-2016-2183, CVE-2016-6302, CVE-2016-6304,
CVE-2016-6305, CVE-2016-6306, CVE-2016-6307, CVE-2016-6308,
CVE-2016-6309, CVE-2016-7052, CVE-2016-6303, CVE-2016-2107,
CVE-2016-2177, CVE-2016-2178, CVE-2016-2179, CVE-2016-2180,
CVE-2016-2181, CVE-2016-2182, CVE-2016-2183, CVE-2016-6302,
CVE-2016-6304, CVE-2016-6305, CVE-2016-6306, CVE-2016-6307,
CVE-2016-6308, CVE-2016-6309, CVE-2016-7052, CVE-2017-3325,
CVE-2017-3330, CVE-2017-3264, CVE-2017-3296, CVE-2016-6303,
CVE-2015-7501, CVE-2016-0635, CVE-2015-7940, CVE-2016-2177,
CVE-2016-2178, CVE-2016-2180, CVE-2016-2182, CVE-2016-2183,
CVE-2016-6304, CVE-2016-6306, CVE-2016-7052, CVE-2016-8300,
CVE-2017-3245, CVE-2017-3236, CVE-2016-8305, CVE-2016-8322,
CVE-2016-8309, CVE-2016-5614, CVE-2016-8308, CVE-2016-5623,
CVE-2016-8301, CVE-2016-8313, CVE-2017-3235, CVE-2016-8314,
CVE-2016-5509, CVE-2015-7501, CVE-2016-0635, CVE-2015-7940,
CVE-2015-0250, CVE-2016-5000, CVE-2017-3324, CVE-2017-3263,
CVE-2016-7052, CVE-2016-1182, CVE-2016-6304, CVE-2017-3289,
CVE-2017-3272, CVE-2017-3241, CVE-2017-3260, CVE-2017-3253,
CVE-2016-5546, CVE-2016-5549, CVE-2016-5548, CVE-2017-3252,
CVE-2017-3262, CVE-2016-5547, CVE-2016-5552, CVE-2017-3231,
CVE-2017-3261, CVE-2017-3259, CVE-2016-8328, CVE-2016-0635,
CVE-2015-7501, CVE-2016-0714, CVE-2016-6304, CVE-2016-5590,
CVE-2016-8318, CVE-2017-3312, CVE-2017-3258, CVE-2017-3273,
CVE-2017-3244, CVE-2017-3257, CVE-2017-3238, CVE-2017-3256,
CVE-2017-3291, CVE-2017-3265, CVE-2017-3251, CVE-2016-5541,
CVE-2017-3313, CVE-2017-3243, CVE-2016-8327, CVE-2017-3317,
CVE-2017-3318, CVE-2017-3321, CVE-2017-3323, CVE-2017-3322,
CVE-2017-3319, CVE-2017-3320, CVE-2015-5351, CVE-2016-0706,
CVE-2016-0763, CVE-2016-2177, CVE-2016-2178, CVE-2016-2179,
CVE-2016-2180, CVE-2016-2181, CVE-2016-2182, CVE-2016-2183,
CVE-2016-6302, CVE-2016-6303, CVE-2016-6306