MyCERT Advisories


MyCERT Advisories, Alerts and Summaries for the year 2017

MA-645.012017: MyCERT Advisory – Oracle Releases Security Bulletin for January 2017

Date first published: 26/1/2017


1.0 Introduction
Oracle has released its Critical Patch Update for January 2017 to address 270 vulnerabilities across multiple products.

2.0 Impact
Exploitation of some of these vulnerabilities may allow a remote attacker to take control of an affected system.

3.0 Affected Products
•    Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
•    Oracle Secure Backup, version(s) prior to 12.1.0.3
•    Spatial, version(s) prior to 1.2
•    Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1
•    Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
•    Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
•    Oracle Outside In Technology, version(s) 8.5.2, 8.5.3
•    Oracle Tuxedo, version(s) 12.1.1
•    Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1
•    Application Testing Suite, version(s) 12.4.0.2, 12.5.0.2, 12.5.0.3
•    Enterprise Manager Base Platform, version(s) 12.1.0.5, 13.1, 13.2
•    Enterprise Manager Ops Center, version(s) 12.1.4, 12.2.2, 12.3.2
•    Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
•    Oracle Transportation Management, version(s) 6.1, 6.2
•    PeopleSoft Enterprise HCM ePerformance, version(s) 9.2
•    PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
•    JD Edwards EnterpriseOne Tools, version(s) 9.2
•    Siebel Applications, version(s) 16.1
•    Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.2
•    Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
•    Oracle Communications Indexing and Search Service, version(s) prior to 1.0.5.28.0
•    Oracle Communications Network Charging and Control, version(s) 4.4.1.5, 5.0.0.1, 5.0.0.2, 5.0.1.0, 5.0.2.0
•    Oracle Communications Network Intelligence, version(s) 7.3.0.0
•    Oracle FLEXCUBE Core Banking, version(s) 5.1.0, 5.2.0, 11.5.0
•    Oracle FLEXCUBE Direct Banking, version(s) 12.0.0, 12.0.1, 12.0.2, 12.0.3
•    Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.0.2
•    Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1, 12.0.2, 12.0.4, 12.1.0, 12.3.0
•    Oracle FLEXCUBE Private Banking, version(s) 2.0.1, 2.2.0, 12.0.1
•    Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0
•    MICROS Lucas, version(s) 2.9.1, 2.9.2, 2.9.3, 2.9.4, 2.9.5
•    Oracle Retail Allocation, version(s) 12.0, 13.0, 13.1, 13.2, 13.3, 14.0, 14.1
•    Oracle Retail Assortment Planning, version(s) 14.1, 15.0
•    Oracle Retail Order Broker, version(s) 4.1, 5.1, 5.2, 15.0, 16.0
•    Oracle Retail Predictive Application Server, version(s) 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 15.0
•    Oracle Retail Price Management, version(s) 13.1, 13.2, 14.0, 14.1
•    Primavera P6 Enterprise Project Portfolio Management, version(s) 8.2, 8.3, 8.4, 15.1, 15.2, 16.1, 16.2
•    Oracle Java SE, version(s) 6u131, 7u121, 8u112
•    Oracle Java SE Embedded, version(s) 8u111
•    Oracle JRockit, version(s) R28.3.12
•    Oracle VM Server for Sparc, version(s) 3.2, 3.4
•    Solaris, version(s) 11.3
•    Oracle VM VirtualBox, version(s) prior to 5.0.32, prior to 5.1.14
•    MySQL Cluster, version(s) 7.2.26 and prior, 7.3.14 and prior, 7.4.12 and prior
•    MySQL Enterprise Monitor, version(s) 3.1.3.7856 and prior, 3.1.4.7895 and prior, 3.1.5.7958 and prior, 3.2.1.1049 and prior, 3.2.4.1102 and prior, 3.3.0.1098 and prior
•    MySQL Server, version(s) 5.5.53 and prior, 5.6.34 and prior, 5.7.16 and prior

4.0 Recommendations
Users and administrators are advised to refer to the URL provided below for Oracle’s advisories and links to software patches:
URL: http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html

Generally, MyCERT advises users of this software to keep up to date with the latest security announcements from the vendor and to follow best practices and security policies to determine the necessary updates that should be in place.

For further enquiries, please contact MyCERT through the following channels:
E-mail: cyber999@cybersecurity.my or mycert@mycert.org.my
Phone: 1-300-88-2999 (monitored during business hours)
Fax: +603 89453442
Mobile: +60192665850 (24x7 call incident reporting)
SMS: CYBER999 REPORT EMAIL COMPLAINT to 15888
Business Hours: Mon - Fri 09:00 AM - 18:00 PM MYT
Web: http://www.mycert.org.my
Twitter: http://www.twitter.com/mycert
Facebook: http://www.facebook.com/mycert.org.my
Cyber999 Mobile Apps: iOS Users or Android Users


5.0 References
•    https://www.us-cert.gov/ncas/current-activity/2017/01/18/Oracle-Releases-Security-Bulletin
•    http://www.oracle.com/technetwork/security-advisory/cpujan2017-2881727.html