Oracle Critical Patch Update, July 2018, for all product lines: remote code execution vulnerability CVE-2018-2893

On 17 July 2018 (local time), Oracle released its July 2018 (second-quarter) Critical Patch Update (CPU) advisory, together with its security alerts and third-party security bulletins, fixing 334 vulnerabilities of varying severity. Each product's exposure and the availability of patches are listed in the appendix table.

Vulnerabilities fixed in 25 products

Product | Vulnerabilities fixed | Exploitable remotely without authentication | Highest CVSS score
Oracle Database Server | 3 | 1 | 9.8
Oracle Communications Applications | 14 | 10 | 9.8
Oracle Construction and Engineering Suite | 11 | 6 | 7.4
Oracle E-Business Suite | 14 | 13 | 8.2
Oracle Enterprise Manager Products Suite | 16 | 16 | 9.8
Oracle Financial Services Applications | 56 | 21 | 9.8
Oracle Fusion Middleware | 40 | 36 | 9.8
Oracle Hospitality Applications | 24 | 7 | 8.1
Oracle Hyperion | 2 | 2 | 8.6
Oracle iLearning | 1 | 1 | 8.2
Oracle Insurance Applications | 2 | 2 | 9.8
Oracle Java SE | 8 | 8 | 9.0
Oracle JD Edwards | 10 | 9 | 7.5
Oracle MySQL | 31 | 7 | 9.8
Oracle PeopleSoft Products | 18 | 13 | 9.8
Oracle Policy Automation | 3 | 3 | 9.8
Oracle Retail Applications | 32 | 27 | 9.8
Oracle Siebel CRM | 1 | 1 | 4.3
Oracle Sun Systems Products | 22 | 10 | 9.8
Oracle Supply Chain Products Suite | 8 | 6 | 9.8
Oracle Support Tools | 1 | 1 | 7.5
Oracle Utilities Applications | 4 | 3 | 9.8
Oracle Virtualization | 12 | 2 | 8.6

NSFOCUS (绿盟科技) researchers discovered CVE-2018-2893

This vulnerability was discovered and reported by NSFOCUS researchers. It allows an attacker to execute arbitrary code remotely without authentication. The flaw lies in the RMI mechanism reached over the JRMP protocol and results in arbitrary deserialization: an unauthenticated attacker wraps a payload in the T3 protocol, and when the vulnerable WebLogic component deserializes that payload, arbitrary code runs on the server, giving the attacker full control of the target system.
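The root cause described above is unrestricted deserialization of attacker-supplied objects. The Java program below is an added illustration and is not WebLogic code or part of Oracle's fix: it shows how a JEP 290 ObjectInputFilter (java.io.ObjectInputFilter, available in Java 9 and later) confines an ObjectInputStream to an allowlist of expected classes, so that any other class appearing in the stream is rejected before its readObject() logic can run. The Greeting class, the allowlist pattern and the sample streams are constructed for this example.

```java
import java.io.*;

// Added example (not WebLogic's code): an allowlist-based deserialization filter.
// The filter is consulted for every class descriptor read from the stream; a
// class that is not explicitly permitted is rejected with InvalidClassException.
public class AllowlistDeserialization {

    // The only message type this application expects to read (constructed example).
    public static final class Greeting implements Serializable {
        private static final long serialVersionUID = 1L;
        final String text;
        Greeting(String text) { this.text = text; }
    }

    // Allowlist: the nested Greeting class and java.lang.String (its only field).
    // "!*" rejects every class not matched by an earlier pattern, so the filter
    // fails closed instead of falling back to the JDK's default (accept) behaviour.
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
            "AllowlistDeserialization$Greeting;java.lang.String;!*");

    // Serialize any object to bytes; this stands in for data arriving over a socket.
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // Deserialize with the filter installed before the first readObject() call.
    static Object deserialize(byte[] data) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // 1. The expected type passes the filter.
        Greeting g = (Greeting) deserialize(serialize(new Greeting("hello")));
        System.out.println("accepted: " + g.text);

        // 2. Any other type is refused. A java.util.HashMap stands in here for any
        //    class the application never intended to read from the stream; the
        //    filter rejects it when its class descriptor is read, before any of
        //    its own deserialization code executes.
        try {
            deserialize(serialize(new java.util.HashMap<String, String>()));
            System.out.println("unexpected: HashMap was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac AllowlistDeserialization.java && java AllowlistDeserialization`. Patterns are evaluated left to right, and the trailing `!*` is what makes the filter an allowlist rather than a denylist; a denylist of known gadget classes has to be kept current, whereas an allowlist only needs to name the types the application actually exchanges. For CVE-2018-2893 the fix remains applying the CPU; a filter of this kind is a defense-in-depth measure for code that must deserialize data from untrusted peers.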

Affected versions

WebLogic 10.3.6.0

WebLogic 12.1.3.0

WebLogic 12.2.1.2

WebLogic 12.2.1.3

All of the versions listed above are officially supported by Oracle.

Oracle has fixed this vulnerability in this Critical Patch Update (CPU); affected users are strongly advised to upgrade as soon as possible.

Note: Oracle patches require a support account tied to a licensed copy of the software. Log in with that account at https://support.oracle.com to download the latest patches.

Affected products and versions

For the affected products and versions, see the appendix at the end of this advisory.

Critical Patch Update (CPU)

A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. CPU patches are generally cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Earlier CPU advisories should therefore be reviewed for information about fixes to earlier versions.

Solution

Given the threat posed by a successful attack, Oracle strongly recommends that customers download and install the Critical Patch Update fixes as soon as possible.

Details are available at the following link:

http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html


Appendix

Affected products (with versions) and the corresponding patch availability documents are listed in the table below:

Affected Products and Versions | Patch Availability Document
Agile Recipe Management for Pharmaceuticals, version 9.3.4 | Oracle Supply Chain Products
Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.x | Enterprise Manager
Enterprise Manager for Fusion Middleware, versions 12.1.0.5, 13.2.x | Enterprise Manager
Enterprise Manager for MySQL Database, versions 13.2.2.0.0 and prior | Enterprise Manager
Enterprise Manager for Oracle Database, versions 12.1.0.8, 13.2.2 | Enterprise Manager
Enterprise Manager for Peoplesoft, versions 13.1.1.1, 13.2.1.1 | Enterprise Manager
Enterprise Manager for Virtualization, versions 13.2.2, 13.2.3 | Enterprise Manager
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3 | Enterprise Manager
FMW Platform, versions 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Hardware Management Pack, version 11.3 | Systems
Hyperion Data Relationship Management, version 11.1.2.4.330 | Fusion Middleware
Hyperion Financial Reporting, version 11.1.2 | Fusion Middleware
JD Edwards EnterpriseOne Tools, version 9.2 | JD Edwards
JD Edwards World Security, versions A9.3, A9.3.1, A9.4 | JD Edwards
MICROS 700 Series Tablet, versions Prior to BIOS 0.00.13ORC, Prior to BIOS 0.01.25ORC | MICROS 700 Series Tablet
MICROS Handheld Terminal, versions 2018, Android 4.4.4 Security Patch Bulletin prior to February 1 | MICROS Handheld Terminal
MICROS Kitchen Display Controller, versions Prior to BIOS 0.00.16ORC | MICROS Kitchen Display System Hardware
MICROS Lucas, versions 2.9.5.3, 2.9.5.4, 2.9.5.5, 2.9.5.6 | Retail Applications
MICROS Relate CRM Software, versions 10.8.x, 11.4.x | Retail Applications
MICROS Retail-J, versions 10.2.x, 11.0.x, 12.0.x, 12.1.x, 12.1.1.x, 12.1.2.x, 13.1.x | Retail Applications
MICROS Workstation 6, versions prior to BIOS 1.3.1.0, prior to BIOS 1.5.2.0, prior to BIOS 2.3.1.0 | MICROS Workstation
MICROS XBR, versions 7.0.2, 7.0.4 | Retail Applications
MySQL Client, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior | MySQL
MySQL Connectors, versions 5.3.10 and prior, 8.0.11 and prior | MySQL
MySQL Enterprise Monitor, versions 3.4.7.4297 and prior, 4.0.4.5235 and prior, 8.0.0.8131 and prior | MySQL
MySQL Server, versions 5.5.60 and prior, 5.6.40 and prior, 5.7.22 and prior, 8.0.11 and prior | MySQL
MySQL Workbench, versions 6.3.10 and prior, 8.0.11 and prior | MySQL
Oracle Agile Engineering Data Management, versions 6.1.3, 6.2.0, 6.2.1 | Oracle Supply Chain Products
Oracle Agile PLM, versions 9.3.3, 9.3.4, 9.3.5, 9.3.6 | Oracle Supply Chain Products
Oracle Agile PLM MCAD Connector, versions 3.3, 3.4, 3.5, 3.6 | Oracle Supply Chain Products
Oracle Agile Product Lifecycle Management for Process, version 6.2.0.0 | Oracle Supply Chain Products
Oracle API Gateway, version 11.1.2.4.0 | Fusion Middleware
Oracle Application Testing Suite, version 10.1 | Enterprise Manager
Oracle AutoVue VueLink Integration, versions 21.0.0, 21.0.1 | Oracle Supply Chain Products
Oracle Banking Corporate Lending, versions 12.3.0, 12.4.0, 12.5.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle Banking Payments, versions 12.2.0, 12.3.0, 12.4.0, 12.5.0, 14.1.0 | Oracle Financial Services Applications
Oracle Banking Platform, versions 2.6.0, 2.6.1, 2.6.2 | Oracle Banking Platform
Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle Business Process Management Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle Communications Diameter Signaling Router (DSR), versions 7.x, 8.x | Oracle Communications Diameter Signaling Router
Oracle Communications EAGLE LNP Application Processor, version 10.x | Oracle Communications EAGLE LNP Application Processor
Oracle Communications Interactive Session Recorder, versions 5.x, 6.x | Oracle Communications Interactive Session Recorder
Oracle Communications Messaging Server, version 3.x | Oracle Communications Convergence
Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0 | Oracle Communications Network Charging and Control
Oracle Communications Policy Management, version 12.x | Oracle Communications Policy Management
Oracle Communications Session Border Controller, versions ECz7.x, ECz8.x | Oracle Communications Session Border Controller
Oracle Communications User Data Repository, versions 10.x, 12.x | Oracle Communications User Data Repository
Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1, 18.1, 18.2 | Database
Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7 | E-Business Suite
Oracle Endeca Information Discovery Studio, versions 3.1, 3.2 | Fusion Middleware
Oracle Enterprise Data Quality, version 12.2.1.3.0 | Fusion Middleware
Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0 | Fusion Middleware
Oracle Financial Services Analytical Applications Infrastructure, versions 7.3.3.x, 8.0.x | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Behavior Detection Platform, version 8.0.x | Oracle Financial Services Behavior Detection Platform
Oracle Financial Services Funds Transfer Pricing, versions 6.1.1, 8.0.x | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 8.0.4, 8.0.5 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 8.0.4, 8.0.5 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Profitability Management, versions 6.1.1, 8.0.x | Oracle Financial Services Profitability Management
Oracle Financial Services Revenue Management and Billing, versions 2.3.0.2.0, 2.4.0.0.0, 2.4.0.1.0, 2.5.0.1.0, 2.5.0.2.0, 2.5.0.3.0 | Oracle Financial Services Revenue Management and Billing
Oracle FLEXCUBE Enterprise Limits and Collateral Management, versions 12.3.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Investor Servicing, versions 12.0.4, 12.1.0, 12.3.0, 12.4.0 | Oracle Financial Services Applications
Oracle FLEXCUBE Universal Banking, versions 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.3.0, 12.4.0, 14.0.0, 14.1.0 | Oracle Financial Services Applications
Oracle Fusion Middleware, versions 12.2.1.2, 12.2.1.3 | Fusion Middleware
Oracle Fusion Middleware MapViewer, versions 12.2.1.2, 12.2.1.3 | Fusion Middleware
Oracle Global Lifecycle Management OPatchAuto, version All | Oracle Global Lifecycle Management OPatchAuto
Oracle Hospitality Cruise Fleet Management System, version 9.x | Oracle Hospitality Cruise Fleet Management
Oracle Hospitality Cruise Shipboard Property Management System, version 8.x | Oracle Hospitality Cruise Shipboard Property Management System
Oracle Hospitality Gift and Loyalty, version 9.0.0 | Oracle Hospitality Gift and Loyalty
Oracle Hospitality OPERA 5 Property Services, version 5.5.x | Oracle Hospitality OPERA 5 Property Services
Oracle Hospitality Reporting and Analytics, version 9.0.0 | Oracle Hospitality Reporting and Analytics
Oracle Hospitality Simphony, versions 2.8, 2.9, 2.10 | Oracle Hospitality Simphony
Oracle iLearning, version 6.2 | iLearning
Oracle Insurance Policy Administration, versions 10.0, 10.1, 10.2, 11.0 | Oracle Insurance Applications
Oracle Internet Directory, version 11.1.1.9.0 | Fusion Middleware
Oracle Java SE, versions 6u191, 7u181, 8u172, 10.0.1 | Java SE
Oracle Java SE Embedded, version 8u171 | Java SE
Oracle JDeveloper, versions 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle JRockit, version R28.3.18 | Java SE
Oracle Outside In Technology, version 8.5.3 | Fusion Middleware
Oracle Policy Automation, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 | Oracle Policy Automation
Oracle Policy Automation Connector for Siebel, version 10.4.6 | Oracle Policy Automation
Oracle Policy Automation for Mobile Devices, versions 10.4.7, 12.1.0, 12.1.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7, 12.2.8, 12.2.9, 12.2.10 | Oracle Policy Automation
Oracle Retail Back Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Bulk Data Integration, version 16.0 | Retail Applications
Oracle Retail Central Office, versions 14.0, 14.1 | Retail Applications
Oracle Retail Clearance Optimization Engine, version 14.0.5 | Retail Applications
Oracle Retail Convenience and Fuel POS Software, version 2.1.132 | Retail Applications
Oracle Retail Customer Management and Segmentation Foundation, versions 16.x, 17.x | Retail Applications
Oracle Retail Financial Integration, versions 13.2.x, 14.0.x, 14.1.x, 15.0.x, 16.0.x | Retail Applications
Oracle Retail Integration Bus, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.0 14.1.0, 14.0.x, 14.1.x, 15.0, 15.0.x, 16.0, 16.0.x | Retail Applications
Oracle Retail Order Broker, versions 5.2, 15.0, 16.0 | Retail Applications
Oracle Retail Point-of-Sale, versions 14.0, 14.1 | Retail Applications
Oracle Retail Point-of-Service, versions 14.0, 14.1 | Retail Applications
Oracle Retail Predictive Application Server, version 15.0.3 | Retail Applications
Oracle Retail Returns Management, versions 14.0, 14.1 | Retail Applications
Oracle Retail Service Backbone, versions 14.0.x, 14.1.x, 15.0.x, 16.0.x | Retail Applications
Oracle Retail Service Layer, versions 12.0.x, 13.0.x, 13.1.x, 13.2.x, 14.0.x | Retail Applications
Oracle Secure Global Desktop, versions 5.3, 5.4 | Virtualization
Oracle SOA Suite, versions 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle SuperCluster Specific Software, versions prior to 2.5.0 | Systems
Oracle Transportation Management, versions 6.2, 6.3.7, 6.4.1 | Oracle Supply Chain Products
Oracle Tuxedo, versions 12.1.1, 12.1.3, 12.2.2 | Fusion Middleware
Oracle Utilities Framework, version 4.3.x | Oracle Utilities Applications
Oracle Utilities Network Management System, versions 1.12.x, 2.3.x | Oracle Utilities Applications
Oracle Utilities Work and Asset Management, version 1.9.1.2.12 | Oracle Utilities Applications
Oracle VM VirtualBox, versions prior to 5.2.16 | Virtualization
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0 | Fusion Middleware
Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.2, 12.2.1.3 | Fusion Middleware
OSS Support Tools, versions prior to 18.3 | Support Tools
PeopleSoft Enterprise CS Financial Aid, versions 9.0, 9.2 | PeopleSoft
PeopleSoft Enterprise FIN Install, version 9.2 | PeopleSoft
PeopleSoft Enterprise HCM Human Resources, version 9.2 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.55, 8.56 | PeopleSoft
PeopleSoft HRMS, version 9.2 | PeopleSoft
Primavera P6 Enterprise Project Portfolio Management, versions 8.4, 15.x, 16.x, 17.x | Oracle Construction and Engineering Suite
Primavera Unifier, versions 16.x, 17.x, 18.x | Oracle Construction and Engineering Suite
Siebel Applications, version 18.0 | Siebel
Solaris, versions 10, 11.2, 11.3 | Systems
Solaris Cluster, versions 3.3, 4.3 | Systems
Sun ZFS Storage Appliance Kit (AK), versions prior to 8.7.20 | Systems
Tape Library ACSLS, versions Prior to ACSLS 8.4.0-3 | Systems
