Oracle has released 219 new security patches as a part of the quarterly update cycle. 142 vulnerabilities are remotely exploitable without user credentials.

Oracle MySQL received 34 security patches. 9 vulnerabilities allow an attacker to exploit the underlying flaws over the network without any form of authentication. CVE-2019-8457 is considered to be the most critical of them all. CVE-2019-8457 affects the ‘SQLite‘ componenet of MySQL Workbench. Successful exploitation of this vulnerability can lead to a takeover of MySQL Workbench.

Oracle Java SE received 20 security patches. All the 20 vulnerabilities allow remote exploitation over multiple protocols without any form of authentication. These vulnerabilities though are remotely exploitable have not been rated critical due to high Attack Complexity. CVE-2019-2949 and CVE-2019-2989 have been rated highest in the list.

CVE-2019-2949 affects the ‘Kerberos’ component of Java SE and Java SE Embedded. Successful exploitation of this vulnerability gives an unauthorized attacker complete access to critical Java SE and Java SE Embedded accessible data. CVE-2019-2989 affects the ‘Networking’ component of Java SE and Java SE Embedded. Successful exploitation of this vulnerability allows an unauthorized attacker to create, delete or modify access to critical data or all Java SE, Java SE Embedded accessible data.

Oracle VM VirtualBox received 11 security patches. None of the vulnerabilities can be exploited remotely without authentication. CVE-2019-3028 and CVE-2019-3017 are rated high and affect the ‘Core‘ component of Oracle VM VirtualBox. Successful exploitation can lead to a takeover of Oracle VM VirtualBox and impact certain other products too.

The other products which also received security updates are: Oracle Database Server, Oracle NoSQL, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction and Engineering, Financial Services, Health Sciences, Hospitality, Food & Beverage, Retail), Oracle Support Tools, Oracle Graal VM, and Oracle Sun Systems Products Suite. We strongly recommend that these security updates be installed at the earliest.


Oracle Critical Patch Update October 2019 Summary

Oracle MySQL
Products : MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench

Affected Components : Client programs, Connector/ODBC, Connector/ODBC (OpenSSL), Information Schema, InnoDB, Monitoring: General (Apache Tomcat), MySQL Workbench (SQLite), Server: C API, Server: Compiling (cURL), Server: Connection, Server: DDL, Server: Optimizer, Server: PS, Server: Parser, Server: Replication, Server: Security: Encryption, Workbench: Security: Encryption (OpenSSL)
CVEs : CVE-2019-10072, CVE-2019-1543, CVE-2019-1549, CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2920, CVE-2019-2922, CVE-2019-2923, CVE-2019-2924, CVE-2019-2938, CVE-2019-2946, CVE-2019-2948, CVE-2019-2950, CVE-2019-2957, CVE-2019-2960, CVE-2019-2963, CVE-2019-2966, CVE-2019-2967, CVE-2019-2968, CVE-2019-2969, CVE-2019-2974, CVE-2019-2982, CVE-2019-2991, CVE-2019-2993, CVE-2019-2997, CVE-2019-2998, CVE-2019-3003, CVE-2019-3004, CVE-2019-3009, CVE-2019-3011, CVE-2019-3018, CVE-2019-5443, CVE-2019-8457


Oracle Java SE
Products : Java SE, Java SE Embedded

Affected Components : 2D, Concurrency, Deployment, Hotspot, JAXP, JavaFX (libxslt), Javadoc, Kerberos, Libraries, Networking, Scripting, Security, Serialization
CVEs : CVE-2019-11068, CVE-2019-2894, CVE-2019-2933, CVE-2019-2945, CVE-2019-2949, CVE-2019-2958, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2996, CVE-2019-2999


Oracle Virtualization
Products : Oracle VM VirtualBox

Affected Components : Core, Core (OpenSSL)
CVEs : CVE-2019-1547, CVE-2019-2926, CVE-2019-2944, CVE-2019-2984, CVE-2019-3002, CVE-2019-3005, CVE-2019-3017, CVE-2019-3021, CVE-2019-3026, CVE-2019-3028, CVE-2019-3031


Oracle Database Server
Affected Components : Core RDBMS, Core RDBMS (jackson-databind), Java VM, WLM (Apache Tomcat)
CVEs : CVE-2019-2909, CVE-2019-2956, CVE-2019-2913, CVE-2019-2939, CVE-2018-2875, CVE-2019-2734, CVE-2018-11784, CVE-2019-2954, CVE-2019-2955, CVE-2019-2940


Oracle NoSQL Database
Products : Oracle NoSQL Database
Affected Components : NoSQL (jackson-databind)
CVEs : CVE-2018-14721


Oracle Construction and Engineering
Products : Instantis EnterpriseTrack, Primavera Gateway, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier
Affected Components : Admin (Apache POI), Admin (jackson-databind), Core (Apache POI), Core (Apache Tomcat), Core (jQuery), Core (jackson-databind), Generic (Apache Axis), Generic (Apache HTTP Server), Generic (Apache POI), Generic (Apache Tomcat), Web Access, Web Access (Apache POI)
CVEs : CVE-2017-6056, CVE-2019-14379, CVE-2019-14379, CVE-2019-3020, CVE-2019-0232, CVE-2019-0211, CVE-2019-0227, CVE-2017-12626, CVE-2017-12626, CVE-2017-12626, CVE-2017-12626, CVE-2019-2976, CVE-2019-11358


Oracle E-Business Suite
Products : Oracle Advanced Outbound Telephony, Oracle Application Object Library, Oracle Content Manager, Oracle Field Service, Oracle Installed Base, Oracle Marketing, Oracle Workflow, Oracle iStore
Affected Components : Content, Engineering Change Order, Login Help, Marketing Administration, Order Tracker, User Interface, Wireless, Worklist
CVEs : CVE-2019-2942, CVE-2019-2990, CVE-2019-2994, CVE-2019-2995, CVE-2019-3000, CVE-2019-3022, CVE-2019-3027, CVE-2019-2930, CVE-2019-3024, CVE-2019-2925


Oracle Enterprise Manager
Products : Enterprise Manager Base Platform, Enterprise Manager Ops Center, Enterprise Manager for Exadata, Oracle Application Testing Suite
Affected Components : Agent Next Gen (Eclipse Jetty), Command Line Interface (Jython), Exadata Plug-In Deploy and Ins, Load Testing for Web Apps (jQuery), Networking (cURL), Networking (jQuery), OS Provisioning (Apache HTTP Server)
CVEs : CVE-2016-4000, CVE-2019-5443, CVE-2019-2895, CVE-2019-9517, CVE-2019-11358, CVE-2019-11358, CVE-2019-10247


Oracle Financial Services Applications
Products : Oracle Banking Digital Experience, Oracle Banking Platform, Oracle FLEXCUBE Direct Banking, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Enterprise Financial Performance Analytics, Oracle Financial Services Retail Performance Analytics

Affected Components : Infrastructure (jackson-databind), Loan Calculator, Payments, UI (jQuery), eMail
CVEs : CVE-2019-11358, CVE-2019-14379, CVE-2019-2979, CVE-2019-2980, CVE-2019-3019


Oracle Food and Beverage Applications
Products : Oracle Hospitality Materials Control, Oracle Hospitality RES 3700, Oracle Hospitality Reporting and Analytics
CVEs : CVE-2019-11358, CVE-2019-2934, CVE-2019-2936, CVE-2019-2937, CVE-2019-2947, CVE-2019-2952, CVE-2019-3025


Oracle Fusion Middleware
Products : BI Publisher (formerly XML Publisher), Oracle API Gateway, Oracle Business Intelligence Enterprise Edition, Oracle Data Integrator, Oracle Enterprise Repository, Oracle Forms, Oracle GoldenGate Application Adapters, Oracle JDeveloper and ADF, Oracle Outside In Technology, Oracle SOA Suite, Oracle Service Bus, Oracle Virtual Directory, Oracle Web Services, Oracle WebCenter Portal, Oracle WebLogic Server
Affected Components : 3rd Party (Spring Framework), ADF Faces, ADF Faces (jQuery), Analytics Actions, BI Platform Security, BI Platform Security (JQuery), BI Publisher Security, BPEL Service Engine and Fabric Layer (Apache Commons FileUpload), Console, Console (jQuery), EJB Container, Installation, Mobile Service, OAM, Oracle API Gateway (OpenSSL), Outside In Filters, SOAP with Attachments API for Java, Sample apps, Sample apps (jQuery), Secure Store (OpenSSL), Security Framework (jackson-databind), Security Subsystem – 12c (Apache Camel), Security Subsystem – 12c (Apache POI), Services, Studio, Virtual Directory Server (Apache Commons FileUpload), Web Container (JavaServer Faces), Web Container (jQuery), Web Services, Web Services (jQuery)
CVEs : CVE-2015-9251, CVE-2016-1000031, CVE-2016-7103, CVE-2017-12626, CVE-2018-15756, CVE-2019-0188, CVE-2019-11358, CVE-2019-12086, CVE-2019-1559, CVE-2019-17091, CVE-2019-2886, CVE-2019-2887, CVE-2019-2888, CVE-2019-2889, CVE-2019-2890, CVE-2019-2891, CVE-2019-2897, CVE-2019-2898, CVE-2019-2899, CVE-2019-2900, CVE-2019-2901, CVE-2019-2902, CVE-2019-2903, CVE-2019-2904, CVE-2019-2905, CVE-2019-2906, CVE-2019-2907, CVE-2019-2943, CVE-2019-2970, CVE-2019-2971, CVE-2019-2972, CVE-2019-3012


Oracle GraalVM
Products : Oracle GraalVM Enterprise Edition
Affected Components : Java, JavaScript (Node.js), LLVM Interpreter
CVEs : CVE-2019-2986, CVE-2019-2989, CVE-2019-9511


Oracle Health Sciences Applications
Products : Oracle Healthcare Foundation, Oracle Healthcare Translational Research
Affected Components : Cohort Explorer (jQuery), Security (jQuery)
CVEs : CVE-2019-11358


Oracle Hospitality Applications
Products : Oracle Hospitality Cruise Dining Room Management, Oracle Hospitality Guest Access

Affected Components : Base (Apache Axis), Base (Eclipse Jetty), Web Service

CVEs : CVE-2019-0227, CVE-2019-10247, CVE-2019-2953


Oracle Hyperion
Products : Hyperion Data Relationship Management, Hyperion Enterprise Performance Management Architect, Hyperion Financial Reporting

Affected Components : Access and Security, Security Models, Workspace
CVEs : CVE-2019-2927, CVE-2019-2941, CVE-2019-2959


Oracle JD Edwards
Products : JD Edwards EnterpriseOne Tools

Affected Components : Deployment (Log4j)
CVEs : CVE-2017-5645


Oracle PeopleSoft
Products : PeopleSoft Enterprise HCM Human Resources, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise SCM eProcurement

Affected Components : File Processing (libssh2), Fluid Core, Integration Broker, Integration Broker (Apache Xerces), Performance Monitor, Portal, Portal, Charting (jQuery), Stylesheet, Tree Manager, US Federal Specific, eProcurement
CVEs : CVE-2016-0729, CVE-2019-11358, CVE-2019-2915, CVE-2019-2929, CVE-2019-2931, CVE-2019-2932, CVE-2019-2951, CVE-2019-2985, CVE-2019-3001, CVE-2019-3014, CVE-2019-3015, CVE-2019-3023, CVE-2019-3862


Oracle Policy Automation

Products : Oracle Policy Automation, Oracle Policy Automation Connector for Siebel, Oracle Policy Automation for Mobile Devices

Affected Components : Core (Apache Axis), Core (jQuery), Determinations Engine (jQuery)
CVEs : CVE-2019-0227, CVE-2019-11358


Oracle Retail Applications
Products : CROS Retail XBRi Loss Prevention, MICROS Relate CRM Software, Oracle Retail Customer Insights, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Integration Bus, Oracle Retail Xstore Office, Oracle Retail Xstore Point of Service

Affected Components : Dataloader (jackson-databind), Internal Operations, Internal Operations (Apache Tomcat), Point of Sale, RIB Kernal (Spring Framework), Retail (jackson-databind), Retail Science Engine (jQuery), Segment, Xenvironment (jackson-databind)
CVEs : CVE-2018-15756, CVE-2018-19362, CVE-2018-3300, CVE-2019-0232, CVE-2019-10247, CVE-2019-11358, CVE-2019-12086, CVE-2019-14379, CVE-2019-2872, CVE-2019-2883, CVE-2019-2884, CVE-2019-2896


Oracle Siebel CRM
Products : Siebel Core – DB Deployment and Configuration, Siebel Mobile Applications, Siebel UI Framework

Affected Components : CG Mobile Connected (jQuery), Customizable Prod/Configurator (Apache Tomcat), EAI, Install – Configuration
CVEs : CVE-2018-8037, CVE-2019-11358, CVE-2019-2935, CVE-2019-2965


Oracle Systems
Products : Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, Oracle Solaris

Affected Components : Filesystem, LDAP Library, SMF services & legacy daemons, XCP Firmware (NSS), XCP Firmware (NTP), XCP Firmware (Net SNMP), XCP Firmware (OpenSSH), XCP Firmware (OpenSSL), XCP Firmware (USB Driver), XCP Firmware (cURL), XCP Firmware (glibc), XScreenSaver
CVEs : CVE-2015-5180, CVE-2017-17558, CVE-2018-0732, CVE-2018-1000007, CVE-2018-12404, CVE-2018-18066, CVE-2018-7185, CVE-2019-2765, CVE-2019-2961, CVE-2019-3008, CVE-2019-3010, CVE-2019-6109


Oracle Supply Chain
Products : Agile Recipe Management for Pharmaceuticals, Oracle Agile PLM, Oracle Agile Product Lifecycle Management for Process

Affected Components : Recipe (Apache Groovy), Security (Apache Tomcat), Supplier Portal (jQuery)
CVEs : CVE-2016-6814, CVE-2019-0232, CVE-2019-11358


Oracle Support Tools
Products : Diagnostic Assistant, Oracle Clusterware

Affected Components : Libraries (jQuery), Trace File Analyzer (TFA) Collector (jackson-databind)
CVEs : CVE-2019-11358, CVE-2019-12814


 

Summary
Oracle Critical Updates October 2019
Article Name
Oracle Critical Updates October 2019
Author
Publisher Name
SecPod Technologies
Publisher Logo

Leave a Reply

Your email address will not be published. Required fields are marked *