Oracle Critical Updates October 2019

Oracle has released 219 new security patches as a part of the quarterly update cycle. 142 vulnerabilities are remotely exploitable without user credentials.

Oracle MySQL received 34 security patches. 9 vulnerabilities allow an attacker to exploit the underlying flaws over the network without any form of authentication. CVE-2019-8457 is considered the most critical of them. It affects the ‘SQLite’ component of MySQL Workbench, and successful exploitation can lead to a takeover of MySQL Workbench.

Oracle Java SE received 20 security patches. All 20 vulnerabilities allow remote exploitation over multiple protocols without any form of authentication. Although they are remotely exploitable, these vulnerabilities have not been rated critical because of their high attack complexity. CVE-2019-2949 and CVE-2019-2989 are rated highest in the list.

CVE-2019-2949 affects the ‘Kerberos’ component of Java SE and Java SE Embedded. Successful exploitation gives an unauthorized attacker complete access to critical Java SE and Java SE Embedded accessible data. CVE-2019-2989 affects the ‘Networking’ component of Java SE and Java SE Embedded. Successful exploitation allows an unauthorized attacker to create, delete or modify access to critical data, or to all Java SE and Java SE Embedded accessible data.

Oracle VM VirtualBox received 11 security patches. None of the vulnerabilities can be exploited remotely without authentication. CVE-2019-3028 and CVE-2019-3017 are rated high and affect the ‘Core’ component of Oracle VM VirtualBox. Successful exploitation can lead to a takeover of Oracle VM VirtualBox and may also affect certain other products.

The other products which also received security updates are: Oracle Database Server, Oracle NoSQL, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction and Engineering, Financial Services, Health Sciences, Hospitality, Food & Beverage, Retail), Oracle Support Tools, Oracle GraalVM, and Oracle Sun Systems Products Suite. We strongly recommend that these security updates be installed as soon as possible.

Oracle Critical Patch Update October 2019 Summary

Oracle MySQL
Products : MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench
Affected Components : Client programs, Connector/ODBC, Connector/ODBC (OpenSSL), Information Schema, InnoDB, Monitoring: General (Apache Tomcat), MySQL Workbench (SQLite), Server: C API, Server: Compiling (cURL), Server: Connection, Server: DDL, Server: Optimizer, Server: PS, Server: Parser, Server: Replication, Server: Security: Encryption, Workbench: Security: Encryption (OpenSSL)
CVEs : CVE-2019-10072, CVE-2019-1543, CVE-2019-1549, CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2920, CVE-2019-2922, CVE-2019-2923, CVE-2019-2924, CVE-2019-2938, CVE-2019-2946, CVE-2019-2948, CVE-2019-2950, CVE-2019-2957, CVE-2019-2960, CVE-2019-2963, CVE-2019-2966, CVE-2019-2967, CVE-2019-2968, CVE-2019-2969, CVE-2019-2974, CVE-2019-2982, CVE-2019-2991, CVE-2019-2993, CVE-2019-2997, CVE-2019-2998, CVE-2019-3003, CVE-2019-3004, CVE-2019-3009, CVE-2019-3011, CVE-2019-3018, CVE-2019-5443, CVE-2019-8457

Oracle Java SE
Products : Java SE, Java SE Embedded
Affected Components : 2D, Concurrency, Deployment, Hotspot, JAXP, JavaFX (libxslt), Javadoc, Kerberos, Libraries, Networking, Scripting, Security, Serialization
CVEs : CVE-2019-11068, CVE-2019-2894, CVE-2019-2933, CVE-2019-2945, CVE-2019-2949, CVE-2019-2958, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2996, CVE-2019-2999

Oracle Virtualization
Products : Oracle VM VirtualBox
Affected Components : Core, Core (OpenSSL)
CVEs : CVE-2019-1547, CVE-2019-2926, CVE-2019-2944, CVE-2019-2984, CVE-2019-3002, CVE-2019-3005, CVE-2019-3017, CVE-2019-3021, CVE-2019-3026, CVE-2019-3028, CVE-2019-3031

Oracle Database Server
Affected Components : Core RDBMS, Core RDBMS (jackson-databind), Java VM, WLM (Apache Tomcat)
CVEs : CVE-2019-2909, CVE-2019-2956, CVE-2019-2913, CVE-2019-2939, CVE-2018-2875, CVE-2019-2734, CVE-2018-11784, CVE-2019-2954, CVE-2019-2955, CVE-2019-2940

Oracle NoSQL Database
Products : Oracle NoSQL Database
Affected Components : NoSQL (jackson-databind)
CVEs : CVE-2018-14721

Oracle Construction and Engineering
Products : Instantis EnterpriseTrack, Primavera Gateway, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier
Affected Components : Admin (Apache POI), Admin (jackson-databind), Core (Apache POI), Core (Apache Tomcat), Core (jQuery), Core (jackson-databind), Generic (Apache Axis), Generic (Apache HTTP Server), Generic (Apache POI), Generic (Apache Tomcat), Web Access, Web Access (Apache POI)
CVEs : CVE-2017-6056, CVE-2019-14379, CVE-2019-3020, CVE-2019-0232, CVE-2019-0211, CVE-2019-0227, CVE-2017-12626, CVE-2019-2976, CVE-2019-11358

Oracle E-Business Suite
Products : Oracle Advanced Outbound Telephony, Oracle Application Object Library, Oracle Content Manager, Oracle Field Service, Oracle Installed Base, Oracle Marketing, Oracle Workflow, Oracle iStore
Affected Components : Content, Engineering Change Order, Login Help, Marketing Administration, Order Tracker, User Interface, Wireless, Worklist
CVEs : CVE-2019-2942, CVE-2019-2990, CVE-2019-2994, CVE-2019-2995, CVE-2019-3000, CVE-2019-3022, CVE-2019-3027, CVE-2019-2930, CVE-2019-3024, CVE-2019-2925

Oracle Enterprise Manager
Products : Enterprise Manager Base Platform, Enterprise Manager Ops Center, Enterprise Manager for Exadata, Oracle Application Testing Suite
Affected Components : Agent Next Gen (Eclipse Jetty), Command Line Interface (Jython), Exadata Plug-In Deploy and Ins, Load Testing for Web Apps (jQuery), Networking (cURL), Networking (jQuery), OS Provisioning (Apache HTTP Server)
CVEs : CVE-2016-4000, CVE-2019-5443, CVE-2019-2895, CVE-2019-9517, CVE-2019-11358, CVE-2019-10247

Oracle Financial Services Applications
Products : Oracle Banking Digital Experience, Oracle Banking Platform, Oracle FLEXCUBE Direct Banking, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Enterprise Financial Performance Analytics, Oracle Financial Services Retail Performance Analytics
Affected Components : Infrastructure (jackson-databind), Loan Calculator, Payments, UI (jQuery), eMail
CVEs : CVE-2019-11358, CVE-2019-14379, CVE-2019-2979, CVE-2019-2980, CVE-2019-3019

Oracle Food and Beverage Applications
Products : Oracle Hospitality Materials Control, Oracle Hospitality RES 3700, Oracle Hospitality Reporting and Analytics
CVEs : CVE-2019-11358, CVE-2019-2934, CVE-2019-2936, CVE-2019-2937, CVE-2019-2947, CVE-2019-2952, CVE-2019-3025

Oracle Fusion Middleware
Products : BI Publisher (formerly XML Publisher), Oracle API Gateway, Oracle Business Intelligence Enterprise Edition, Oracle Data Integrator, Oracle Enterprise Repository, Oracle Forms, Oracle GoldenGate Application Adapters, Oracle JDeveloper and ADF, Oracle Outside In Technology, Oracle SOA Suite, Oracle Service Bus, Oracle Virtual Directory, Oracle Web Services, Oracle WebCenter Portal, Oracle WebLogic Server
Affected Components : 3rd Party (Spring Framework), ADF Faces, ADF Faces (jQuery), Analytics Actions, BI Platform Security, BI Platform Security (JQuery), BI Publisher Security, BPEL Service Engine and Fabric Layer (Apache Commons FileUpload), Console, Console (jQuery), EJB Container, Installation, Mobile Service, OAM, Oracle API Gateway (OpenSSL), Outside In Filters, SOAP with Attachments API for Java, Sample apps, Sample apps (jQuery), Secure Store (OpenSSL), Security Framework (jackson-databind), Security Subsystem – 12c (Apache Camel), Security Subsystem – 12c (Apache POI), Services, Studio, Virtual Directory Server (Apache Commons FileUpload), Web Container (JavaServer Faces), Web Container (jQuery), Web Services, Web Services (jQuery)
CVEs : CVE-2015-9251, CVE-2016-1000031, CVE-2016-7103, CVE-2017-12626, CVE-2018-15756, CVE-2019-0188, CVE-2019-11358, CVE-2019-12086, CVE-2019-1559, CVE-2019-17091, CVE-2019-2886, CVE-2019-2887, CVE-2019-2888, CVE-2019-2889, CVE-2019-2890, CVE-2019-2891, CVE-2019-2897, CVE-2019-2898, CVE-2019-2899, CVE-2019-2900, CVE-2019-2901, CVE-2019-2902, CVE-2019-2903, CVE-2019-2904, CVE-2019-2905, CVE-2019-2906, CVE-2019-2907, CVE-2019-2943, CVE-2019-2970, CVE-2019-2971, CVE-2019-2972, CVE-2019-3012

Oracle GraalVM
Products : Oracle GraalVM Enterprise Edition
Affected Components : Java, JavaScript (Node.js), LLVM Interpreter
CVEs : CVE-2019-2986, CVE-2019-2989, CVE-2019-9511

Oracle Health Sciences Applications
Products : Oracle Healthcare Foundation, Oracle Healthcare Translational Research
Affected Components : Cohort Explorer (jQuery), Security (jQuery)
CVEs : CVE-2019-11358

Oracle Hospitality Applications
Products : Oracle Hospitality Cruise Dining Room Management, Oracle Hospitality Guest Access
Affected Components : Base (Apache Axis), Base (Eclipse Jetty), Web Service
CVEs : CVE-2019-0227, CVE-2019-10247, CVE-2019-2953

Oracle Hyperion
Products : Hyperion Data Relationship Management, Hyperion Enterprise Performance Management Architect, Hyperion Financial Reporting
Affected Components : Access and Security, Security Models, Workspace
CVEs : CVE-2019-2927, CVE-2019-2941, CVE-2019-2959

Oracle JD Edwards
Products : JD Edwards EnterpriseOne Tools
Affected Components : Deployment (Log4j)
CVEs : CVE-2017-5645

Oracle PeopleSoft
Products : PeopleSoft Enterprise HCM Human Resources, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise SCM eProcurement
Affected Components : File Processing (libssh2), Fluid Core, Integration Broker, Integration Broker (Apache Xerces), Performance Monitor, Portal, Portal, Charting (jQuery), Stylesheet, Tree Manager, US Federal Specific, eProcurement
CVEs : CVE-2016-0729, CVE-2019-11358, CVE-2019-2915, CVE-2019-2929, CVE-2019-2931, CVE-2019-2932, CVE-2019-2951, CVE-2019-2985, CVE-2019-3001, CVE-2019-3014, CVE-2019-3015, CVE-2019-3023, CVE-2019-3862

Oracle Policy Automation
Products : Oracle Policy Automation, Oracle Policy Automation Connector for Siebel, Oracle Policy Automation for Mobile Devices
Affected Components : Core (Apache Axis), Core (jQuery), Determinations Engine (jQuery)
CVEs : CVE-2019-0227, CVE-2019-11358

Oracle Retail Applications
Products : CROS Retail XBRi Loss Prevention, MICROS Relate CRM Software, Oracle Retail Customer Insights, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Integration Bus, Oracle Retail Xstore Office, Oracle Retail Xstore Point of Service
Affected Components : Dataloader (jackson-databind), Internal Operations, Internal Operations (Apache Tomcat), Point of Sale, RIB Kernal (Spring Framework), Retail (jackson-databind), Retail Science Engine (jQuery), Segment, Xenvironment (jackson-databind)
CVEs : CVE-2018-15756, CVE-2018-19362, CVE-2018-3300, CVE-2019-0232, CVE-2019-10247, CVE-2019-11358, CVE-2019-12086, CVE-2019-14379, CVE-2019-2872, CVE-2019-2883, CVE-2019-2884, CVE-2019-2896

Oracle Siebel CRM
Products : Siebel Core – DB Deployment and Configuration, Siebel Mobile Applications, Siebel UI Framework
Affected Components : CG Mobile Connected (jQuery), Customizable Prod/Configurator (Apache Tomcat), EAI, Install – Configuration
CVEs : CVE-2018-8037, CVE-2019-11358, CVE-2019-2935, CVE-2019-2965

Oracle Systems
Products : Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, Oracle Solaris
Affected Components : Filesystem, LDAP Library, SMF services & legacy daemons, XCP Firmware (NSS), XCP Firmware (NTP), XCP Firmware (Net SNMP), XCP Firmware (OpenSSH), XCP Firmware (OpenSSL), XCP Firmware (USB Driver), XCP Firmware (cURL), XCP Firmware (glibc), XScreenSaver
CVEs : CVE-2015-5180, CVE-2017-17558, CVE-2018-0732, CVE-2018-1000007, CVE-2018-12404, CVE-2018-18066, CVE-2018-7185, CVE-2019-2765, CVE-2019-2961, CVE-2019-3008, CVE-2019-3010, CVE-2019-6109

Oracle Supply Chain
Products : Agile Recipe Management for Pharmaceuticals, Oracle Agile PLM, Oracle Agile Product Lifecycle Management for Process
Affected Components : Recipe (Apache Groovy), Security (Apache Tomcat), Supplier Portal (jQuery)
CVEs : CVE-2016-6814, CVE-2019-0232, CVE-2019-11358

Oracle Support Tools
Products : Diagnostic Assistant, Oracle Clusterware
Affected Components : Libraries (jQuery), Trace File Analyzer (TFA) Collector (jackson-databind)
CVEs : CVE-2019-11358, CVE-2019-12814