Security Alert (A16-07-03): Multiple Vulnerabilities in Oracle Java and Oracle Products (July 2016)

Description:

Oracle has released Critical Patch Update (CPU) Advisory with collections of patches for multiple security vulnerabilities found in Java SE and various Oracle products.

There are 13 vulnerabilities identified in Java affecting multiple sub-components including CORBA, Deployment, Hotspot, Install, JavaFX, JAXP, Libraries and Networking. All of them could be remotely exploited without authentication in which 3 of them could affect server deployment of Java (e.g. through a web service).

For vulnerabilities identified in those Oracle products, they can be remotely exploited through various protocols including HTTP, HTTPS, IPMI, MySQL Protocol, NTP, Oracle Net, SNMP, SSH, SSL/TLS, T3, TLS, UDP and X11 over a network.

There are multiple attack vectors. For Java, an attacker could entice a user to open a specially crafted web page containing un-trusted Java applet or Java Web Start application with malicious content, or to launch executables using the Java launcher. For other Oracle products, a remote attacker could send specially crafted network packets to the affected system to exploit the vulnerabilities.

Affected Systems:

Oracle Java SE

• Oracle Java SE, versions 6u115, 7u101, 8u92
  Oracle Java SE Embedded, version 8u91
  Oracle JRockit, version R28.3.10

Database Server

• Application Express, versions prior to 5.0.4
  Oracle Database Server, versions 11.2.0.4, 12.1.0.1, 12.1.0.2

Oracle Linux and Virtualization

• Oracle Secure Global Desktop, versions 4.63, 4.71, 5.2
  Oracle VM VirtualBox, versions prior to 5.0.26

Oracle MySQL Product Suite

• MySQL Server, versions 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior

Fusion Applications and Middleware

• Hyperion Financial Reporting, version 11.1.2.4
• Oracle Access Manager, versions 10.1.4.x, 11.1.1.7
• Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
• Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
• Oracle Directory Server Enterprise Edition, versions 7.0, 11.1.1.7.0
• Oracle Exalogic Infrastructure, versions 1.x, 2.x
• Oracle Fusion Applications, versions 11.1.2 through 11.1.10
• Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0
• Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2
• Oracle HTTP Server, versions 11.1.1.9, 12.1.3.0
• Oracle JDeveloper, versions 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
• Oracle Portal, versions 11.1.1.6
• Oracle TopLink, versions 12.1.3.0, 12.2.1.0, 12.2.1.1
• Oracle WebCenter Sites, versions 11.1.1.8, 12.2.1.0
• Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0
• Outside In Technology, versions 8.5.0, 8.5.1, 8.5.2

E-Business Suite

• Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5

Enterprise Manager

• Enterprise Manager Base Platform, versions 12.1.0.5, 13.1.0.0
• Enterprise Manager for Fusion Middleware, versions 11.1.1.7, 11.1.1.9
• Enterprise Manager Ops Center, versions 12.1.4, 12.2.2, 12.3.2

Health Sciences

• Oracle Health Sciences Clinical Development Center, versions 3.1.1.x, 3.1.2.x
• Oracle Health Sciences Information Manager, versions 1.2.8.3, 2.0.2.3, 3.0.1.0
• Oracle Healthcare Analytics Data Integration, versions 3.1.0.0.0
• Oracle Healthcare Master Person Index, versions 2.0.12, 3.0.0, 4.0.1

JD Edwards

• JD Edwards EnterpriseOne Tools, version 9.2.0.5

Oracle Banking Platform

• Oracle Banking Platform, versions 2.3.0, 2.4.0, 2.4.1, 2.5.0

Oracle Communications Applications

• Oracle Communications ASAP, versions 7.0, 7.2, 7.3
• Oracle Communications Core Session Manager, versions 7.2.5, 7.3.5
• Oracle Communications EAGLE Application Processor, versions 16.0
• Oracle Communications Messaging Server, versions 6.3, 7.0, 8.0, prior to 7.0.5.37.0 and 8.0.1.1.0
• Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
• Oracle Communications Operations Monitor, versions prior to 3.3.92.0.0
• Oracle Communications Policy Management, versions prior to 9.9.2
• Oracle Communications Session Border Controller, versions 7.2.0, 7.3.0
• Oracle Communications Unified Session Manager, versions 7.2.5, 7.3.5
• Oracle Enterprise Communications Broker, versions prior to PCz 2.0.0m4p1

Oracle Financial Services Applications

• Oracle Financial Services Lending and Leasing, versions 14.1, 14.2
• Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3

Oracle Insurance Applications

• Oracle Documaker, version prior to 12.5
• Oracle Insurance Calculation Engine, versions 9.7.1, 10.1.2, 10.2.2
• Oracle Insurance Policy Administration J2EE, versions 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
• Oracle Insurance Rules Palette, versions 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2

Oracle Knowledge Applications

• Oracle Knowledge, versions 8.5.x

Oracle Policy Automation

• Oracle In-Memory Policy Analytics, version 12.0.1
• Oracle Policy Automation, versions 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
• Oracle Policy Automation Connector for Siebel, versions 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
• Oracle Policy Automation for Mobile Devices, version 12.1.1

Oracle Primavera Products Suite

• Primavera Contract Management, version 14.2
• Primavera P6 Enterprise Project Portfolio Management, versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1

Oracle Supply Chain Products

• Oracle Agile Engineering Data Management, versions 6.1.3.0, 6.2.0.0
• Oracle Agile PLM, versions 9.3.4, 9.3.5
• Oracle Demand Planning, versions 12.1, 12.2
• Oracle Transportation Management, versions 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1

Oracle Utilities Applications

• Oracle Utilities Framework, versions 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
• Oracle Utilities Network Management System, versions 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12.                  1.12.0.3.5
• Oracle Utilities Work and Asset Management, version 1.9.1.2.8

Oracle and Sun Systems Products Suite

• 40G 10G 72/64 Ethernet Switch, version 2.0.0
• Fujitsu M10-1, M10-4, M10-4S Servers, versions prior to XCP 2320
• ILOM, versions 3.0, 3.1, 3.2
• Oracle Switch ES1-24, version 1.3
• Solaris, versions 10, 11.3
• Solaris Cluster, versions 3.3, 4.3
• SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1121
• Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version 1.2
• Sun Data Center InfiniBand Switch 36, versions prior to 2.2.2
• Sun Network 10GE Switch 72p, version 1.2
• Sun Network QDR InfiniBand Gateway Switch, versions prior to 2.2.2

PeopleSoft

• PeopleSoft Enterprise FSCM, versions 9.1, 9.2
• PeopleSoft Enterprise PeopleTools, versions 8.53, 8.54, 8.55

Retail Applications

• MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
• Oracle Retail Central, Back Office, Returns Management, versions 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0
• Oracle Retail Integration Bus, versions 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
• Oracle Retail Order Broker, versions 4.1, 5.1, 5.2, 15.0
• Oracle Retail Service Backbone, versions 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
• Oracle Retail Store Inventory Management, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1

Siebel CRM

• Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016

Impact:

Depending on the vulnerability exploited, a successful attack could lead to arbitrary code execution, denial of services, information disclosure, bypass of security restrictions or compromise of a vulnerable system.

Recommendation:

Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate actions to mitigate the risk.

For Oracle Java SE products, please refer to the following link:

• Java Platform SE 8 (JDK and JRE 8 Update 101)
  http://www.oracle.com/technetwork/java/javase/downloads/index.html

For other Oracle products, please refer to the section "Patch Availability Table and Risk Matrices" of corresponding security advisory at the vendor’s website:

• http://www.oracle.com/technetwork/topics/security/cpujul2016-2881720.html

Users may contact their product support vendors for the fixes and assistance.

More Information:

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html
http://www.oracle.com/technetwork/java/javase/8u102-relnotes-3021767.html
https://www.hkcert.org/my_url/en/alert/16072001
https://www.us-cert.gov/ncas/current-activity/2016/07/19/Oracle-Releases-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9708
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3424
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3432
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3433
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3440
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3444 (to CVE-2016-3446)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3448
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3450 (to CVE-2016-3453)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458 (to CVE-2016-3459)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3467 (to CVE-2016-3472)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3474 (to CVE-2016-3491)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3493 (to CVE-2016-3494)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3496 (to CVE-2016-3504)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3506 (to CVE-2016-3550)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3552 (to CVE-2016-3561)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3563 (to CVE-2016-3598)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606 (to CVE-2016-3615)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5436 (to CVE-2016-5437)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5439 (to CVE-2016-5477)