1. 主頁
  2. 保安警報
  3. 保安警報 (A16-07-03)

保安警報 (A16-07-03): Oracle Java 及 Oracle 產品多個漏洞 (2016年7月)


 

發布日期: 2016年 7月 21日

  
  

描述:

Oracle 發布了重要修補程式更新公告,包括一系列應對 Java SE 和不同 Oracle 產品中多個漏洞的安全修補程式。

在多個受影響的 Java 子部件中,包括CORBA, Deployment, Hotspot, Install, JavaFX, JAXP, Libraries 和 Networking,發現了 13 個漏洞。這些漏洞可被未獲授權的攻擊者從遠端攻擊,其中 3 個漏洞更可影響 Java 的服務端部件(例如通過網絡服務)。

對於在 Oracle 產品中發現的漏洞,攻擊者可通過多種規約,包括 HTTP, HTTPS, IPMI, MySQL Protocol, NTP, Oracle Net, SNMP, SSH, SSL/TLS, T3, TLS, UDP及 X11經網絡從遠端攻擊。

攻擊者可通過多種方式攻擊受影響的系統。對於 Java,攻擊者可誘使用戶開啓載有不可靠 Java applet 或含惡意內容的 Java Web Start 應用程式的特製網頁,或以 Java launcher 起動執行檔。對於其他 Oracle 產品,遠端攻擊者可傳送特製的網絡封包到受影響系統攻擊這些漏洞。

 

受影響的系統:

Oracle Java SE

  • Oracle Java SE, versions 6u115, 7u101, 8u92
    Oracle Java SE Embedded, version 8u91
    Oracle JRockit, version R28.3.10

Database Server

  • Application Express, versions prior to 5.0.4
    Oracle Database Server, versions 11.2.0.4, 12.1.0.1, 12.1.0.2

Oracle Linux and Virtualization

  • Oracle Secure Global Desktop, versions 4.63, 4.71, 5.2
    Oracle VM VirtualBox, versions prior to 5.0.26

Oracle MySQL Product Suite

  • MySQL Server, versions 5.5.49 and prior, 5.6.30 and prior, 5.7.12 and prior

Fusion Applications and Middleware

  • Hyperion Financial Reporting, version 11.1.2.4
  • Oracle Access Manager, versions 10.1.4.x, 11.1.1.7
  • Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
  • Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 11.2.1.0.0
  • Oracle Directory Server Enterprise Edition, versions 7.0, 11.1.1.7.0
  • Oracle Exalogic Infrastructure, versions 1.x, 2.x
  • Oracle Fusion Applications, versions 11.1.2 through 11.1.10
  • Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.3.0, 12.2.1.0
  • Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2
  • Oracle HTTP Server, versions 11.1.1.9, 12.1.3.0
  • Oracle JDeveloper, versions 11.1.1.7.0, 11.1.1.9.0, 11.1.2.4.0, 12.1.3.0.0, 12.2.1.0.0
  • Oracle Portal, versions 11.1.1.6
  • Oracle TopLink, versions 12.1.3.0, 12.2.1.0, 12.2.1.1
  • Oracle WebCenter Sites, versions 11.1.1.8, 12.2.1.0
  • Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0
  • Outside In Technology, versions 8.5.0, 8.5.1, 8.5.2

E-Business Suite

  • Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5

Enterprise Manager

  • Enterprise Manager Base Platform, versions 12.1.0.5, 13.1.0.0
  • Enterprise Manager for Fusion Middleware, versions 11.1.1.7, 11.1.1.9
  • Enterprise Manager Ops Center, versions 12.1.4, 12.2.2, 12.3.2

Health Sciences

  • Oracle Health Sciences Clinical Development Center, versions 3.1.1.x, 3.1.2.x
  • Oracle Health Sciences Information Manager, versions 1.2.8.3, 2.0.2.3, 3.0.1.0
  • Oracle Healthcare Analytics Data Integration, versions 3.1.0.0.0
  • Oracle Healthcare Master Person Index, versions 2.0.12, 3.0.0, 4.0.1

JD Edwards

  • JD Edwards EnterpriseOne Tools, version 9.2.0.5

Oracle Banking Platform

  • Oracle Banking Platform, versions 2.3.0, 2.4.0, 2.4.1, 2.5.0

Oracle Communications Applications

  • Oracle Communications ASAP, versions 7.0, 7.2, 7.3
  • Oracle Communications Core Session Manager, versions 7.2.5, 7.3.5
  • Oracle Communications EAGLE Application Processor, versions 16.0
  • Oracle Communications Messaging Server, versions 6.3, 7.0, 8.0, prior to 7.0.5.37.0 and 8.0.1.1.0
  • Oracle Communications Network Charging and Control, versions 4.4.1.5.0, 5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0, 5.0.2.0.0
  • Oracle Communications Operations Monitor, versions prior to 3.3.92.0.0
  • Oracle Communications Policy Management, versions prior to 9.9.2
  • Oracle Communications Session Border Controller, versions 7.2.0, 7.3.0
  • Oracle Communications Unified Session Manager, versions 7.2.5, 7.3.5
  • Oracle Enterprise Communications Broker, versions prior to PCz 2.0.0m4p1

Oracle Financial Services Applications

  • Oracle Financial Services Lending and Leasing, versions 14.1, 14.2
  • Oracle FLEXCUBE Direct Banking, versions 12.0.1, 12.0.2, 12.0.3

Oracle Insurance Applications

  • Oracle Documaker, version prior to 12.5
  • Oracle Insurance Calculation Engine, versions 9.7.1, 10.1.2, 10.2.2
  • Oracle Insurance Policy Administration J2EE, versions 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2
  • Oracle Insurance Rules Palette, versions 9.6.1, 9.7.1, 10.0.1, 10.1.2, 10.2.0, 10.2.2

Oracle Knowledge Applications

  • Oracle Knowledge, versions 8.5.x

Oracle Policy Automation

  • Oracle In-Memory Policy Analytics, version 12.0.1
  • Oracle Policy Automation, versions 10.3.0, 10.3.1, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6, 12.1.0, 12.1.1
  • Oracle Policy Automation Connector for Siebel, versions 10.3.0, 10.4.0, 10.4.1, 10.4.2, 10.4.3, 10.4.4, 10.4.5, 10.4.6
  • Oracle Policy Automation for Mobile Devices, version 12.1.1

Oracle Primavera Products Suite

  • Primavera Contract Management, version 14.2
  • Primavera P6 Enterprise Project Portfolio Management, versions 8.2, 8.3, 8.4, 15.1, 15.2, 16.1

Oracle Supply Chain Products

  • Oracle Agile Engineering Data Management, versions 6.1.3.0, 6.2.0.0
  • Oracle Agile PLM, versions 9.3.4, 9.3.5
  • Oracle Demand Planning, versions 12.1, 12.2
  • Oracle Transportation Management, versions 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7, 6.4.0, 6.4.1

Oracle Utilities Applications

  • Oracle Utilities Framework, versions 2.2.0.0.0, 4.1.0.1.0, 4.1.0.2.0, 4.2.0.1.0, 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0, 4.3.0.2.0
  • Oracle Utilities Network Management System, versions 1.10.0.6.27, 1.11.0.4.41, 1.11.0.5.4, 1.12.0.1.16, 1.12.0.2.12.                  1.12.0.3.5
  • Oracle Utilities Work and Asset Management, version 1.9.1.2.8

Oracle and Sun Systems Products Suite

  • 40G 10G 72/64 Ethernet Switch, version 2.0.0
  • Fujitsu M10-1, M10-4, M10-4S Servers, versions prior to XCP 2320
  • ILOM, versions 3.0, 3.1, 3.2
  • Oracle Switch ES1-24, version 1.3
  • Solaris, versions 10, 11.3
  • Solaris Cluster, versions 3.3, 4.3
  • SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, versions prior to XCP 1121
  • Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version 1.2
  • Sun Data Center InfiniBand Switch 36, versions prior to 2.2.2
  • Sun Network 10GE Switch 72p, version 1.2
  • Sun Network QDR InfiniBand Gateway Switch, versions prior to 2.2.2

PeopleSoft

  • PeopleSoft Enterprise FSCM, versions 9.1, 9.2
  • PeopleSoft Enterprise PeopleTools, versions 8.53, 8.54, 8.55

Retail Applications

  • MICROS Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1
  • Oracle Retail Central, Back Office, Returns Management, versions 13.1, 13.2, 13.3, 13.4, 14.0, 14.1, 12.0 13.0
  • Oracle Retail Integration Bus, versions 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Order Broker, versions 4.1, 5.1, 5.2, 15.0
  • Oracle Retail Service Backbone, versions 13.0, 13.1, 13.2, 14.0, 14.1, 15.0
  • Oracle Retail Store Inventory Management, versions 12.0, 13.0, 13.1, 13.2, 14.0, 14.1

Siebel CRM

  • Siebel Applications, version(s) 8.1.1, 8.2.2, IP2014, IP2015, IP2016

 

影響:

成功攻擊這些漏洞可導致執行程式碼、服務受阻斷、取得敏感資料、繞過保安限制或控制受影響系統,視乎攻擊者利用哪個漏洞而定。

 

建議:

現已有適用於受影響系統的修補程式。受影響系統的用戶應遵從產品供應商的建議,立即採取行動以降低風險。

Oracle Java SE 產品的修補程式可從以下連結下載:

  • Java Platform SE 8 (JDK 及 JRE 8 101)
    http://www.oracle.com/technetwork/java/javase/downloads/index.html

關於其他 Oracle 產品,請參閱供應商網站相關安全公告中 “Patch Availability Table and Risk Matrices"的部分:

  • http://www.oracle.com/technetwork/topics/security/cpujul2016-2881720.html

用戶可聯絡其產品支援供應商,以取得修補程式及有關支援

 

進一步資訊:

http://www.oracle.com/technetwork/security-advisory/cpujul2016-2881720.html
http://www.oracle.com/technetwork/java/javase/8u101-relnotes-3021761.html
http://www.oracle.com/technetwork/java/javase/8u102-relnotes-3021767.html
https://www.hkcert.org/my_url/en/alert/16072001
https://www.us-cert.gov/ncas/current-activity/2016/07/19/Oracle-Releases-Security-Bulletin
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3137
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-3410
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2064
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0224
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3566
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3571
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9708
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0204
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0228
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0235
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1791
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1793
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2808
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3183
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3197
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3237
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3253
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5300
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5600
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7182
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7501
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8104
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0635
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0702
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0800
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1181
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1548
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2105
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-2107
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3081
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3424
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3432
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3433
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3440
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3444 (to CVE-2016-3446)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3448
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3450 (to CVE-2016-3453)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3458 (to CVE-2016-3459)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3467 (to CVE-2016-3472)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3474 (to CVE-2016-3491)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3493 (to CVE-2016-3494)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3496 (to CVE-2016-3504)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3506 (to CVE-2016-3550)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3552 (to CVE-2016-3561)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3563 (to CVE-2016-3598)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3606 (to CVE-2016-3615)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5436 (to CVE-2016-5437)
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5439 (to CVE-2016-5477) 



標籤 : Oracle , Java , Oracle Database , Oracle Linux , MySQL , Fusion , Oracle E-Business Suite , Enterprise Manager , Health Sciences , JD Edwards , Oracle Banking Platform , Oracle Communications , Oracle Financial Services , Oracle Insurance , Oracle Knowledge , Oracle Policy Automation , Oracle Primavera , Oracle Supply Chain , Oracle Utilities , Sun Systems , PeopleSoft , Oracle Retail , Siebel
標籤