Oracle has released 219 new security patches as part of the October 2019 Critical Patch Update. Of these, 142 vulnerabilities are remotely exploitable without user credentials.
Oracle MySQL received 34 security patches. Nine of the vulnerabilities can be exploited over the network without any form of authentication. CVE-2019-8457 is considered the most critical of them; it affects the ‘SQLite’ component of MySQL Workbench, and successful exploitation can lead to a takeover of MySQL Workbench.
Oracle Java SE received 20 security patches. All 20 vulnerabilities can be exploited remotely over multiple protocols without any form of authentication. Although remotely exploitable, they have not been rated critical because of their high attack complexity. CVE-2019-2949 and CVE-2019-2989 are rated highest in the list.
CVE-2019-2949 affects the ‘Kerberos’ component of Java SE and Java SE Embedded. Successful exploitation gives an unauthorized attacker complete access to critical data accessible to Java SE and Java SE Embedded. CVE-2019-2989 affects the ‘Networking’ component of Java SE and Java SE Embedded. Successful exploitation allows an unauthorized attacker to create, delete or modify access to critical data, or to all data accessible to Java SE and Java SE Embedded.
Oracle VM VirtualBox received 11 security patches. None of the vulnerabilities can be exploited remotely without authentication. CVE-2019-3028 and CVE-2019-3017 are rated high and affect the ‘Core’ component of Oracle VM VirtualBox. Successful exploitation of CVE-2019-8457 can lead to a takeover of Oracle VM VirtualBox and may also impact certain other products.
The other products that also received security updates are: Oracle Database Server, Oracle NoSQL, Oracle Fusion Middleware, Oracle Hyperion, Oracle Enterprise Manager, Oracle E-Business Suite, Oracle PeopleSoft, Oracle Siebel CRM, Oracle Industry Applications (Construction and Engineering, Financial Services, Health Sciences, Hospitality, Food & Beverage, Retail), Oracle Support Tools, Oracle GraalVM, and Oracle Sun Systems Products Suite. We strongly recommend that these security updates be installed as soon as possible.
Oracle Critical Patch Update October 2019 Summary
Oracle MySQL
1) Products : MySQL Connectors, MySQL Enterprise Monitor, MySQL Server, MySQL Workbench
Affected Components : Client programs, Connector/ODBC, Connector/ODBC (OpenSSL), Information Schema, InnoDB, Monitoring: General (Apache Tomcat), MySQL Workbench (SQLite), Server: C API, Server: Compiling (cURL), Server: Connection, Server: DDL, Server: Optimizer, Server: PS, Server: Parser, Server: Replication, Server: Security: Encryption, Workbench: Security: Encryption (OpenSSL)
CVEs : CVE-2019-10072, CVE-2019-1543, CVE-2019-1549, CVE-2019-2910, CVE-2019-2911, CVE-2019-2914, CVE-2019-2920, CVE-2019-2922, CVE-2019-2923, CVE-2019-2924, CVE-2019-2938, CVE-2019-2946, CVE-2019-2948, CVE-2019-2950, CVE-2019-2957, CVE-2019-2960, CVE-2019-2963, CVE-2019-2966, CVE-2019-2967, CVE-2019-2968, CVE-2019-2969, CVE-2019-2974, CVE-2019-2982, CVE-2019-2991, CVE-2019-2993, CVE-2019-2997, CVE-2019-2998, CVE-2019-3003, CVE-2019-3004, CVE-2019-3009, CVE-2019-3011, CVE-2019-3018, CVE-2019-5443, CVE-2019-8457
Oracle Java SE
2) Products : Java SE, Java SE Embedded
Affected Components : 2D, Concurrency, Deployment, Hotspot, JAXP, JavaFX (libxslt), Javadoc, Kerberos, Libraries, Networking, Scripting, Security, Serialization
CVEs : CVE-2019-11068, CVE-2019-2894, CVE-2019-2933, CVE-2019-2945, CVE-2019-2949, CVE-2019-2958, CVE-2019-2962, CVE-2019-2964, CVE-2019-2973, CVE-2019-2975, CVE-2019-2977, CVE-2019-2978, CVE-2019-2981, CVE-2019-2983, CVE-2019-2987, CVE-2019-2988, CVE-2019-2989, CVE-2019-2992, CVE-2019-2996, CVE-2019-2999
Oracle Virtualization
3) Products : Oracle VM VirtualBox
Affected Components : Core, Core (OpenSSL)
CVEs : CVE-2019-1547, CVE-2019-2926, CVE-2019-2944, CVE-2019-2984, CVE-2019-3002, CVE-2019-3005, CVE-2019-3017, CVE-2019-3021, CVE-2019-3026, CVE-2019-3028, CVE-2019-3031
Oracle Database Server
Affected Components : Core RDBMS, Core RDBMS (jackson-databind), Java VM, WLM (Apache Tomcat)
CVEs : CVE-2019-2909, CVE-2019-2956, CVE-2019-2913, CVE-2019-2939, CVE-2018-2875, CVE-2019-2734, CVE-2018-11784, CVE-2019-2954, CVE-2019-2955, CVE-2019-2940
Oracle NoSQL Database
4) Products : Oracle NoSQL Database
Affected Components : NoSQL (jackson-databind)
CVEs : CVE-2018-14721
Oracle Construction and Engineering
5) Products : Instantis EnterpriseTrack, Primavera Gateway, Primavera P6 Enterprise Project Portfolio Management, Primavera Unifier
Affected Components : Admin (Apache POI), Admin (jackson-databind), Core (Apache POI), Core (Apache Tomcat), Core (jQuery), Core (jackson-databind), Generic (Apache Axis), Generic (Apache HTTP Server), Generic (Apache POI), Generic (Apache Tomcat), Web Access, Web Access (Apache POI)
CVEs : CVE-2017-6056, CVE-2019-14379, CVE-2019-14379, CVE-2019-3020, CVE-2019-0232, CVE-2019-0211, CVE-2019-0227, CVE-2017-12626, CVE-2017-12626, CVE-2017-12626, CVE-2017-12626, CVE-2019-2976, CVE-2019-11358
Oracle E-Business Suite
6) Products : Oracle Advanced Outbound Telephony, Oracle Application Object Library, Oracle Content Manager, Oracle Field Service, Oracle Installed Base, Oracle Marketing, Oracle Workflow, Oracle iStore
Affected Components : Content, Engineering Change Order, Login Help, Marketing Administration, Order Tracker, User Interface, Wireless, Worklist
CVEs : CVE-2019-2942, CVE-2019-2990, CVE-2019-2994, CVE-2019-2995, CVE-2019-3000, CVE-2019-3022, CVE-2019-3027, CVE-2019-2930, CVE-2019-3024, CVE-2019-2925
Oracle Enterprise Manager
7) Products : Enterprise Manager Base Platform, Enterprise Manager Ops Center, Enterprise Manager for Exadata, Oracle Application Testing Suite
Affected Components : Agent Next Gen (Eclipse Jetty), Command Line Interface (Jython), Exadata Plug-In Deploy and Ins, Load Testing for Web Apps (jQuery), Networking (cURL), Networking (jQuery), OS Provisioning (Apache HTTP Server)
CVEs : CVE-2016-4000, CVE-2019-5443, CVE-2019-2895, CVE-2019-9517, CVE-2019-11358, CVE-2019-11358, CVE-2019-10247
Oracle Financial Services Applications
8) Products : Oracle Banking Digital Experience, Oracle Banking Platform, Oracle FLEXCUBE Direct Banking, Oracle Financial Services Analytical Applications Infrastructure, Oracle Financial Services Enterprise Financial Performance Analytics, Oracle Financial Services Retail Performance Analytics
Affected Components : Infrastructure (jackson-databind), Loan Calculator, Payments, UI (jQuery), eMail
CVEs : CVE-2019-11358, CVE-2019-14379, CVE-2019-2979, CVE-2019-2980, CVE-2019-3019
Oracle Food and Beverage Applications
9) Products : Oracle Hospitality Materials Control, Oracle Hospitality RES 3700, Oracle Hospitality Reporting and Analytics
CVEs : CVE-2019-11358, CVE-2019-2934, CVE-2019-2936, CVE-2019-2937, CVE-2019-2947, CVE-2019-2952, CVE-2019-3025
Oracle Fusion Middleware
10) Products : BI Publisher (formerly XML Publisher), Oracle API Gateway, Oracle Business Intelligence Enterprise Edition, Oracle Data Integrator, Oracle Enterprise Repository, Oracle Forms, Oracle GoldenGate Application Adapters, Oracle JDeveloper and ADF, Oracle Outside In Technology, Oracle SOA Suite, Oracle Service Bus, Oracle Virtual Directory, Oracle Web Services, Oracle WebCenter Portal, Oracle WebLogic Server
Affected Components : 3rd Party (Spring Framework), ADF Faces, ADF Faces (jQuery), Analytics Actions, BI Platform Security, BI Platform Security (JQuery), BI Publisher Security, BPEL Service Engine and Fabric Layer (Apache Commons FileUpload), Console, Console (jQuery), EJB Container, Installation, Mobile Service, OAM, Oracle API Gateway (OpenSSL), Outside In Filters, SOAP with Attachments API for Java, Sample apps, Sample apps (jQuery), Secure Store (OpenSSL), Security Framework (jackson-databind), Security Subsystem – 12c (Apache Camel), Security Subsystem – 12c (Apache POI), Services, Studio, Virtual Directory Server (Apache Commons FileUpload), Web Container (JavaServer Faces), Web Container (jQuery), Web Services, Web Services (jQuery)
CVEs : CVE-2015-9251, CVE-2016-1000031, CVE-2016-7103, CVE-2017-12626, CVE-2018-15756, CVE-2019-0188, CVE-2019-11358, CVE-2019-12086, CVE-2019-1559, CVE-2019-17091, CVE-2019-2886, CVE-2019-2887, CVE-2019-2888, CVE-2019-2889, CVE-2019-2890, CVE-2019-2891, CVE-2019-2897, CVE-2019-2898, CVE-2019-2899, CVE-2019-2900, CVE-2019-2901, CVE-2019-2902, CVE-2019-2903, CVE-2019-2904, CVE-2019-2905, CVE-2019-2906, CVE-2019-2907, CVE-2019-2943, CVE-2019-2970, CVE-2019-2971, CVE-2019-2972, CVE-2019-3012
Oracle GraalVM
11) Products : Oracle GraalVM Enterprise Edition
Affected Components : Java, JavaScript (Node.js), LLVM Interpreter
CVEs : CVE-2019-2986, CVE-2019-2989, CVE-2019-9511
Oracle Health Sciences Applications
12) Products : Oracle Healthcare Foundation, Oracle Healthcare Translational Research
Affected Components : Cohort Explorer (jQuery), Security (jQuery)
CVEs : CVE-2019-11358
Oracle Hospitality Applications
13) Products : Oracle Hospitality Cruise Dining Room Management, Oracle Hospitality Guest Access
Affected Components : Base (Apache Axis), Base (Eclipse Jetty), Web Service
CVEs : CVE-2019-0227, CVE-2019-10247, CVE-2019-2953
Oracle Hyperion
14) Products : Hyperion Data Relationship Management, Hyperion Enterprise Performance Management Architect, Hyperion Financial Reporting
Affected Components : Access and Security, Security Models, Workspace
CVEs : CVE-2019-2927, CVE-2019-2941, CVE-2019-2959
Oracle JD Edwards
15) Products : JD Edwards EnterpriseOne Tools
Affected Components : Deployment (Log4j)
CVEs : CVE-2017-5645
Oracle PeopleSoft
16) Products : PeopleSoft Enterprise HCM Human Resources, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise SCM eProcurement
Affected Components : File Processing (libssh2), Fluid Core, Integration Broker, Integration Broker (Apache Xerces), Performance Monitor, Portal, Portal, Charting (jQuery), Stylesheet, Tree Manager, US Federal Specific, eProcurement
CVEs : CVE-2016-0729, CVE-2019-11358, CVE-2019-2915, CVE-2019-2929, CVE-2019-2931, CVE-2019-2932, CVE-2019-2951, CVE-2019-2985, CVE-2019-3001, CVE-2019-3014, CVE-2019-3015, CVE-2019-3023, CVE-2019-3862
17) Products : Oracle Policy Automation, Oracle Policy Automation Connector for Siebel, Oracle Policy Automation for Mobile Devices
Affected Components : Core (Apache Axis), Core (jQuery), Determinations Engine (jQuery)
CVEs : CVE-2019-0227, CVE-2019-11358
Oracle Retail Applications
18) Products : CROS Retail XBRi Loss Prevention, MICROS Relate CRM Software, Oracle Retail Customer Insights, Oracle Retail Customer Management and Segmentation Foundation, Oracle Retail Integration Bus, Oracle Retail Xstore Office, Oracle Retail Xstore Point of Service
Affected Components : Dataloader (jackson-databind), Internal Operations, Internal Operations (Apache Tomcat), Point of Sale, RIB Kernal (Spring Framework), Retail (jackson-databind), Retail Science Engine (jQuery), Segment, Xenvironment (jackson-databind)
CVEs : CVE-2018-15756, CVE-2018-19362, CVE-2018-3300, CVE-2019-0232, CVE-2019-10247, CVE-2019-11358, CVE-2019-12086, CVE-2019-14379, CVE-2019-2872, CVE-2019-2883, CVE-2019-2884, CVE-2019-2896
Oracle Siebel CRM
19) Products : Siebel Core – DB Deployment and Configuration, Siebel Mobile Applications, Siebel UI Framework
Affected Components : CG Mobile Connected (jQuery), Customizable Prod/Configurator (Apache Tomcat), EAI, Install – Configuration
CVEs : CVE-2018-8037, CVE-2019-11358, CVE-2019-2935, CVE-2019-2965
Oracle Systems
20) Products : Fujitsu M10-1, M10-4, M10-4S, M12-1, M12-2, M12-2S Servers, Oracle Solaris
Affected Components : Filesystem, LDAP Library, SMF services & legacy daemons, XCP Firmware (NSS), XCP Firmware (NTP), XCP Firmware (Net SNMP), XCP Firmware (OpenSSH), XCP Firmware (OpenSSL), XCP Firmware (USB Driver), XCP Firmware (cURL), XCP Firmware (glibc), XScreenSaver
CVEs : CVE-2015-5180, CVE-2017-17558, CVE-2018-0732, CVE-2018-1000007, CVE-2018-12404, CVE-2018-18066, CVE-2018-7185, CVE-2019-2765, CVE-2019-2961, CVE-2019-3008, CVE-2019-3010, CVE-2019-6109
Oracle Supply Chain
21) Products : Agile Recipe Management for Pharmaceuticals, Oracle Agile PLM, Oracle Agile Product Lifecycle Management for Process
Affected Components : Recipe (Apache Groovy), Security (Apache Tomcat), Supplier Portal (jQuery)
CVEs : CVE-2016-6814, CVE-2019-0232, CVE-2019-11358
Oracle Support Tools
22) Products : Diagnostic Assistant, Oracle Clusterware
Affected Components : Libraries (jQuery), Trace File Analyzer (TFA) Collector (jackson-databind)
CVEs : CVE-2019-11358, CVE-2019-12814