[Security Update] Advisory: Oracle January 2021 Critical Patch Update for All Product Lines

Category: Security vulnerabilities

Advisory number: NS-2021-0003

2021-01-20

Tags: Oracle, CPU, Critical Patch Update

Impact:

This patch update fixes 329 vulnerabilities of varying severity across several widely used products.

Version: 1.0

1 Overview

On January 20, 2021, NSFOCUS observed that Oracle had published its January 2021 Critical Patch Update (CPU) advisory, fixing a total of 329 vulnerabilities of varying severity. The update covers many widely used products, including Oracle WebLogic Server, Oracle Database Server, Oracle Java SE, Oracle Fusion Middleware, Oracle MySQL, Oracle Enterprise Manager and Oracle Systems. Oracle strongly recommends that customers apply the Critical Patch Update fixes as soon as possible to remediate these vulnerabilities.

Reference link:

https://www.oracle.com/security-alerts/cpujan2021.html




2 Summary of key vulnerabilities

Based on product popularity and vulnerability severity, the higher-impact vulnerabilities in this update have been selected below; affected users should pay particular attention to them:

Multiple critical vulnerabilities in Oracle WebLogic Server:

This security update fixes multiple deserialization vulnerabilities in WebLogic. They allow an unauthenticated attacker to send specially crafted malicious requests over the HTTP, IIOP or T3 protocols and thereby execute arbitrary code on Oracle WebLogic Server. The vulnerability identifiers are:

CVE-2021-1994
CVE-2021-2047
CVE-2021-2064
CVE-2021-2108
CVE-2021-2075
CVE-2020-14756
CVE-2019-17195
CVE-2021-2109 (details already public)

Multiple critical vulnerabilities in Oracle Communications:

This security update releases 12 security patches for Oracle Communications. 7 of the vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerabilities are:

CVE-2019-7164
CVE-2020-24750

Multiple critical vulnerabilities in Oracle E-Business Suite:

This security update releases 31 security patches for Oracle E-Business Suite. 29 of the vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerabilities are:

CVE-2021-2029
CVE-2021-2100
CVE-2021-2101

Multiple critical vulnerabilities in Oracle Enterprise Manager:

This security update releases 8 security patches for Oracle Enterprise Manager. All of them can be exploited remotely without user authentication. The high-risk vulnerabilities are:

CVE-2019-13990
CVE-2020-11973
CVE-2016-1000031
CVE-2020-11984
CVE-2020-10683

Multiple critical vulnerabilities in Oracle Financial Services Applications:

This security update releases 50 security patches for Oracle Financial Services Applications. 41 of the vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerabilities are:

CVE-2020-11612
CVE-2019-10744
CVE-2020-8174
CVE-2019-3773
CVE-2019-0230
CVE-2020-1945

Multiple critical vulnerabilities in Oracle Retail Applications:

This security update releases 32 security patches for Oracle Retail Applications. 20 of the vulnerabilities can be exploited remotely without user authentication. The high-risk vulnerabilities are:

CVE-2020-10683
CVE-2020-9546
CVE-2020-1945
CVE-2020-5421
CVE-2017-8028

Multiple critical vulnerabilities in Oracle Database Server (CVE-2021-2035, CVE-2021-2018):

This security update releases 8 security patches for Oracle Database Server, 1 of which addresses a vulnerability that can be exploited remotely without user authentication.

Oracle's January Critical Patch Update is summarized below:

| Product | Vulnerabilities | Remotely exploitable without authentication | Highest CVSS score |
|---|---|---|---|
| Oracle Database Server | 8 | 1 | 8.8 |
| Oracle Communications Applications | 8 | 6 | 8.1 |
| Oracle Communications | 12 | 7 | 9.8 |
| Oracle Construction and Engineering | 7 | 5 | 9.8 |
| Oracle E-Business Suite | 31 | 29 | 9.8 |
| Oracle Enterprise Manager | 8 | 8 | 9.8 |
| Oracle Financial Services Applications | 50 | 41 | 9.8 |
| Oracle Food and Beverage Applications | 2 | 1 | 9.8 |
| Oracle Fusion Middleware | 60 | 47 | 9.8 |
| Oracle GraalVM | 2 | 2 | 7.5 |
| Oracle Health Sciences Applications | 5 | 3 | 9.8 |
| Oracle Hyperion | 7 | 5 | 9.8 |
| Oracle Insurance Applications | 3 | 1 | 6.5 |
| Oracle Java SE | 1 | 1 | 5.3 |
| Oracle JD Edwards | 5 | 5 | 7.5 |
| Oracle MySQL | 43 | 5 | 7.5 |
| Oracle PeopleSoft | 8 | 6 | 8.4 |
| Oracle Retail Applications | 32 | 20 | 9.8 |
| Oracle Siebel CRM | 4 | 1 | 7.6 |
| Oracle Supply Chain | 11 | 11 | 8.2 |
| Oracle Systems | 4 | 3 | 9.8 |
| Oracle Utilities Applications | 1 | 1 | 9.8 |
| Oracle Virtualization | 17 | 0 | 8.2 |


3 Mitigation

Users should consult the appendix "Affected products and patch information" below, download the update patches for the affected products promptly, and install them following the readme file in the patch package, so that protection remains effective in the long term.

Note: Oracle patches require a support account tied to a licensed copy of the software. After logging in to https://support.oracle.com with that account, the latest patches can be downloaded.


Appendix: Affected products and patch information

| Affected product and versions | Available patch |
|---|---|
| Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Enterprise Manager for Fusion Applications, version 13.3.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Enterprise Manager Ops Center, version 12.4.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Hyperion Financial Reporting, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Hyperion Infrastructure Technology, version 11.1.2.4 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Instantis EnterpriseTrack, versions 17.1-17.3 | https://support.oracle.com/rs?type=doc&id=2735245.1 |
| JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.1 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| JD Edwards EnterpriseOne Tools, versions prior to 9.2.5.0 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| MySQL Client, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1 |
| MySQL Enterprise Monitor, versions 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1 |
| MySQL Server, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1 |
| MySQL Workbench, versions 8.0.22 and prior | https://support.oracle.com/rs?type=doc&id=2739278.1 |
| Oracle Adaptive Access Manager, version 11.1.2.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Agile Engineering Data Management, version 6.2.1.0 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Oracle Agile PLM, versions 9.3.5, 9.3.6 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Oracle Agile Product Lifecycle Management for Process, version 6.1 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Oracle Application Express Opportunity Tracker, versions prior to 20.2 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Application Express Survey Builder, versions prior to 20.2 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Application Testing Suite, version 13.3.0.1 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Argus Safety, version 8.2.2 | https://support.oracle.com/rs?type=doc&id=2732449.1 |
| Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Banking Corporate Lending Process Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com |
| Oracle Banking Credit Facilities Process Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com |
| Oracle Banking Extensibility Workbench, versions 14.3.0, 14.4.0 | https://support.oracle.com |
| Oracle Banking Liquidity Management, versions 14.0.0-14.4.0 | https://support.oracle.com |
| Oracle Banking Payments, version 14.4.0 | https://support.oracle.com |
| Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0 | https://support.oracle.com/rs?type=doc&id=2735867.1 |
| Oracle Banking Supply Chain Finance, versions 14.2.0-14.4.0 | https://support.oracle.com |
| Oracle Banking Trade Finance Process Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com |
| Oracle Banking Virtual Account Management, versions 14.1.0, 14.3.0, 14.4.0 | https://support.oracle.com |
| Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Communications Application Session Controller, version 3.9m0p2 | https://support.oracle.com/rs?type=doc&id=2737802.1 |
| Oracle Communications ASAP, version 7.3 | https://support.oracle.com/rs?type=doc&id=2738918.1 |
| Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9, 12.0.0.3 | https://support.oracle.com/rs?type=doc&id=2738919.1 |
| Oracle Communications Calendar Server, version 8.0.0.4.0 | https://support.oracle.com/rs?type=doc&id=2738920.1 |
| Oracle Communications Contacts Server, version 8.0.0.5.0 | https://support.oracle.com/rs?type=doc&id=2738930.1 |
| Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.2.2 | https://support.oracle.com/rs?type=doc&id=2737803.1 |
| Oracle Communications Element Manager, versions 8.2.1.0-8.2.2.1 | https://support.oracle.com/rs?type=doc&id=2737804.1 |
| Oracle Communications MetaSolv Solution, versions 6.3.0-6.3.1 | https://support.oracle.com/rs?type=doc&id=2738931.1 |
| Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.2 | https://support.oracle.com/rs?type=doc&id=2738942.1 |
| Oracle Communications Operations Monitor, versions 3.4, 4.1, 4.2, 4.3 | https://support.oracle.com/rs?type=doc&id=2737809.1 |
| Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.2 | https://support.oracle.com/rs?type=doc&id=2737806.1 |
| Oracle Communications Session Report Manager, versions 8.2.1.0-8.2.2.1 | https://support.oracle.com/rs?type=doc&id=2737808.1 |
| Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5.10, 12.1, 12.2 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Oracle Configurator, versions 12.1, 12.2 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10 | https://support.oracle.com/rs?type=doc&id=2737201.1 |
| Oracle Endeca Information Discovery Integrator, version 3.2.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Enterprise Communications Broker, versions 3.1, 3.2 | https://support.oracle.com/rs?type=doc&id=2739372.1 |
| Oracle Enterprise Data Quality, versions 11.1.1.9.0, 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Enterprise Repository, version 11.1.1.7.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0 | https://support.oracle.com/rs?type=doc&id=2735798.1 |
| Oracle Financial Services Asset Liability Management, versions 8.0.7, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735839.1 |
| Oracle Financial Services Data Integration Hub, versions 8.0.3, 8.0.6 | https://support.oracle.com/rs?type=doc&id=2735863.1 |
| Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735805.1 |
| Oracle Financial Services Market Risk Measurement and Management, version 8.0.6 | https://support.oracle.com/rs?type=doc&id=2735816.1 |
| Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735805.1 |
| Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0, 2.9.0.1 | https://support.oracle.com/rs?type=doc&id=2741359.1 |
| Oracle FLEXCUBE Core Banking, versions 11.5.0-11.9.0 | https://support.oracle.com |
| Oracle FLEXCUBE Universal Banking, version 14.4.0 | https://support.oracle.com |
| Oracle Fusion Middleware MapViewer, version 12.2.1.3.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Global Lifecycle Management OPatch | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Global Lifecycle Manager | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle GoldenGate Application Adapters, version 19.1.0.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle GraalVM Enterprise Edition, versions 19.3.4, 20.3.0 | https://support.oracle.com/rs?type=doc&id=2734817.1 |
| Oracle Health Sciences Information Manager, version 3.0.1 | https://support.oracle.com/rs?type=doc&id=2732449.1 |
| Oracle Healthcare Master Person Index, version 4.0.2.5 | https://support.oracle.com/rs?type=doc&id=2732449.1 |
| Oracle Hospitality Reporting and Analytics, version 9.1.0 | https://support.oracle.com/rs?type=doc&id=2731930.1 |
| Oracle Hospitality Simphony, versions 18.2.7.2, 19.1.3 | https://support.oracle.com/rs?type=doc&id=2731524.1 |
| Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.1.0 | https://support.oracle.com/rs?type=doc&id=2735806.1 |
| Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.20, 5.1.1.3 | https://support.oracle.com/rs?type=doc&id=2735138.1 |
| Oracle Insurance Policy Administration, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | https://support.oracle.com/rs?type=doc&id=2735138.1 |
| Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0 | https://support.oracle.com/rs?type=doc&id=2735138.1 |
| Oracle Java SE, versions 7u281, 8u271 | https://support.oracle.com/rs?type=doc&id=2736202.1 |
| Oracle Java SE Embedded, version 8u271 | https://support.oracle.com/rs?type=doc&id=2736202.1 |
| Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Outside In Technology, versions 8.5.4, 8.5.5 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Real-Time Decision Server, version 3.2.1.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Retail Assortment Planning, version 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Bulk Data Integration, versions 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0, 19.0 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Extract Transform and Load, versions 13.2.5, 13.2.8 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Financial Integration, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Integration Bus, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Invoice Matching, versions 13.2, 14.0, 14.1 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Merchandising System, version 15.0 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Order Broker, versions 15.0, 16.0 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Order Broker Cloud Service, version 15.0 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Sales Audit, version 14.1 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Service Backbone, versions 14.1.3, 15.0.3, 16.0.3 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle Retail Store Inventory Management, versions 14.0.4.0, 14.1.3.0, 14.1.3.9, 15.0.3.0, 16.0.3.0 | https://support.oracle.com/rs?type=doc&id=2733723.1 |
| Oracle SD-WAN Edge, version 9.0 | https://support.oracle.com/rs?type=doc&id=2739078.1 |
| Oracle Secure Backup | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle Transportation Management, version 1.4.3 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 | https://support.oracle.com/rs?type=doc&id=2736041.1 |
| Oracle VM VirtualBox, versions prior to 6.1.18 | https://support.oracle.com/rs?type=doc&id=2739282.1 |
| Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0 | https://support.oracle.com/rs?type=doc&id=2725756.1 |
| Oracle ZFS Storage Appliance Kit, version 8.8 | https://support.oracle.com/rs?type=doc&id=2740997.1 |
| PeopleSoft Enterprise FIN Payables, version 9.2 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| PeopleSoft Enterprise HCM Human Resources, version 9.2 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58 | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10 | https://support.oracle.com/rs?type=doc&id=2735245.1 |
| Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10 | https://support.oracle.com/rs?type=doc&id=2735245.1 |
| Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12 | https://support.oracle.com/rs?type=doc&id=2735245.1 |
| Siebel Applications, versions 20.12 and prior | https://support.oracle.com/rs?type=doc&id=2739390.1 |
| StorageTek Tape Analytics SW Tool, version 2.3.1 | https://support.oracle.com/rs?type=doc&id=2740997.1 |
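As an added example (not part of the advisory or of any Oracle tooling), the following Python check reads version expressions in exactly the forms the appendix uses (exact lists, inclusive ranges such as 12.2.3-12.2.10, "prior to X", "X and prior" per release branch, and release families such as 19c) and reports which entries of an installed-software inventory still need the patch. The product rows are copied from the appendix; the inventory values are constructed for illustration.

```python
import re

# Version expressions copied from this advisory's appendix; add further rows in the same form.
AFFECTED = {
    "Oracle WebLogic Server": "versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0",
    "MySQL Server": "versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior",
    "JD Edwards EnterpriseOne Tools": "versions prior to 9.2.5.0",
    "Oracle E-Business Suite": "versions 12.1.1-12.1.3, 12.2.3-12.2.10",
    "Oracle Database Server": "versions 12.1.0.2, 12.2.0.1, 18c, 19c",
}

def vtuple(v):
    """'12.2.1.3.0' -> (12, 2, 1, 3, 0); release names like '19c' -> (19,)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def is_affected(installed, spec):
    """True if the installed version falls inside one appendix version expression."""
    inst = vtuple(installed)
    items = [s.strip() for s in re.sub(r"^versions?\s+", "", spec.strip()).split(",")]
    # major.minor branches with their own 'X and prior' bound, so '8.0.22 and prior' does not swallow 5.7.40
    branches = {vtuple(i)[:2] for i in items if i.endswith(" and prior")}
    for item in items:
        if item.startswith("prior to "):           # 'prior to 9.2.5.0' (exclusive upper bound)
            if inst < vtuple(item[9:]):
                return True
        elif item.endswith(" and prior"):          # '5.7.32 and prior' (inclusive, same branch)
            top = vtuple(item[:-10])
            if inst <= top and (inst[:2] == top[:2] or inst[:2] not in branches):
                return True
        elif "-" in item:                          # '12.2.3-12.2.10' (inclusive range)
            lo, hi = (vtuple(p) for p in item.split("-", 1))
            if lo <= inst <= hi:
                return True
        else:                                      # exact release, or family prefix such as '19c'
            rel = vtuple(item)
            if inst[:len(rel)] == rel:
                return True
    return False

def needs_patch(inventory, affected=AFFECTED):
    """Return the (product, version) pairs that the appendix says must be patched."""
    return [(p, v) for p, v in inventory if p in affected and is_affected(v, affected[p])]

# Constructed sample inventory for demonstration, not taken from the advisory.
INVENTORY = [
    ("Oracle WebLogic Server", "12.2.1.3.0"), ("Oracle WebLogic Server", "14.1.2.0.0"),
    ("MySQL Server", "5.7.20"), ("MySQL Server", "5.7.40"), ("Oracle Database Server", "19.9"),
    ("JD Edwards EnterpriseOne Tools", "9.2.4.2"), ("Oracle E-Business Suite", "12.2.5"),
]
```

Running `needs_patch(INVENTORY)` on the constructed inventory flags five entries and leaves WebLogic 14.1.2.0.0 and MySQL 5.7.40 alone, since neither is inside the appendix expressions.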





Author: NSFOCUS (绿盟科技) Threat Countermeasure Capability Department

Disclaimer

This security advisory is intended only to describe potential security issues; NSFOCUS provides no guarantee or commitment in connection with it. Any direct or indirect consequences or losses arising from the dissemination or use of the information in this advisory are the sole responsibility of the user; neither NSFOCUS nor the authors of this advisory accept any liability for them.

NSFOCUS reserves the right to modify and interpret this security advisory. Anyone reproducing or distributing it must preserve it in full, including the copyright notice and all other content. Without NSFOCUS's permission, its content may not be altered or abridged in any way, nor used for commercial purposes by any means.



This article was first published on the WeChat official account 绿盟科技安全情报 (NSFOCUS Security Intelligence): [Security Update] Advisory: Oracle January 2021 Critical Patch Update for All Product Lines
