【安全更新】Oracle全系产品2021年1月关键补丁更新通告

2021年1月20日12:01:37评论228 views字数 14865阅读49分33秒阅读模式

通告编号:NS-2021-0003

2021-01-20

TAG：	Oracle、CPU、关键补丁更新
漏洞危害：	此次补丁更新修复了329个不同程度的漏洞，涉及多个常用产品。
版本：	1.0

概述

2021年1月20日，绿盟科技监测发现Oracle官方发布了2021年1月关键补丁更新公告CPU（Critical Patch Update），共修复了329个不同程度的漏洞，此次安全更新涉及Oracle WebLogic Server、Oracle Database Server、Oracle Java SE、Oracle Fusion Middleware、Oracle MySQL、Oracle Enterprise Manager、Oracle Systems等多个常用产品。Oracle强烈建议客户尽快应用关键补丁更新修复程序，对漏洞进行修复。

参考链接：

https://www.oracle.com/security-alerts/cpujan2021.html

SEE MORE →

2重点漏洞简述

根据产品流行度和漏洞重要性筛选出此次更新中包含影响较大的漏洞，请相关用户重点进行关注：

Oracle WebLogic Server多个严重漏洞：

本次安全更新修复了Weblogic的多个反序列化漏洞，这些漏洞允许未经身份验证的攻击者通过HTTP、IIOP、T3协议发送精心构造的恶意请求，从而在Oracle WebLogic Server上执行任意代码。漏洞编号如下：

CVE-2021-1994

CVE-2021-2047

CVE-2021-2064

CVE-2021-2108

CVE-2021-2075

CVE-2020-14756

CVE-2019-17195

CVE-2021-2109（细节已公开）

Oracle Communications多个严重漏洞：

此次安全更新针对Oracle Communication发布了12个安全补丁。其中的7个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞如下：

CVE-2019-7164

CVE-2020-24750

Oracle E-Business Suite多个严重漏洞：

此次安全更新针对Oracle E-Business Suite发布了31个安全补丁。其中的29个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞如下：

CVE-2021-2029

CVE-2021-2100

CVE-2021-2101

Oracle Enterprise Manager多个严重漏洞：

此次安全更新针对Oracle Enterprise Manager发布了8个安全补丁。皆可在未经用户身份验证的情况下远程进行利用。高危漏洞如下：

CVE-2019-13990

CVE-2020-11973

CVE-2016-1000031

CVE-2020-11984

CVE-2020-10683

Oracle Financial Services Applications多个严重漏洞：

此次安全更新针对Oracle Financial Services Applications发布了50个安全补丁。其中有41个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞如下：

CVE-2020-11612

CVE-2019-10744

CVE-2020-8174

CVE-2019-3773

CVE-2019-0230

CVE-2020-1945

Oracle Retail Applications多个严重漏洞：

此次安全更新针对Oracle Retail Applications发布了32个安全补丁。其中有20个漏洞在未经用户身份验证的情况下即可远程进行利用。高危漏洞如下：

CVE-2020-10683

CVE-2020-9546

CVE-2020-1945

CVE-2020-5421

CVE-2017-8028

Oracle Database Server多个严重漏洞（CVE-2021-2035、CVE-2021-2018）：

此次安全更新针对Oracle Database Server发布了8个安全补丁，其中有1个漏洞在未经用户身份验证的情况下即可远程进行利用。

Oracle官方1月关键补丁更新漏洞总结如下：

产品	漏洞个数	未授权远程利用个数	最高CVSS评分
Oracle Database server	8	1	8.8
Oracle Communications Applications	8	6	8.1
Oracle Communications	12	7	9.8
Oracle Construction and Engineering	7	5	9.8
Oracle E-Business Suite	31	29	9.8
Oracle Enterprise Manager	8	8	9.8
Oracle Financial Services Applications	50	41	9.8
Oracle Food and Beverage Applications	2	1	9.8
Oracle Fusion Middleware	60	47	9.8
Oracle GraalVM	2	2	7.5
Oracle Health Sciences Applications	5	3	9.8
Oracle Hyperion	7	5	9.8
Oracle Insurance Applications	3	1	6.5
Oracle Java SE	1	1	5.3
Oracle JD Edwards	5	5	7.5
Oracle MySQL	43	5	7.5
Oracle PeopleSoft	8	6	8.4
Oracle Retail Applications	32	20	9.8
Oracle Siebel CRM	4	1	7.6
Oracle Supply Chain	11	11	8.2
Oracle Systems	4	3	9.8
Oracle Utilities Applications	1	1	9.8
Oracle Virtualization	17	0	8.2

3漏洞防护

请用户参考本文附录“受影响产品及补丁信息”及时下载受影响产品更新补丁，并参照补丁安装包中的readme文件进行安装更新，以保证长期有效的防护。

注：Oracle官方补丁需要用户持有正版软件的许可账号，使用该账号登陆https://support.oracle.com后，可以下载最新补丁。

附录受影响产品及补丁信息

受影响产品及版本号	可用补丁
Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Enterprise Manager Base Platform, versions 13.2.1.0, 13.3.0.0, 13.4.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Enterprise Manager for Fusion Applications, version 13.3.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Enterprise Manager Ops Center, version 12.4.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Hyperion Financial Reporting, version 11.1.2.4	https://support.oracle.com/rs?type=doc&id=2725756.1
Hyperion Infrastructure Technology, version 11.1.2.4	https://support.oracle.com/rs?type=doc&id=2725756.1
Instantis EnterpriseTrack, versions 17.1-17.3	https://support.oracle.com/rs?type=doc&id=2735245.1
JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.5.1	https://support.oracle.com/rs?type=doc&id=2739390.1
JD Edwards EnterpriseOne Tools, versions prior to 9.2.5.0	https://support.oracle.com/rs?type=doc&id=2739390.1
MySQL Client, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior	https://support.oracle.com/rs?type=doc&id=2739278.1
MySQL Enterprise Monitor, versions 8.0.22 and prior	https://support.oracle.com/rs?type=doc&id=2739278.1
MySQL Server, versions 5.6.50 and prior, 5.7.32 and prior, 8.0.22 and prior	https://support.oracle.com/rs?type=doc&id=2739278.1
MySQL Workbench, versions 8.0.22 and prior	https://support.oracle.com/rs?type=doc&id=2739278.1
Oracle Adaptive Access Manager, version 11.1.2.3.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Agile Engineering Data Management, version 6.2.1.0	https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Agile PLM, versions 9.3.5, 9.3.6	https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Agile Product Lifecycle Management for Process, version 6.1	https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Application Express Opportunity Tracker, versions prior to 20.2	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Application Express Survey Builder, versions prior to 20.2	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Application Testing Suite, version 13.3.0.1	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Argus Safety, version 8.2.2	https://support.oracle.com/rs?type=doc&id=2732449.1
Oracle BAM (Business Activity Monitoring), versions 11.1.1.9.0, 12.2.1.3.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Banking Corporate Lending Process Management, versions 14.1.0, 14.3.0, 14.4.0	https://support.oracle.com
Oracle Banking Credit Facilities Process Management, versions 14.1.0, 14.3.0, 14.4.0	https://support.oracle.com
Oracle Banking Extensibility Workbench, versions 14.3.0, 14.4.0	https://support.oracle.com
Oracle Banking Liquidity Management, versions 14.0.0-14.4.0	https://support.oracle.com
Oracle Banking Payments, version 14.4.0	https://support.oracle.com
Oracle Banking Platform, versions 2.4.0, 2.4.1, 2.6.2, 2.7.0, 2.7.1, 2.8.0, 2.9.0	https://support.oracle.com/rs?type=doc&id=2735867.1
Oracle Banking Supply Chain Finance, versions 14.2.0-14.4.0	https://support.oracle.com
Oracle Banking Trade Finance Process Management, versions 14.1.0, 14.3.0, 14.4.0	https://support.oracle.com
Oracle Banking Virtual Account Management, versions 14.1.0, 14.3.0, 14.4.0	https://support.oracle.com
Oracle BI Publisher, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Business Intelligence Enterprise Edition, versions 5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Business Process Management Suite, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Communications Application Session Controller, version 3.9m0p2	https://support.oracle.com/rs?type=doc&id=2737802.1
Oracle Communications ASAP, version 7.3	https://support.oracle.com/rs?type=doc&id=2738918.1
Oracle Communications BRM - Elastic Charging Engine, versions 11.3.0.9, 12.0.0.3	https://support.oracle.com/rs?type=doc&id=2738919.1
Oracle Communications Calendar Server, version 8.0.0.4.0	https://support.oracle.com/rs?type=doc&id=2738920.1
Oracle Communications Contacts Server, version 8.0.0.5.0	https://support.oracle.com/rs?type=doc&id=2738930.1
Oracle Communications Diameter Signaling Router (DSR), versions 8.0.0-8.2.2	https://support.oracle.com/rs?type=doc&id=2737803.1
Oracle Communications Element Manager, versions 8.2.1.0-8.2.2.1	https://support.oracle.com/rs?type=doc&id=2737804.1
Oracle Communications MetaSolv Solution, versions 6.3.0-6.3.1	https://support.oracle.com/rs?type=doc&id=2738931.1
Oracle Communications Network Charging and Control, versions 6.0.1, 12.0.2	https://support.oracle.com/rs?type=doc&id=2738942.1
Oracle Communications Operations Monitor, versions 3.4, 4.1, 4.2, 4.3	https://support.oracle.com/rs?type=doc&id=2737809.1
Oracle Communications Performance Intelligence Center (PIC) Software, version 10.4.0.2	https://support.oracle.com/rs?type=doc&id=2737806.1
Oracle Communications Session Report Manager, versions 8.2.1.0-8.2.2.1	https://support.oracle.com/rs?type=doc&id=2737808.1
Oracle Complex Maintenance, Repair, and Overhaul, versions 11.5.10, 12.1, 12.2	https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Configurator, versions 12.1, 12.2	https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Data Integrator, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Database Server, versions 12.1.0.2, 12.2.0.1, 18c, 19c	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10	https://support.oracle.com/rs?type=doc&id=2737201.1
Oracle Endeca Information Discovery Integrator, version 3.2.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Enterprise Communications Broker, versions 3.1, 3.2	https://support.oracle.com/rs?type=doc&id=2739372.1
Oracle Enterprise Data Quality, versions 11.1.1.9.0, 12.2.1.3.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Enterprise Repository, version 11.1.1.7.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.6-8.1.0	https://support.oracle.com/rs?type=doc&id=2735798.1
Oracle Financial Services Asset Liability Management, versions 8.0.7, 8.1.0	https://support.oracle.com/rs?type=doc&id=2735839.1
Oracle Financial Services Data Integration Hub, versions 8.0.3, 8.0.6	https://support.oracle.com/rs?type=doc&id=2735863.1
Oracle Financial Services Funds Transfer Pricing, versions 8.0.6, 8.0.7, 8.1.0	https://support.oracle.com/rs?type=doc&id=2735805.1
Oracle Financial Services Market Risk Measurement and Management, version 8.0.6	https://support.oracle.com/rs?type=doc&id=2735816.1
Oracle Financial Services Profitability Management, versions 8.0.6, 8.0.7, 8.1.0	https://support.oracle.com/rs?type=doc&id=2735805.1
Oracle Financial Services Revenue Management and Billing, versions 2.9.0.0, 2.9.0.1	https://support.oracle.com/rs?type=doc&id=2741359.1
Oracle FLEXCUBE Core Banking, versions 11.5.0-11.9.0	https://support.oracle.com
Oracle FLEXCUBE Universal Banking, version 14.4.0	https://support.oracle.com
Oracle Fusion Middleware MapViewer, version 12.2.1.3.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Global Lifecycle Management OPatch	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Global Lifecycle Manager	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle GoldenGate Application Adapters, version 19.1.0.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle GraalVM Enterprise Edition, versions 19.3.4, 20.3.0	https://support.oracle.com/rs?type=doc&id=2734817.1
Oracle Health Sciences Information Manager, version 3.0.1	https://support.oracle.com/rs?type=doc&id=2732449.1
Oracle Healthcare Master Person Index, version 4.0.2.5	https://support.oracle.com/rs?type=doc&id=2732449.1
Oracle Hospitality Reporting and Analytics, version 9.1.0	https://support.oracle.com/rs?type=doc&id=2731930.1
Oracle Hospitality Simphony, versions 18.2.7.2, 19.1.3	https://support.oracle.com/rs?type=doc&id=2731524.1
Oracle Insurance Allocation Manager for Enterprise Profitability, version 8.1.0	https://support.oracle.com/rs?type=doc&id=2735806.1
Oracle Insurance Insbridge Rating and Underwriting, versions 5.0.0.20, 5.1.1.3	https://support.oracle.com/rs?type=doc&id=2735138.1
Oracle Insurance Policy Administration, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0	https://support.oracle.com/rs?type=doc&id=2735138.1
Oracle Insurance Rules Palette, versions 10.2.0, 10.2.4, 11.0.2, 11.1.0-11.3.0	https://support.oracle.com/rs?type=doc&id=2735138.1
Oracle Java SE, versions 7u281, 8u271	https://support.oracle.com/rs?type=doc&id=2736202.1
Oracle Java SE Embedded, version 8u271	https://support.oracle.com/rs?type=doc&id=2736202.1
Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Outside In Technology, versions 8.5.4, 8.5.5	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Real-Time Decision Server, version 3.2.1.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Retail Assortment Planning, version 16.0.3	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Bulk Data Integration, versions 15.0.3, 16.0.3	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Customer Management and Segmentation Foundation, versions 16.0, 17.0, 18.0, 19.0	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Extract Transform and Load, versions 13.2.5, 13.2.8	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Financial Integration, versions 14.1.3, 15.0.3, 16.0.3	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Integration Bus, versions 14.1.3, 15.0.3, 16.0.3	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Invoice Matching, versions 13.2, 14.0, 14.1	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Merchandising System, version 15.0	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Order Broker, versions 15.0, 16.0	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Order Broker Cloud Service, version 15.0	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Sales Audit, version 14.1	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Service Backbone, versions 14.1.3, 15.0.3, 16.0.3	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle Retail Store Inventory Management, versions 14.0.4.0, 14.1.3.0, 14.1.3.9, 15.0.3.0, 16.0.3.0	https://support.oracle.com/rs?type=doc&id=2733723.1
Oracle SD-WAN Edge, version 9.0	https://support.oracle.com/rs?type=doc&id=2739078.1
Oracle Secure Backup	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle Transportation Management, version 1.4.3	https://support.oracle.com/rs?type=doc&id=2739390.1
Oracle Utilities Framework, versions 4.2.0.2.0, 4.2.0.3.0, 4.3.0.1.0-4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0	https://support.oracle.com/rs?type=doc&id=2736041.1
Oracle VM VirtualBox, versions prior to 6.1.18	https://support.oracle.com/rs?type=doc&id=2739282.1
Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0, 14.1.1.0.0	https://support.oracle.com/rs?type=doc&id=2725756.1
Oracle ZFS Storage Appliance Kit, version 8.8	https://support.oracle.com/rs?type=doc&id=2740997.1
PeopleSoft Enterprise FIN Payables, version 9.2	https://support.oracle.com/rs?type=doc&id=2739390.1
PeopleSoft Enterprise HCM Human Resources, version 9.2	https://support.oracle.com/rs?type=doc&id=2739390.1
PeopleSoft Enterprise PeopleTools, versions 8.56, 8.57, 8.58	https://support.oracle.com/rs?type=doc&id=2739390.1
Primavera Gateway, versions 16.2.0-16.2.11, 17.12.0-17.12.9, 18.8.0-18.8.10, 19.12.0-19.12.10	https://support.oracle.com/rs?type=doc&id=2735245.1
Primavera P6 Enterprise Project Portfolio Management, versions 16.1.0-16.2.20, 17.1.0-17.12.19, 18.1.0-18.8.21, 19.12.0-19.12.10	https://support.oracle.com/rs?type=doc&id=2735245.1
Primavera Unifier, versions 16.1, 16.2, 17.7-17.12, 18.8, 19.12, 20.12	https://support.oracle.com/rs?type=doc&id=2735245.1
Siebel Applications, versions 20.12 and prior	https://support.oracle.com/rs?type=doc&id=2739390.1
StorageTek Tape Analytics SW Tool, version 2.3.1	https://support.oracle.com/rs?type=doc&id=2740997.1

END

作者：绿盟科技威胁对抗能力部

声明

本安全公告仅用来描述可能存在的安全问题，绿盟科技不为此安全公告提供任何保证或承诺。由于传播、利用此安全公告所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，绿盟科技以及安全公告作者不为此承担任何责任。

【安全更新】Oracle全系产品2021年1月关键补丁更新通告

绿盟科技安全情报 ∣微信公众号

长按识别二维码，关注网络安全威胁信息

本文始发于微信公众号（绿盟科技安全情报）：【安全更新】Oracle全系产品2021年1月关键补丁更新通告

左青龙
微信扫一扫

右白虎
微信扫一扫

【安全更新】Oracle全系产品2021年1月关键补丁更新通告

校园网自助服务系统存在SQL注入漏洞

玲珑-login-bypass登录绕过漏洞复现

用友-政务-FileDownload-任意文件读取漏洞复现

卡车卫星定位系统/user/create存在未授权密码重置漏洞

用友-U8-Cloud-TableInputOperServlet存在反序列化漏洞

CVE-2024-26503

致远互联 OA fileUpload.do 文件上传漏洞

某世界500强企业|存在通杀漏洞(0day)

CVE-2024-32409 POC

【Weblogic 文件上传漏洞（CVE-2019-2618）

发表评论

在线咨询

微信