Oracle admins, here's your first critical patch advisory for 2019, and it's a doozy: a total of 284 vulnerabilities patched across Big Red's product range, and 33 of them are rated “critical”.
We hope your support contracts are up-to-date to receive these fixes. The full list is here, and with so much to choose from, The Register will work through the top-rated bugs.
Oracle Communications Applications (OCA) is home to nine of the vulnerabilities in various components:
You might be familiar with CVE-2016-1000031 – it's the Apache Commons FileUpload remote code execution (RCE) bug disclosed in November last year. OCA's Diameter Signalling Router component inherited the bug, as did its Communications Services Gatekeeper. Other systems affected by this bug include its Financial Services Analytical Applications Infrastructure, the Fusion Middleware MapViewer, and four three Oracle Retail components.

Another 2016 bug, this time in Codehaus versions of Groovy (CVE-2016-6814), affected OCA Unified Inventory Management.

An Apache Log4j bug, CVE-2017-5645, was inherited by Oracle's Converged Application Server - Service Controller, and the OCA Online Mediation Controller, Service Broker, and WebRTC Session Controller. It also popped up in a FLEXCUBE component in Oracle Financial Services Applications, Fusion's GoldenGate app adapters and SOA Suite, and a Sun tape library component. This CVE has been problematic for Big Red before: last year, it was responsible for 21 entries in the January patch list, and in April it had to be squashed in its Fusion Middleware.

OCA's Communications Policy Management component suffered from CVE-2018-11776, an Apache Struts bug that last year was exploited to mine cryptocurrency.

CVE-2018-9206 exposed OCA's Services Gatekeeper to arbitrary file upload. This bug also affected Primavera P6 in the Construction and Engineering Suite, and Siebel CRM.

Oracle E-Business Suite's Performance Management component had an “easily exploitable” bug in CVE-2019-2453: an unauthenticated network attacker could create, delete, or modify critical data. There was a similar bug in the e-biz suite's fulfillment system (CVE-2019-2489).
In CVE-2016-4000, Jython provided a vector for arbitrary code, and it's used by Big Red's Enterprise Manager platform, Banking Platform, and Utilities Network Management System.
Yet another Apache tool, Derby (versions before 10.12.1.1), used in the WebLogic server, suffered from CVE-2015-1832, a denial-of-service vulnerability.
Oracle Tuxedo used a version of the Spring framework vulnerable to CVE-2018-1275, an RCE bug that also affected the Sun Tape Library ACSLS component.
The company's JD Edwards Enterprise Tools was vulnerable to CVE-2018-8013, a complete takeover enabled by a deserialisation bug in Apache Batik.
There were a couple more authorisation bypass bugs to deal with: one in MySQL (CVE-2018-10933, inherited from libssh), and one in Xstore Payment (CVE-2017-7658, in the Eclipse Jetty server).
Finally: in CVE-2015-8965, Rogue Wave JViews was patched against an RCE, and that software turns up in the Agile PLM component of Oracle's supply chain suite. ®