Oracle releases its security patch fixing 319 vulnerabilities across its products

Publication date:

In its July 2019 security patch (Critical Patch Update), Oracle fixes 319 vulnerabilities across its entire product range. Around fifty of them are rated critical, and Oracle states that several are exploitable remotely without authentication.

The affected products include, among others, the Oracle MySQL database and the Oracle Communications Applications suite.

Oracle strongly recommends applying the updates described here without delay.

Technical details:

Among the vulnerabilities rated critical:

  • CVE-2019-3822 [CVSS v3 9.8]: The cURL library (libcurl) bundled with MySQL is vulnerable to a stack-based buffer overflow. The function that builds the outgoing NTLM type-3 HTTP authentication header copies the NT response derived from the server's previous NTLMv2 message into a fixed stack buffer of roughly 1 KB, and the length check guarding that copy is written with unsigned arithmetic that wraps around, so it does not actually prevent the overflow. A malicious or compromised HTTP server returning an oversized NTLM message can therefore overflow the stack of the libcurl client and potentially execute arbitrary code. Upstream, libcurl versions from 7.36.0 up to but not including 7.64.0 are affected.
  • CVE-2019-2729 [CVSS v3 9.8]: In the Oracle WebLogic Server embedded in Oracle Communications Converged Application Server (and in WebLogic Server 10.3.6.0.0, 12.1.3.0.0 and 12.2.1.3.0 themselves), a deserialization vulnerability via XMLDecoder in the Web Services component is easily exploitable: an unauthenticated remote attacker can take over the server with crafted HTTP requests. Oracle first addressed this flaw through an out-of-band Security Alert in June 2019, as a bypass of the fix for CVE-2019-2725; this quarterly update includes it.
  • CVE-2018-1275 [CVSS v3 9.8]: In the Spring Framework bundled with Oracle Communications Converged Application Server, an application exposing STOMP over WebSocket through the spring-messaging module's simple in-memory broker lets an attacker craft a STOMP message to the broker that leads to remote code execution. Upstream, this was tracked as a follow-up to CVE-2018-1270, whose initial fix was incomplete.
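To make the length-check defect behind CVE-2019-3822 concrete, here is an added C example written for this page; it is not libcurl's, MySQL's or Oracle's code. The macro NTLM_BUFSIZE and the names size and ntresplen mirror those used in libcurl's lib/vauth/ntlm.c (an assumption about naming, not a copy of that file), and the scenario values are constructed. The program contrasts the wrapping unsigned comparison with a hardened one and reports, without performing any copy, how far past the 1024-byte buffer a memcpy would have written:

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Size of the fixed stack buffer in which the outgoing NTLM type-3
 * message is assembled. The name mirrors libcurl's define. */
#define NTLM_BUFSIZE 1024

/* Vulnerable bounds check, modelled on the affected libcurl releases.
 * 'size' is the number of bytes already in the buffer and 'ntresplen' the
 * length of the NT response taken from the server's type-2 message.
 * Both are size_t: when ntresplen > NTLM_BUFSIZE the subtraction wraps
 * around to a huge value, so the comparison passes and the copy proceeds. */
static bool vuln_response_fits(size_t size, size_t ntresplen)
{
    return size < (NTLM_BUFSIZE - ntresplen);
}

/* Hardened check: never subtract an attacker-influenced length from the
 * buffer size. Reject oversized responses first, then compare against the
 * remaining room; neither expression can wrap. */
static bool fixed_response_fits(size_t size, size_t ntresplen)
{
    if (ntresplen > NTLM_BUFSIZE)
        return false;
    return size <= NTLM_BUFSIZE - ntresplen;
}

typedef bool (*fits_fn)(size_t size, size_t ntresplen);

/* Dry run of the "append NT response" step: applies the chosen check and,
 * instead of copying, stores in *overflow_bytes how many bytes a memcpy of
 * ntresplen bytes at offset 'size' would land past the end of the buffer.
 * Returns true when the check accepted the copy, false when it rejected it. */
static bool simulate_append(fits_fn check, size_t size, size_t ntresplen,
                            size_t *overflow_bytes)
{
    *overflow_bytes = 0;
    if (!check(size, ntresplen))
        return false;                       /* rejected: nothing written */
    if (size + ntresplen > NTLM_BUFSIZE)    /* accepted but does not fit */
        *overflow_bytes = size + ntresplen - NTLM_BUFSIZE;
    return true;
}

int main(void)
{
    /* Constructed scenarios: bytes already in the buffer vs. NT response
     * length supplied by a hypothetical malicious server. */
    const size_t cases[][2] = { {64, 200}, {64, 1000}, {64, 2000} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        size_t ov_vuln, ov_fixed;
        bool ok_vuln = simulate_append(vuln_response_fits,
                                       cases[i][0], cases[i][1], &ov_vuln);
        bool ok_fixed = simulate_append(fixed_response_fits,
                                        cases[i][0], cases[i][1], &ov_fixed);
        printf("size=%zu ntresplen=%zu | vulnerable: %s (would overflow by %zu bytes) | fixed: %s\n",
               cases[i][0], cases[i][1],
               ok_vuln ? "ACCEPT" : "reject", ov_vuln,
               ok_fixed ? "ACCEPT" : "reject");
    }
    return 0;
}
```

The middle case shows that the original check is not simply missing: a response slightly too large (1000 bytes) is rejected by both versions. Only when ntresplen exceeds NTLM_BUFSIZE does the subtraction wrap, and the vulnerable check then accepts a copy that would run 1040 bytes past the buffer. That is why the fix subtracts nothing that the peer controls.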

Information

Actively exploited:

A fix exists:

A workaround exists:

Risks

  • Remote arbitrary code execution

Severity

  • CVSS score: 9.80 (highest score in the bulletin)

Availability of exploit code

  • No exploit code is available. Do not let that lower the patching priority: CVE-2019-2729 was serious enough for Oracle to address it first through an out-of-band Security Alert in June 2019, before this quarterly update.

Vulnerable components & versions

  • Oracle Weblogic Server 12.2.1.3.0
  • Oracle Weblogic Server 12.1.3.0.0
  • Oracle Weblogic Server 10.3.6.0.0
  • Oracle WebCenter Sites 12.2.1.3.0
  • Oracle VM VirtualBox 6.0.6
  • Oracle VM VirtualBox 6.0.4
  • Oracle VM VirtualBox 6.0.2
  • Oracle VM VirtualBox 6.0
  • Oracle VM VirtualBox 5.2.28
  • Oracle VM VirtualBox 5.2.26
  • Oracle VM VirtualBox 5.2.25
  • Oracle VM VirtualBox 5.2.24
  • Oracle VM VirtualBox 5.2.22
  • Oracle VM VirtualBox 5.2.20
  • Oracle Utilities Framework 4.4.0.0.0
  • Oracle Utilities Framework 4.3.0.6.0
  • Oracle Utilities Framework 4.3.0.5.0
  • Oracle Utilities Framework 4.3.0.2.0
  • Oracle Utilities Advanced Spatial and Operational Analytics 2.7.0.1
  • Oracle Transportation Management 6.3.7
  • Oracle Tape Virtual Storage Manager GUI 6.2
  • Oracle Sun ZFS Storage Appliance Kit (AK) 8.8.6
  • Oracle Sun ZFS Storage Appliance Kit (AK) 8.8.3
  • Oracle Solaris 11.4
  • Oracle Solaris 11.3
  • Oracle Solaris 10
  • Oracle SOA Suite 12.2.1.3.0
  • Oracle Siebel Applications 19.0
  • Oracle Services Tools Bundle 19.2
  • Oracle Security Service 12.2.1.3.0
  • Oracle Security Service 12.1.3.0.0
  • Oracle Security Service 11.1.1.9.0
  • Oracle Retail Xstore Point of Service 7.1
  • Oracle Retail Xstore Point of Service 7.0
  • Oracle Retail Xstore Point of Service 18.0
  • Oracle Retail Xstore Point of Service 17.0
  • Oracle Retail Xstore Point of Service 16.0
  • Oracle Retail Xstore Point of Service 15.0
  • Oracle Retail Xstore Office 7.1
  • Oracle Retail Xstore Office 7.0
  • Oracle Retail Service Backbone 16.0.1
  • Oracle Retail Predictive Application Server 16.0
  • Oracle Retail Predictive Application Server 15.0.3.100
  • Oracle Retail Predictive Application Server 14.1.3.37
  • Oracle Retail Predictive Application Server 14.0.3.26
  • Oracle Retail Order Management System 5.0
  • Oracle Retail Order Broker 5.2
  • Oracle Retail Order Broker 15.0
  • Oracle Retail Integration Bus 16.0
  • Oracle Retail Integration Bus 15.0
  • Oracle Retail Financial Integration 16.0
  • Oracle Retail Financial Integration 15.0
  • Oracle Retail Financial Integration 14.1
  • Oracle Retail Financial Integration 14.0
  • Oracle Retail Customer Management and Segmentation Foundation 18.0
  • Oracle Retail Customer Management and Segmentation Foundation 17.0
  • Oracle Retail Customer Management and Segmentation Foundation 16.0
  • Oracle Retail Customer Engagement 18.0
  • Oracle Retail Customer Engagement 17.0
  • Oracle Retail Customer Engagement 16.0
  • Oracle Retail Customer Engagement 11.4
  • Oracle Retail Advanced Inventory Planning 15.0
  • Oracle Primavera Unifier 18.8
  • Oracle Primavera Unifier 17.7
  • Oracle Primavera Unifier 17.12
  • Oracle Primavera Unifier 16.2
  • Oracle Primavera Unifier 16.1
  • Oracle Primavera Gateway 18.8
  • Oracle Primavera Gateway 17.12
  • Oracle Primavera Gateway 16.2
  • Oracle Primavera Gateway 15.2
  • Oracle Primavera Analytics 18.8
  • Oracle PeopleSoft Enterprise PT PeopleTools 8.57
  • Oracle PeopleSoft Enterprise PT PeopleTools 8.56
  • Oracle PeopleSoft Enterprise PT PeopleTools 8.55
  • Oracle PeopleSoft Enterprise PeopleTools 8.57
  • Oracle PeopleSoft Enterprise PeopleTools 8.56
  • Oracle PeopleSoft Enterprise PeopleTools 8.55
  • Oracle PeopleSoft Enterprise FIN Project Costing 9.2
  • Oracle Outside In Technology 8.5.4
  • Oracle OFS REG REP US FED 8.0.7
  • Oracle OFS REG REP US FED 8.0.4
  • Oracle OFS REG REP RBI 8.0.7
  • Oracle OFS REG REP EBA 8.0.7
  • Oracle OFS REG REP EBA 8.0.6
  • Oracle MICROS Retail-J 12.1.2
  • Oracle MICROS Retail-J 12.1.1
  • Oracle MICROS Retail-J 13.1
  • Oracle MICROS Retail-J 12.1
  • Oracle MICROS Retail XBRi Loss Prevention 10.8.3
  • Oracle MICROS Retail XBRi Loss Prevention 10.8.1
  • Oracle MICROS Retail XBRi Loss Prevention 10.8
  • Oracle JRE(Windows Production Release) 12.0.1
  • Oracle JRE(Windows Production Release) 11.0.3
  • Oracle JRE(Windows Production Release) 1.8 Update 212
  • Oracle JRE(Windows Production Release) 1.7 Update 221
  • Oracle JRE(Solaris Production Release) 12.0.1
  • Oracle JRE(Solaris Production Release) 11.0.3
  • Oracle JRE(Solaris Production Release) 1.8 Update 212
  • Oracle JRE(Solaris Production Release) 1.7 Update 221
  • Oracle JRE(macOS Production Release) 12.0.1
  • Oracle JRE(macOS Production Release) 11.0.3
  • Oracle JRE(macOS Production Release) 1.8 Update 212
  • Oracle JRE(macOS Production Release) 1.7 Update 221
  • Oracle JRE(Linux Production Release) 12.0.1
  • Oracle JRE(Linux Production Release) 11.0.3
  • Oracle JRE(Linux Production Release) 1.8 Update 212
  • Oracle JRE(Linux Production Release) 1.7 Update 221
  • Oracle JDK(Windows Production Release) 12.0.1
  • Oracle JDK(Windows Production Release) 11.0.3
  • Oracle JDK(Windows Production Release) 1.8 Update 212
  • Oracle JDK(Windows Production Release) 1.7 Update 221
  • Oracle JDK(Solaris Production Release) 12.0.1
  • Oracle JDK(Solaris Production Release) 11.0.3
  • Oracle JDK(Solaris Production Release) 1.8 Update 212
  • Oracle JDK(Solaris Production Release) 1.7 Update 221
  • Oracle JDK(macOS Production Release) 12.0.1
  • Oracle JDK(macOS Production Release) 11.0.3
  • Oracle JDK(macOS Production Release) 1.8 Update 212
  • Oracle JDK(macOS Production Release) 1.7 Update 221
  • Oracle JDK(Linux Production Release) 12.0.1
  • Oracle JDK(Linux Production Release) 11.0.3
  • Oracle JDK(Linux Production Release) 1.8 Update 212
  • Oracle JDK(Linux Production Release) 1.7 Update 221
  • Oracle Java SE Embedded 8u211
  • Oracle Insurance Performance Insight 8.0.7
  • Oracle Insurance IFRS 17 Analyzer 8.0.7
  • Oracle Insurance IFRS 17 Analyzer 8.0.6
  • Oracle Insurance Data Foundation 8.0.7
  • Oracle Insurance Data Foundation 8.0.5
  • Oracle Insurance Data Foundation 8.0.4
  • Oracle Insurance Allocation Manager for Enterprise Profitability 8.0.8
  • Oracle Instantis EnterpriseTrack 17.3
  • Oracle Instantis EnterpriseTrack 17.2
  • Oracle Instantis EnterpriseTrack 17.1
  • Oracle Identity Manager 12.2.1.3.0
  • Oracle Identity Manager 11.1.2.3.0
  • Oracle Identity Manager 11.1.2.2.0
  • Oracle Hyperion Workspace 11.1.2.4
  • Oracle Hyperion Planning 11.1.2.4
  • Oracle HTTP Server 12.2.1.3.0
  • Oracle HTTP Server 12.1.3.0.0
  • Oracle HTTP Server 11.1.1.9.0
  • Oracle Hospitality Suite8 8.9.6
  • Oracle Hospitality Suite8 8.14
  • Oracle Hospitality Suite8 8.11
  • Oracle Hospitality Suite8 8.10.2
  • Oracle Hospitality Simphony 18.2.1
  • Oracle Hospitality Guest Access 4.2.1
  • Oracle Hospitality Guest Access 4.2
  • Oracle Hospitality Gift and Loyalty 9.1
  • Oracle Hospitality Gift and Loyalty 9.0
  • Oracle Global Lifecycle Management OPatchAuto 12.2.0.1.0
  • Oracle FLEXCUBE Universal Banking 14.2
  • Oracle FLEXCUBE Universal Banking 14.0
  • Oracle FLEXCUBE Universal Banking 12.4
  • Oracle FLEXCUBE Universal Banking 12.3
  • Oracle FLEXCUBE Universal Banking 12.2
  • Oracle FLEXCUBE Universal Banking 12.1
  • Oracle FLEXCUBE Universal Banking 12.0.3
  • Oracle FLEXCUBE Universal Banking 12.0.2
  • Oracle FLEXCUBE Universal Banking 12.0.1
  • Oracle FLEXCUBE Universal Banking 14.1.0
  • Oracle FLEXCUBE Private Banking 12.1
  • Oracle FLEXCUBE Private Banking 12.0.3
  • Oracle FLEXCUBE Private Banking 12.0.1
  • Oracle FLEXCUBE Investor Servicing 14.1
  • Oracle FLEXCUBE Investor Servicing 14.0
  • Oracle FLEXCUBE Investor Servicing 12.4
  • Oracle FLEXCUBE Investor Servicing 12.3
  • Oracle FLEXCUBE Investor Servicing 12.1
  • Oracle FLEXCUBE Investor Servicing 12.0.4
  • Oracle FLEXCUBE Investor Servicing 12.0.3
  • Oracle FLEXCUBE Investor Servicing 12.0.1
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.0
  • Oracle FLEXCUBE Enterprise Limits and Collateral Management 12.1
  • Oracle FLEXCUBE Core Banking 11.8
  • Oracle FLEXCUBE Core Banking 11.7
  • Oracle FLEXCUBE Core Banking 11.6
  • Oracle FLEXCUBE Core Banking 5.2
  • Oracle Financial Services Revenue Management and Billing 2.4.0.1
  • Oracle Financial Services Revenue Management and Billing 2.4.0.0.0
  • Oracle Financial Services Retail Customer Analytics 8.0.6
  • Oracle Financial Services Retail Customer Analytics 8.0.5
  • Oracle Financial Services Retail Customer Analytics 8.0.4
  • Oracle Financial Services Regulatory Reporting for US Federal Reserve 8.0.7
  • Oracle Financial Services Regulatory Reporting for US Federal Reserve 8.0.4
  • Oracle Financial Services Regulatory Reporting for European Banking Aut 8.0.7
  • Oracle Financial Services Regulatory Reporting for European Banking Aut 8.0.6
  • Oracle Financial Services Profitability Management 8.0.7
  • Oracle Financial Services Profitability Management 8.0.6
  • Oracle Financial Services Profitability Management 8.0.5
  • Oracle Financial Services Profitability Management 8.0.4
  • Oracle Financial Services Price Creation and Discovery 8.0.7
  • Oracle Financial Services Price Creation and Discovery 8.0.5
  • Oracle Financial Services Price Creation and Discovery 8.0.4
  • Oracle Financial Services Market Risk Measurement and Management 8.0.8
  • Oracle Financial Services Market Risk Measurement and Management 8.0.6
  • Oracle Financial Services Market Risk Measurement and Management 8.0.5
  • Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.7
  • Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.5
  • Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.4
  • Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.3
  • Oracle Financial Services Loan Loss Forecasting and Provisioning 8.0.2
  • Oracle Financial Services Liquidity Risk Measurement and Management 8.0.8
  • Oracle Financial Services Liquidity Risk Measurement and Management 8.0.7
  • Oracle Financial Services Liquidity Risk Management 8.0.6
  • Oracle Financial Services Liquidity Risk Management 8.0.5
  • Oracle Financial Services Liquidity Risk Management 8.0.4
  • Oracle Financial Services Liquidity Risk Management 8.0.2
  • Oracle Financial Services Liquidity Risk Management 8.0.1
  • Oracle Financial Services Institutional Performance Analytics 8.0.7
  • Oracle Financial Services Institutional Performance Analytics 8.0.5
  • Oracle Financial Services Institutional Performance Analytics 8.0.4
  • Oracle Financial Services Hedge Management and IFRS Valuations 8.0.7
  • Oracle Financial Services Hedge Management and IFRS Valuations 8.0.5
  • Oracle Financial Services Hedge Management and IFRS Valuations 8.0.4
  • Oracle Financial Services Funds Transfer Pricing 8.0.7
  • Oracle Financial Services Funds Transfer Pricing 8.0.5
  • Oracle Financial Services Funds Transfer Pricing 8.0.4
  • Oracle Financial Services Data Integration Hub 8.0.7
  • Oracle Financial Services Data Integration Hub 8.0.5
  • Oracle Financial Services Data Foundation 8.0.8
  • Oracle Financial Services Data Foundation 8.0.5
  • Oracle Financial Services Data Foundation 8.0.4
  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Bas 8.0.7
  • Oracle Financial Services Basel Regulatory Capital Internal Ratings Bas 8.0.4
  • Oracle Financial Services Basel Regulatory Capital Basic 8.0.7
  • Oracle Financial Services Basel Regulatory Capital Basic 8.0.4
  • Oracle Financial Services Asset Liability Management 8.0.7
  • Oracle Financial Services Asset Liability Management 8.0.5
  • Oracle Financial Services Asset Liability Management 8.0.4
  • Oracle Financial Services Analytical Applications Reconciliation Framew 8.0.7
  • Oracle Financial Services Analytical Applications Reconciliation Framew 8.0.4
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.8
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.7
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.6
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.5
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.4
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.3
  • Oracle Financial Services Analytical Applications Infrastructure 8.0.2
  • Oracle Financial Services Analytical Applications Infrastructure 7.3.5
  • Oracle Financial Services Analytical Applications Infrastructure 7.3.4
  • Oracle Financial Services Analytical Applications Infrastructure 7.3.3
  • Oracle Enterprise Repository 12.1.3.0.0
  • Oracle Enterprise Manager Ops Center 12.4
  • Oracle Enterprise Manager Ops Center 12.3.3
  • Oracle Enterprise Manager for Virtualization 13.3
  • Oracle Enterprise Manager for Virtualization 13.2
  • Oracle Enterprise Manager for Virtualization 13.1
  • Oracle Enterprise Manager for Fusion Middleware 13.3
  • Oracle Enterprise Manager for Fusion Middleware 13.2
  • Oracle Enterprise Manager Base Platform 13.3.0.0.0
  • Oracle Enterprise Manager Base Platform 13.2.0.0.0
  • Oracle Enterprise Manager Base Platform 12.1.0.5.0
  • Oracle Endeca Server 7.7.0
  • Oracle Endeca Information Discovery Integrator 3.2
  • Oracle E-Business Suite 12.2.8
  • Oracle E-Business Suite 12.2.7
  • Oracle E-Business Suite 12.2.6
  • Oracle E-Business Suite 12.2.3
  • Oracle E-Business Suite 12.1.2
  • Oracle E-Business Suite 12.1.1
  • Oracle E-Business Suite 12.2.5
  • Oracle E-Business Suite 12.2.4
  • Oracle E-Business Suite 12.1.3
  • Oracle Diagnostic Assistant 2.12
  • Oracle Demantra Demand Management 7.3.1.5.2
  • Oracle Database Server 19c
  • Oracle Database Server 18c
  • Oracle Database Server 12.2.0.1
  • Oracle Database Server 12.1.0.2
  • Oracle Database Server 11.2.0.4.0
  • Oracle Data Integrator 12.2.1.3.0
  • Oracle Communications Unified 8.0.0.2.0
  • Oracle Communications Online Mediation Controller 6.1
  • Oracle Communications Messaging Server 8.0.2
  • Oracle Communications Messaging Server 8.1
  • Oracle Communications Interactive Session Recorder 6.2
  • Oracle Communications Interactive Session Recorder 6.1
  • Oracle Communications Interactive Session Recorder 6.0
  • Oracle Communications Instant Messaging Server 10.0.1.2.0
  • Oracle Communications EAGLE 46.7
  • Oracle Communications EAGLE 46.6
  • Oracle Communications EAGLE 46.5
  • Oracle Communications Diameter Signaling Router 8.3
  • Oracle Communications Diameter Signaling Router 8.2
  • Oracle Communications Diameter Signaling Router 8.1
  • Oracle Communications Diameter Signaling Router 8.0
  • Oracle Communications Convergence 3.0.2
  • Oracle Communications Converged Application Server - Service Controller 6.1
  • Oracle Communications Converged Application Server - Service Controller 6.0
  • Oracle Communications Converged Application Server 7.1
  • Oracle Communications Converged Application Server 7.0
  • Oracle Communications Converged Application Server 5.1
  • Oracle Communications Billing and Revenue Management 7.5
  • Oracle Communications Billing and Revenue Management 12.0
  • Oracle Communications Application Session Controller 3.8
  • Oracle Communications Application Session Controller 3.7.1
  • Oracle Clusterware 12.1.0.2.0
  • Oracle Business Intelligence Enterprise Edition 12.2.1.4.0
  • Oracle Business Intelligence Enterprise Edition 12.2.1.3.0
  • Oracle Business Intelligence Enterprise Edition 11.1.1.9.0
  • Oracle BI Publisher 12.2.1.3.0
  • Oracle BI Publisher 11.1.1.9.0
  • Oracle Berkeley DB 12.1.6.2.32
  • Oracle Berkeley DB 12.1.6.2.23
  • Oracle Berkeley DB 12.1.6.1.36
  • Oracle Berkeley DB 12.1.6.1.29
  • Oracle Berkeley DB 12.1.6.1.26
  • Oracle Berkeley DB 12.1.6.1.23
  • Oracle Banking Platform 2.7.1
  • Oracle Banking Platform 2.4.0
  • Oracle Application Testing Suite 13.3
  • Oracle Application Testing Suite 13.2
  • Oracle Application Testing Suite 13.1
  • Oracle Application Express 5.1
  • Oracle Application Express 18.2
  • Oracle Agile PLM 9.3.5
  • Oracle Agile PLM 9.3.3
  • Oracle Agile PLM 9.3.6
  • Oracle Agile PLM 9.3.4
  • Oracle Agile Engineering Data Management 6.2.1
  • Oracle Agile Engineering Data Management 6.2

CVE

The full list of the 319 CVEs is available in the Oracle security bulletin.

Solutions and recommendations

Applying the security patch

  • All vulnerabilities covered in the bulletin are fixed in the latest versions of the affected products. For more details, refer to the Oracle security bulletin.

Workaround

  • No workaround has been proposed.