Pierluigi Paganini January 18, 2019

Oracle released the first critical patch advisory for 2019 that addresses a total of 284 vulnerabilities, 33 of them are rated “critical”.

Let’s give a close look at some of the vulnerabilities fixed by this patch advisory.

The advisory fixed the CVE-2016-1000031 flaw, a remote code execution (RCE) bug in the Apache Commons FileUpload,  disclosed in November last year. The Commons FileUpload library is the default file upload mechanism in Struts 2, the CVE-2016-1000031 was discovered two years ago by experts at Tenable.

The bug affected the OCA’s Diameter Signalling Router component and its Communications Services Gatekeeper. The flaw also affected the Financial Services Analytical Applications Infrastructure, the Fusion Middleware MapViewer, and four three Oracle Retail components.

A vulnerability in the Apache Log4j tracked as CVE-2017-5645 impacted the Oracle’s Converged Application Server – Service Controller, the OCA Online Mediation Controller Service Broker, the WebRTC Session Controller, the FLEXCUBE component in Oracle Financial Services Applications, the Fusion’s GoldenGate app adapters and SOA Suite, and also a Sun tape library component.

The CVE-2017-5645 flaw resides in the Codehaus versions of Groovy and affected OCA Unified Inventory Management.

The critical patch advisory for 2019 also fixed the CVE-2018-11776 vulnerability in the OCA’s Communications Policy Management Component, this issue was exploited in 2018 by threat actors to mine cryptocurrency.

Oracle also addressed an arbitrary file upload flaw (CVE-2018-9206) in the OCA’s Services Gatekeeper that also impacted Primavera P6 in the Construction and Engineering Suite, and Siebel CRM.

Another bug fixed by Big Red affected the Oracle E-Business’ Performance Management component, it was in CVE-2019-2453:

“Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle Performance Management.” reads the description provided by

“Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Performance Management accessible data as well as unauthorized access to critical data or complete access to all Oracle Performance Management accessible data. “

Oracle addressed the CVE-2016-4000 flaw, Jython provided a vector for arbitrary code, it is used by Oracle Enterprise Manager platform, Banking Platform, and Utilities Network Management System.

The list is very long, it also includes patches for a DoS in the Derby
Apache tool used in the WebLogic server (CVE-2015-1832) and an RCE bug in the Spring framework used by Oracle Tuxedo and the Sun Tape Library ACSLS component.

People interested in the full list could visit the following address:

https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html

Pierluigi Paganini

(SecurityAffairs – hacking, critical patch advisory)

[adrotate banner=”5″]

[adrotate banner="13"]