Recently, just in the middle of the summer holidays, Oracle has released the third Critical Patch Advisory for its products. It seems there’s a lot of work going on in Redwood Shore. Oracle has fixed about 319 security vulnerabilities across their products. The Oracle database is relatively prominently represented with 9 security vulnerabilities and a maximal CVSS rating of 9.8. The problem CVE-2018-11058 with such a high CVSS rating is related to Core RDBMS and affects all Oracle releases on various platforms. In addition this vulnerability can also be exploited remotely over the network. 3 of the security bug fixes are for client-only installations. So you have to patch your database servers as well the clients.
Oracle Unified Directory itself is not mentioned in the Oracle Critical Patch Update Advisory. But the MOS note 2385785.1 Information And Bug Listing of Oracle Unified Directory Bundle Patches: 12.2.1.3.x (12cR2PS3) Version does provide information on the latest bundle patch for OUD. Beside this patch, There are updates for Oracle WebLogic and Oracle Java as well (see links below).
The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.8. The following components are affected:
- Oracle 11.2 Core RDBMS, Java VM, Oracle Text
- Oracle 12.1 Core RDBMS, Java VM, Oracle Text
- Oracle 12.2 Core RDBMS, Java VM, Oracle Text, Spatial
- Oracle 18c Core RDBMS, Java VM, Oracle Text, Spatial
- Oracle 19c Core RDBMS, Java VM
Oracle Java VM is not installed by default. It is therefore recommended that you check your database environment to see if it is necessary to apply this critical patch update.
For Oracle Fusion Middleware the situation looks somehow different. The Critical Patch Update includes not less than 33 fixes for vulnerabilities. Several of the vulnerabilities may be remotely exploitable without authentication and are rated with the highest CVSS rating of 9.8.
By the way, I’ve just update my Docker build scripts for Oracle Databases as well Oracle Unified Directory on GitHub to use the latest release updates. Ok, I still haven’t improved the documentation, but at least the build scripts are up to date. 🙂
A few links related to this Critical Patch Update.
- Critical Patch Updates and Security Alerts
- Oracle Critical Patch Update Advisory – July 2019.
- Critical Patch Update (CPU) Program July 2019 Patch Availability Document (PAD)[2534806.1]
- Information And Bug Listing of Oracle Unified Directory Bundle Patches: 12.2.1.3.x (12cR2PS3) Version[2385785.1]
- Information And Bug Listing of Oracle Unified Directory Bundle Patches: 11.1.2.3.x (11gR2PS3) Version[2067482.1]
- Patch Set Update (PSU) Release Listing for Oracle WebLogic Server (WLS)[1470197.1]
- All Java SE Downloads on MOS[1439822.1]
- Oracle Database and Oracle Unified Directory build scripts oehrlis/docker
- Setup and initialisation scripts for Oracle environments oehrlis/oradba_init
- TVD-Critical Patch Report