Alert GCSA-24097 - Oracle Critical Patch Update Advisory - July 2024


******************************************************************

Alert ID: GCSA-24097
Date: 22 July 2024
Title: Oracle Critical Patch Update Advisory - July 2024

******************************************************************

:: Problem description

Oracle has released the July 2024 Critical Patch Update.
The update includes numerous security patches that fix
multiple vulnerabilities present in various products.

A remote attacker could exploit some of these vulnerabilities
to take control of an affected system.
Oracle recommends applying the updates as soon as possible.

Further information is available in the "References" section.


:: Affected software

JD Edwards EnterpriseOne Orchestrator, versions prior to 9.2.8.3
JD Edwards EnterpriseOne Tools, versions prior to 9.2.8.2
JD Edwards World Security, version A9.4
Management Pack for Oracle GoldenGate, version 12.2.1.2
MySQL Cluster, versions 7.5.34, 7.6.30, 8.0.37, 8.1.0, 8.3.0, 8.4.0 and prior
MySQL Connectors, versions 8.4.0 and prior
MySQL Enterprise Monitor, versions 8.0.38 and prior
MySQL Server, versions 8.0.37, 8.0.38, 8.2.0, 8.3.0, 8.4.0, 8.4.1, 9.0.0 and prior
MySQL Workbench, versions 8.0.36 and prior
Oracle Access Manager, version 12.2.1.4.0
Oracle Agile Engineering Data Management, versions 6.2.1.0-6.2.1.9
Oracle Analytics Desktop, versions prior to 7.7.0, and prior to 7.8.0
Oracle Application Express, version 23.2
Oracle Application Testing Suite, version 13.3.0.1
Oracle Autovue for Agile Product Lifecycle Management, version 21.0.2
Oracle Banking Branch, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Banking Cash Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Banking Corporate Lending Process Management, versions 14.4.0.0.0, 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Banking Credit Facilities Process Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Banking Deposits and Lines of Credit Servicing, version 2.12.0.0.0
Oracle Banking Liquidity Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Banking Origination, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Banking Platform, version 2.4.0.0.0
Oracle Banking Party Management, version 2.7.0.0.0
Oracle Banking Virtual Account Management, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Big Data Spatial and Graph, version 3.0.6
Oracle Business Activity Monitoring, version 12.2.1.4.0
Oracle Business Intelligence Enterprise Edition, versions 7.0.0.0.0, 7.6.0.0.0, 12.2.1.4.0
Oracle Coherence, versions 12.2.1.4.0, 14.1.1.0.0
Oracle Commerce Guided Search, version 11.3.2
Oracle Commerce Platform, versions 11.3.0, 11.3.1, 11.3.2
Oracle Communications ASAP, version 7.4
Oracle Communications Billing and Revenue Management, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
Oracle Communications BRM - Elastic Charging Engine, versions 12.0.0.4-12.0.0.8, 15.0.0.0
Oracle Communications Cloud Native Core Automated Test Suite, versions 23.1.0, 23.4.0
Oracle Communications Cloud Native Core Binding Support Function, versions 23.4.0-23.4.3
Oracle Communications Cloud Native Core Console, versions 23.4.0, 23.4.1
Oracle Communications Cloud Native Core Network Data Analytics Function, version 24.2.0
Oracle Communications Cloud Native Core Network Exposure Function, version 23.4.3
Oracle Communications Cloud Native Core Network Function Cloud Native Environment, versions 23.4.0, 24.1.0
Oracle Communications Cloud Native Core Network Repository Function, version 23.4.2
Oracle Communications Cloud Native Core Policy, versions 23.4.0-23.4.4
Oracle Communications Cloud Native Core Security Edge Protection Proxy, versions 23.4.0, 24.1.0
Oracle Communications Cloud Native Core Service Communication Proxy, versions 23.4.0, 23.4.1, 23.4.2, 24.1.0
Oracle Communications Cloud Native Core Unified Data Repository, versions 23.4.1, 23.4.2
Oracle Communications Converged Charging System, versions 2.0.0.0.0, 2.0.0.1.0
Oracle Communications Convergent Charging Controller, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0
Oracle Communications Diameter Signaling Router, versions 8.6.0.4-8.6.0.8
Oracle Communications EAGLE Element Management System, versions 46.6.4, 46.6.5
Oracle Communications Element Manager, versions 9.0.0-9.0.3
Oracle Communications Network Analytics Data Director, versions 23.4.0, 24.1.0
Oracle Communications Network Charging and Control, versions 6.0.1.0.0, 12.0.1.0.0-12.0.6.0.0, 15.0.0.0.0
Oracle Communications Operations Monitor, versions 5.1, 5.2
Oracle Communications Performance Intelligence, version 10.5
Oracle Communications Policy Management, versions 12.6.1.0.0, 15.0.0.0.0
Oracle Communications Pricing Design Center, versions 12.0.0.4.0-12.0.0.8.0, 15.0.0.0.0
Oracle Communications Service Catalog and Design, versions 7.4.0-7.4.2, 8.0.0
Oracle Communications Session Border Controller, versions 4.1.0, 4.2.0, 9.2.0, 9.3.0
Oracle Communications Session Report Manager, versions 9.0.0-9.0.3
Oracle Communications Unified Assurance, versions 5.5.0-5.5.21, 6.0.0-6.0.4
Oracle Communications Unified Inventory Management, versions 7.4.1, 7.4.2
Oracle Communications User Data Repository, versions 12.11.0, 12.11.3, 12.11.4
Oracle Data Integrator, version 12.2.1.4.0
Oracle Database Server, versions 19.3-19.23, 21.3-21.14, 23.4
Oracle Documaker, versions 12.6.4-12.7.1
Oracle E-Business Suite, versions 12.2.3-12.2.13
Oracle Enterprise Data Quality, version 12.2.1.4.0
Oracle Enterprise Manager Base Platform, version 13.5.0.0
Oracle Essbase, version 21.5.6
Oracle Financial Services Analytical Applications Infrastructure, versions 8.0.7, 8.0.8, 8.1.1, 8.1.2
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.7.3, 8.0.8.3
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.7.3, 8.0.8.3
Oracle Financial Services Behavior Detection Platform, versions 8.0.8.1, 8.1.1.1, 8.1.2.6, 8.1.2.7
Oracle Financial Services Compliance Studio, versions 8.1.2.6, 8.1.2.7
Oracle Financial Services Enterprise Case Management, versions 8.0.8.2.8, 8.1.1.1.18, 8.1.2.6.4, 8.1.2.7.3
Oracle Financial Services Model Management and Governance, versions 8.1.2.5, 8.1.2.6
Oracle Financial Services Revenue Management and Billing, versions 6.0.0.0.0, 6.1.0.0.0
Oracle Financial Services Trade-Based Anti Money Laundering Enterprise Edition, version 8.0.8.0
Oracle FLEXCUBE Investor Servicing, versions 14.5.0.0.0, 14.7.0.0.0
Oracle FLEXCUBE Universal Banking, versions 14.5.0.0.0, 14.6.0.0.0, 14.7.0.0.0
Oracle Fusion Middleware, version 12.2.1.4.0
Oracle Global Lifecycle Management NextGen OUI Framework, version 12.2.1.4.0
Oracle GoldenGate, versions 19.1.0.0.0-19.23.0.0.240716, 21.3-21.14
Oracle GoldenGate Big Data and Application Adapters, versions 19.1.0.0.0-19.1.0.0.18, 21.3-21.14.0.0.0
Oracle GoldenGate Studio, version 12.2.0.4.0
Oracle GraalVM Enterprise Edition, versions 20.3.14, 21.3.10
Oracle GraalVM for JDK, versions 17.0.11, 21.0.3, 22.0.1
Oracle Graph Server and Client, versions 22.4.7 and prior, 23.4.2 and prior, 24.1.0 and prior
Oracle Healthcare Data Repository, versions 8.1.4, 8.2.0
Oracle Healthcare Foundation, versions 8.2.0, 8.2.1, 8.2.2, 8.2.3, 8.2.4
Oracle Healthcare Master Person Index, versions 5.0.0-5.0.9
Oracle HTTP Server, version 12.2.1.4.0
Oracle Hyperion Data Relationship Management, version 11.2.17.0.0
Oracle Hyperion Financial Close Management, version 11.2.17.0.0
Oracle Hyperion Infrastructure Technology, version 11.2.17.0.0
Oracle Identity Manager, version 12.2.1.4.0
Oracle Insurance Policy Administration J2EE, versions 11.2.12, 11.3.0-11.3.2
Oracle Java SE, versions 8u411, 8u411-perf, 11.0.23, 17.0.11, 21.0.3, 22.0.1
Oracle JDeveloper, version 12.2.1.4.0
Oracle Middleware Common Libraries and Tools, version 12.2.1.4.0
Oracle NoSQL Database, versions 1.4, 1.5, and prior to 19.5.42, 20.3.40, 21.2.27, 22.3.46, 23.3.32
Oracle Outside In Technology, version 8.5.7
Oracle Reports Developer, versions 12.2.1.4.0, 12.2.1.19.0
Oracle REST Data Services, versions prior to 23.3.1, 24.1.0
Oracle Retail Assortment Planning, versions 15.0.3, 16.0.3
Oracle Retail Financial Integration, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
Oracle Retail Integration Bus, versions 14.1.3.2, 15.0.3.1, 16.0.3, 19.0.1
Oracle Retail Predictive Application Server, versions 15.0.3, 16.0.3
Oracle Retail Xstore Office, versions 19.0.5, 20.0.3, 20.0.4, 22.0.0, 23.0.1
Oracle Service Bus, version 12.2.1.4.0
Oracle Solaris, version 11
Oracle TimesTen In-Memory Database, versions 22.1.1.1.0-22.1.1.24.0
Oracle Unified Directory, version 12.2.1.4.0
Oracle Utilities Application Framework, versions 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0, 4.4.0.3.0, 4.5.0.0.0, 4.5.0.1.1-4.5.0.1.3, 24.1.0.0.0, 24.2.0.0.0
Oracle VM VirtualBox, versions prior to 7.0.20
Oracle WebCenter Content, version 12.2.1.4.0
Oracle WebCenter Portal, version 12.2.1.4.0
Oracle WebCenter Sites, version 12.2.1.4.0
Oracle WebLogic Server, versions 12.2.1.4.0, 14.1.1.0.0
Oracle ZFS Storage Appliance Kit, version 8.8
PeopleSoft Enterprise HCM Human Resources, version 9.2
PeopleSoft Enterprise HCM Shared Components, version 9.2
PeopleSoft Enterprise PeopleTools, versions 8.59, 8.60, 8.61
Primavera Gateway, versions 19.12.0-19.12.19, 20.12.0-20.12.14, 21.12.0-21.12.12
Primavera Unifier, versions 19.12.0-19.12.16, 20.12.0-20.12.16, 21.12.0-21.12.17, 22.12.0-22.12.13, 23.12.0-23.12.6
Siebel Applications, versions 22.12, 23.12, 24.6 and prior

For a complete description of the affected products,
refer to the official advisory in the "References" section.


:: Impact

Remote Code Execution (RCE)
Denial of Service (DoS)
Security Restriction Bypass (SRB)
Information Disclosure (ID)
Data Manipulation (Tampering)
Elevation of Privilege (EoP)
Cross Site Scripting (XSS)

The impact of the vulnerabilities varies depending on the product,
the component and the system configuration.


:: Solutions

Apply the appropriate patches or perform the relevant upgrade
following the instructions released by Oracle.

Java SE Downloads
https://www.oracle.com/java/technologies/downloads/

Java Downloads for All Operating Systems
https://www.java.com/en/download/manual.jsp


:: References

Oracle Critical Patch Updates, Security Alerts and Bulletins
https://www.oracle.com/security-alerts/
https://www.oracle.com/security-alerts/cpujul2024.html
https://www.oracle.com/security-alerts/cpujul2024verbose.html

CVE references are available in the original advisory.



GARR CERT Security Alert - subscribe/unsubscribe:
http://www.cert.garr.it/alert/ricevi-gli-alert-di-cert
