Oracle Critical Patch Update for January 2018

Oracle | Hyperion Products

Oracle Critical Patch Update Advisory – January 2018

Link to Update:  http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html

Essential Oracle | Hyperion Products Affected:

• Hyperion BI+, version 11.1.2.4
• Hyperion Data Relationship Management, version 11.1.2.4.330
• Oracle Hyperion Planning, version 11.1.2.4.007
• Oracle Database Server, versions 11.2.0.4, 12.1.0.2, 12.2.0.1
• Oracle Business Intelligence Enterprise Edition, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.2.0, 12.2.1.3.0
• Oracle Java SE, versions 6u171, 7u161, 8u152, 9.0.1
• Oracle Java SE Embedded, version 8u151
• Oracle JRockit, version R28.3.16
• Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0, 12.2.1.2.0, 12.2.1.3.0

Essential Oracle | Hyperion Related Products Affected:

• MySQL Server, versions 5.5.58 and prior, 5.6.38 and prior, 5.7.20 and prior
• Oracle E-Business Suite, versions 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6, 12.2.7
• Oracle Fusion Middleware, versions 11.1.1.7, 11.1.1.9, 11.1.2.3, 12.1.3.0, 12.2.1.2, 12.2.1.3
• Oracle Fusion Applications, versions 11.1.2 through 11.1.9

Patch Availability Document: 

The January 2018 CPU Availability Document can be found here. Please note that an Oracle Account sign in is required to view the Oracle support documents, including installation documentation. 

Assessment:

This Critical Patch Update (CPU) contains a total of 238 security related fixes across a variety of Oracle Products, including Oracle Database Server, Oracle Hyperion, Oracle Fusion Middleware, Oracle E-Business Suite, etc. Approximately 25% of the updates are for non-Oracle CVEs, vulnerabilities in third-party components used in Oracle product distributions. For vulnerabilities affecting Oracle Fusion applications, customers need to refer to My Oracle Support Note 1967316.1 for details.

This CPU provides fixes in response to the Spectre (CVE-2017-5753, CVE-2017-5715) and Meltdown (CVE-2017-5754) vulnerabilities. For the details and patches regarding to these vulnerabilities, you can refer to Document 2347948.1. Oracle’s general recommendation is to keep up with the security updates from your operating systems, virtualization technologies and hardware when released by their respective vendors, in addition to patches for Oracle products (https://support.oracle.com/epmos/faces/DocumentDisplay?_afrLoop=393290929121756&id=2347948.1&_afrWindowMode=0&_adf.ctrl-state=657sbocfs_298).

The January 2018 CPU provides 5 new fixes for Oracle Database, majority of which have a CVSS base rating of 8. If exploited, CVE-2017-10282 with 9.1 CVSS rating, can result in takeover of Core RDBMS. (http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html).

The January 2018 CPU provides 4 new security fixes for Hyperion. 1 of the vulnerabilities is remotely exploitable without authentication. If exploited, these vulnerabilities can lead to unauthorized read access to confidential data (http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html).

The January 2018 CPU provides 27 security fixes for Oracle Fusion Middleware. 17 of the vulnerabilities received CVVS rating above 8. Successful attacks can result in unauthorized access to critical data or complete access to all Oracle Business Intelligence Enterprise Edition accessible data as well as unauthorized updates (http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html).

Oracle strongly recommends applying the patches as soon as possible. Should you have any questions on this matter, please do not hesitate to email us at support@goalgetters.com.