===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2021.0016
               Oracle E-Business Suite Critical Patch Update
                              21 January 2021

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle E-Business Suite
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated      
                      Modify Arbitrary Files          -- Remote with User Interaction
                      Read-only Data Access           -- Remote/Unauthenticated      
                      Access Confidential Data        -- Remote/Unauthenticated      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2021-2118 CVE-2021-2115 CVE-2021-2114
                      CVE-2021-2107 CVE-2021-2106 CVE-2021-2105
                      CVE-2021-2101 CVE-2021-2100 CVE-2021-2099
                      CVE-2021-2098 CVE-2021-2097 CVE-2021-2096
                      CVE-2021-2094 CVE-2021-2093 CVE-2021-2092
                      CVE-2021-2091 CVE-2021-2090 CVE-2021-2089
                      CVE-2021-2085 CVE-2021-2084 CVE-2021-2083
                      CVE-2021-2082 CVE-2021-2077 CVE-2021-2059
                      CVE-2021-2034 CVE-2021-2029 CVE-2021-2027
                      CVE-2021-2026 CVE-2021-2023 CVE-2021-2017
                      CVE-2021-2015  
Member content until: Saturday, February 20 2021
Reference:            ESB-2021.0121
                      ESB-2021.0120
                      ESB-2021.0119
                      ESB-2021.0117

OVERVIEW

        Multiple vulnerabilities have been identified in:
         o Oracle E-Business Suite, versions 12.1.1-12.1.3, 12.2.3-12.2.10
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 31 new security patches for
        Oracle E-Business Suite. 29 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials." [1]
        
        CVE-2021-2029
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.8. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Scripting. Successful attacks of this vulnerability can result
        in takeover of Oracle Scripting.
         Affects:
         o Oracle Scripting 12.1.1-12.1.3, 12.2.3-12.2.8
        
        CVE-2021-2100
          9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle One-to-One Fulfillment. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle One-to-One
        Fulfillment accessible data as well as unauthorized access to
        critical data or complete access to all Oracle One-to-One Fulfillment
        accessible data.
         Affects:
         o Oracle One-to-One Fulfillment 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2101
          9.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle One-to-One Fulfillment. Successful attacks of this
        vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle One-to-One
        Fulfillment accessible data as well as unauthorized access to
        critical data or complete access to all Oracle One-to-One Fulfillment
        accessible data.
         Affects:
         o Oracle One-to-One Fulfillment 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2093
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Common Applications. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Common Applications, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Common Applications accessible data as
        well as unauthorized update, insert or delete access to some of
        Oracle Common Applications accessible data.
         Affects:
         o Oracle Common Applications 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2114
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Common Applications Calendar. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Common Applications Calendar, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Common Applications Calendar accessible
        data as well as unauthorized update, insert or delete access to some
        of Oracle Common Applications Calendar accessible data.
         Affects:
         o Oracle Common Applications Calendar 12.1.1-12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2034
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Common Applications
        Calendar. Successful attacks require human interaction from a person
        other than the attacker and while the vulnerability is in Oracle
        Common Applications Calendar, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle Common Applications Calendar accessible data as well as
        unauthorized update, insert or delete access to some of Oracle Common
        Applications Calendar accessible data.
         Affects:
         o Oracle Common Applications Calendar 12.1.1-12.1.3
        
        CVE-2021-2084
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle CRM Technical
        Foundation. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle CRM Technical Foundation, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle CRM Technical Foundation accessible data as well as
        unauthorized update, insert or delete access to some of Oracle CRM
        Technical Foundation accessible data.
         Affects:
         o Oracle CRM Technical Foundation 12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2085
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle CRM Technical
        Foundation. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle CRM Technical Foundation, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle CRM Technical Foundation accessible data as well as
        unauthorized update, insert or delete access to some of Oracle CRM
        Technical Foundation accessible data.
         Affects:
         o Oracle CRM Technical Foundation 12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2092
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle CRM Technical
        Foundation. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle CRM Technical Foundation, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle CRM Technical Foundation accessible data as well as
        unauthorized update, insert or delete access to some of Oracle CRM
        Technical Foundation accessible data.
         Affects:
         o Oracle CRM Technical Foundation 12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2099
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.2.3-12.2.10. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle CRM Technical
        Foundation. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle CRM Technical Foundation, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle CRM Technical Foundation accessible data as well as
        unauthorized update, insert or delete access to some of Oracle CRM
        Technical Foundation accessible data.
         Affects:
         o Oracle CRM Technical Foundation 12.2.3-12.2.10
        
        CVE-2021-2105
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Customer Interaction History. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Customer Interaction History, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Customer Interaction History accessible
        data as well as unauthorized update, insert or delete access to some
        of Oracle Customer Interaction History accessible data.
         Affects:
         o Oracle Customer Interaction History 12.1.1-12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2106
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Customer Interaction History. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Customer Interaction History, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Customer Interaction History accessible
        data as well as unauthorized update, insert or delete access to some
        of Oracle Customer Interaction History accessible data.
         Affects:
         o Oracle Customer Interaction History 12.1.1-12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2107
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Customer Interaction History. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Customer Interaction History, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Customer Interaction History accessible
        data as well as unauthorized update, insert or delete access to some
        of Oracle Customer Interaction History accessible data.
         Affects:
         o Oracle Customer Interaction History 12.1.1-12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2090
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Email Center. Successful attacks require human interaction
        from a person other than the attacker and while the vulnerability is
        in Oracle Email Center, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Email Center accessible data as well as unauthorized update, insert
        or delete access to some of Oracle Email Center accessible data.
         Affects:
         o Oracle Email Center 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2098
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Email Center. Successful attacks require human interaction
        from a person other than the attacker and while the vulnerability is
        in Oracle Email Center, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Email Center accessible data as well as unauthorized update, insert
        or delete access to some of Oracle Email Center accessible data.
         Affects:
         o Oracle Email Center 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2089
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iStore. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle iStore, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle iStore
        accessible data as well as unauthorized update, insert or delete
        access to some of Oracle iStore accessible data.
         Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2077
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iStore. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle iStore, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle iStore
        accessible data as well as unauthorized update, insert or delete
        access to some of Oracle iStore accessible data.
         Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2082
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iStore. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle iStore, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle iStore
        accessible data as well as unauthorized update, insert or delete
        access to some of Oracle iStore accessible data.
         Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2096
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iStore. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle iStore, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle iStore
        accessible data as well as unauthorized update, insert or delete
        access to some of Oracle iStore accessible data.
         Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2097
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iSupport. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle iSupport, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        iSupport accessible data as well as unauthorized update, insert or
        delete access to some of Oracle iSupport accessible data.
         Affects:
         o Oracle iSupport 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2083
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iSupport. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle iSupport, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        iSupport accessible data as well as unauthorized update, insert or
        delete access to some of Oracle iSupport accessible data.
         Affects:
         o Oracle iSupport 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2026
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle Marketing, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Marketing accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
         Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2027
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle Marketing, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Marketing accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
         Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2118
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Marketing. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle Marketing, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Marketing accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Marketing accessible data.
         Affects:
         o Oracle Marketing 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2094
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle One-to-One Fulfillment. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle One-to-One Fulfillment, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle One-to-One Fulfillment accessible data
        as well as unauthorized update, insert or delete access to some of
        Oracle One-to-One Fulfillment accessible data.
         Affects:
         o Oracle One-to-One Fulfillment 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2091
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Scripting. Successful attacks require human interaction from a
        person other than the attacker and while the vulnerability is in
        Oracle Scripting, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Scripting accessible data as well as unauthorized update, insert or
        delete access to some of Oracle Scripting accessible data.
         Affects:
         o Oracle Scripting 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2015
          8.2 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.2.3-12.2.10. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Workflow. Successful
        attacks require human interaction from a person other than the
        attacker and while the vulnerability is in Oracle Workflow, attacks
        may significantly impact additional products. Successful attacks of
        this vulnerability can result in unauthorized access to critical data
        or complete access to all Oracle Workflow accessible data as well as
        unauthorized update, insert or delete access to some of Oracle
        Workflow accessible data.
         Affects:
         o Oracle Workflow 12.2.3-12.2.10
        
        CVE-2021-2115
          7.6 AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows low
        privileged attacker with network access via HTTP to compromise Oracle
        Common Applications Calendar. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Common Applications Calendar, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Common Applications Calendar accessible
        data as well as unauthorized update, insert or delete access to some
        of Oracle Common Applications Calendar accessible data.
         Affects:
         o Oracle Common Applications Calendar 12.1.1-12.1.3,
           12.2.3-12.2.10
        
        CVE-2021-2059
          5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.10. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle iStore. Successful attacks of this vulnerability can result in
        unauthorized read access to a subset of Oracle iStore accessible
        data.
         Affects:
         o Oracle iStore 12.1.1-12.1.3, 12.2.3-12.2.10
        
        CVE-2021-2023
          4.7 AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N
        Supported versions that are affected are 12.1.1-12.1.3 and
        12.2.3-12.2.9. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Installed Base. Successful attacks require human interaction
        from a person other than the attacker and while the vulnerability is
        in Oracle Installed Base, attacks may significantly impact additional
        products. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of Oracle
        Installed Base accessible data.
         Affects:
         o Oracle Installed Base 12.1.1-12.1.3, 12.2.3-12.2.9
        
        CVE-2021-2017
          4.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 12.1.3 and 12.2.3-12.2.10.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle User Management.
        Successful attacks of this vulnerability can result in unauthorized
        read access to a subset of Oracle User Management accessible data.
         Affects:
         o Oracle User Management 12.1.3, 12.2.3-12.2.10


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2021
            https://www.oracle.com/security-alerts/cpujan2021.html

        [2] Text Form of Oracle Critical Patch Update - January 2021 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpujan2021verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================