Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
===========================================================================
AUSCERT Security Bulletin
ASB-2018.0162
Security Advisory: Oracle Enterprise Manager Products
18 July 2018
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Enterprise Manager Products
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote with User Interaction
Access Confidential Data -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2018-7489 CVE-2018-2976 CVE-2018-1275
CVE-2018-0739 CVE-2017-9798 CVE-2017-5645
CVE-2016-9878 CVE-2016-1181
Member content until: Friday, August 17 2018
Reference: ASB-2018.0159
ASB-2018.0158
ASB-2018.0134
ASB-2018.0095
OVERVIEW
Multiple vulnerabilities have been identified in
Enterprise Manager Base Platform, versions 12.1.0.5,
13.2.x
Enterprise Manager for Fusion Middleware, versions
12.1.0.5, 13.2.x
Enterprise Manager for MySQL Database, versions
13.2.2.0.0 and prior
Enterprise Manager for Oracle Database, versions
12.1.0.8, 13.2.2
Enterprise Manager for Peoplesoft, versions 13.1.1.1,
13.2.1.1
Enterprise Manager for Virtualization, versions 13.2.2,
13.2.3
Enterprise Manager Ops Center, versions 12.2.2, 12.3.3
Oracle Application Testing Suite, version 10.1
[1]
IMPACT
The vendor has provided the following information regarding
the vulnerabilities:
"This Critical Patch Update contains 16 new security fixes
for the Oracle Enterprise Manager Products Suite. All of
these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network
without requiring user credentials. None of these fixes
are applicable to client-only installations, i.e.,
installations that do not have the Oracle Enterprise Manager
Products Suite installed." [1]
"CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2017-5645
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Supported versions that are affected are 12.1.0.5 and
13.2.x. Easily exploitable vulnerability allows
unauthenticated attacker with network access via HTTP to
compromise Enterprise Manager Base Platform. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager Base Platform.
CVE-2018-7489
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is All. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via multiple protocols to compromise
Oracle Global Lifecycle Management OPatchAuto. Successful
attacks of this vulnerability can result in takeover of
Oracle Global Lifecycle Management OPatchAuto.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2018-1275
9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 10.1. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Oracle
Application Testing Suite. Successful attacks of this
vulnerability can result in takeover of Oracle Application
Testing Suite.
CVE-2018-2976
8.2
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
The supported version that is affected is 12.2.2. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Enterprise
Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data as well as unauthorized update, insert or
delete access to some of Enterprise Manager Ops Center
accessible data.
CVE-2016-1181
8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
The supported version that is affected is 12.1.0.5.
Difficult to exploit vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager for Fusion Middleware. Successful
attacks of this vulnerability can result in takeover of
Enterprise Manager for Fusion Middleware.
CVE-2017-9798
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is 13.2.x. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Enterprise
Manager Base Platform. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Base
Platform accessible data.
CVE-2016-9878
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Supported versions that are affected are 12.2.2 and 12.3.3.
Easily exploitable vulnerability allows unauthenticated
attacker with network access via HTTP to compromise
Enterprise Manager Ops Center. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Ops Center
accessible data.
CVE-2017-9798
7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
The supported version that is affected is 13.2.x. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via HTTP to compromise Enterprise
Manager Base Platform. Successful attacks of this
vulnerability can result in unauthorized access to critical
data or complete access to all Enterprise Manager Base
Platform accessible data.
CVE-2018-0739
6.5
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Supported versions that are affected are 4.4.1.5.0,
5.0.0.1.0, 5.0.0.2.0, 5.0.1.0.0 and 5.0.2.0.0. Easily
exploitable vulnerability allows unauthenticated attacker
with network access via TLS to compromise Oracle
Communications Network Charging and Control. Successful
attacks require human interaction from a person other than
the attacker. Successful attacks of this vulnerability can
result in unauthorized ability to cause a hang or frequently
repeatable crash (complete DOS) of Oracle Communications
Network Charging and Control." [2]
MITIGATION
Oracle states:
"Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon
as possible. Until you apply the CPU fixes, it may be
possible to reduce the risk of successful attack by blocking
network protocols required by an attack. For attacks that
require certain privileges or access to certain packages,
removing the privileges or the ability to access the
packages from users that do not need the privileges may help
reduce the risk of successful attack. Both approaches may
break application functionality, so Oracle strongly
recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term
solution as neither corrects the underlying problem." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2018
http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
[2] Text Form of Oracle Critical Patch Update - July 2018 Risk Matrices
http://www.oracle.com/technetwork/security-advisory/cpujul2018verbose-4258253.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBW07NAWaOgq3Tt24GAQgn7A//aOo67wSEirEUpRZ3Q7r5TZiF5s6/JSbO
SBnA3o1PTXRFxBQ673y++5+cn5NeHcjTC35fs6NCwmnl+8v7NiDvrv3eqwGJnGRk
Cs+cuhKeKMBEoASo/EqoA48Z+lxFI4nzqpglmEh43dX74wwYRgP6MnWz601JrvXN
dn4lcqAocHfxjrK3vAI3Dvjhknwf+FJty/VNpK1A+XylHogVNUbu2yNwtI2VzA7r
kOn8n+kfspIQ/5QLh2lNJvV1cELz3Uiy1RH+A0uKveoMds4E7gdM3lUv1xpIO4RH
i/khhReBBRcZVHzeen5qD1MtwsoUET/kwsrUwV7AHBs8GrKJGZYj1c+eH0dN6GwH
nQU77w3k84rxIywoTZP7/MatXvzRIR1dyLQpuG1AYZ0fA7tj0QCElNDlJhfGs2QT
h3ubR3mU9IP22qoZsuzq9yMXkWk0lQfqYiOjJMoeDxaecBuLX3EyaKqpdlME9PH1
qq87/oGuzOBw1YoRedWgukrlzrLB4ffYWk52sztzaFaa6MNygWX8ML+SthwG5Biq
tkbYoiZdY3EAmQHiivvcs2YiFaSWBZj85mwUv1utUe3a/IsgsajRFjFuEfYeOQFL
AXkiuVmoiaSblB34ENJaYGSL8iaWK4gtYWljdPdqL6pXlGZKzpy6qrADy5rlwmc9
A1unxG/eMzA=
=C7h4
-----END PGP SIGNATURE-----