Oracle Family April 2024 Secondary Security Update Advisory
Overview
We have released security updates to fix vulnerabilities in the Oracle family of products. Users of affected products are advised to update to the latest version.
Affected Products
CVE-2024-21076, CVE-2024-21077, CVE-2024-21074, CVE-2024-21075, CVE-2024-21073
- Oracle Trade Management versions 12.2.3-12.2.13
CVE-2024-21110, CVE-2024-21116, CVE-2024-21112, CVE-2024-21103, CVE-2024-21114, CVE-2024-21111, CVE-2024-21115, CVE-2024-21113
- Oracle VM VirtualBox versions prior to 7.0.16
CVE-2024-21088
- Oracle Production Scheduling versions 12.2.4-12.2.12
CVE-2024-21067
- Oracle Enterprise Manager Base Platform version 13.5.0.0
CVE-2024-20952, CVE-2024-20918
- Oracle Java SE versions 8u391, 8u391-perf, 11.0.21, 17.0.9, 21.0.1
- Oracle GraalVM for JDK versions 17.0.9, 21.0.1
- Oracle GraalVM Enterprise Edition versions 20.3.12, 21.3.8, 22.3.4
CVE-2024-21010, CVE-2024-21014
- Oracle Hospitality Simphony versions 19.1.0-19.5.4
CVE-2024-20932
- Oracle Java SE version 17.0.9
- Oracle GraalVM for JDK version 17.0.9
- Oracle GraalVM Enterprise Edition versions 21.3.8, 22.3.4
CVE-2024-21059, CVE-2024-20999
- Oracle Solaris version 11
CVE-2024-21090
- MySQL Connectors versions prior to 8.3.0
CVE-2024-21071
- Oracle Workflow versions 12.2.3-12.2.13
CVE-2024-21006, CVE-2024-21007
- Oracle WebLogic Server versions 12.2.1.4.0, 14.1.1.0.0
CVE-2024-21078, CVE-2024-21079
- Oracle Marketing versions 12.2.3-12.2.13
CVE-2024-21082, CVE-2024-21083
- Oracle BI Publisher versions 7.0.0.0.0.0, 12.2.1.4.0
CVE-2024-21092
- Oracle Agile Product Lifecycle Management for Process version 6.2.4.2
CVE-2024-20989, CVE-2024-20997
- Oracle Hospitality Simphony versions 19.1.0-19.5.4
CVE-2024-21095
- Primavera P6 Enterprise Project Portfolio Management versions 19.12.0-19.12.22, 20.12.0-20.12.21, 21.12.0-21.12.18, 22.12.0-22.12.12, 23.12.0-23.12.2
Resolved Vulnerabilities
Vulnerabilities in the Oracle Trade Management product in Oracle E-Business Suite, accessible via HTTP, could allow unauthorized access to data by attackers (CVE-2024-21076, CVE-2024-21077, CVE-2024-21074, CVE-2024-21075, CVE-2024-21073)
Privilege escalation vulnerabilities in the Oracle VM VirtualBox product in Oracle Virtualization that could allow a low-privileged attacker who can log in to the system to conduct attacks (CVE-2024-21110, CVE-2024-21116, CVE-2024-21112, CVE-2024-21103, CVE-2024-21114, CVE-2024-21111, CVE-2024-21115, CVE-2024-21113)
Vulnerability in the Oracle Production Scheduling product in Oracle E-Business Suite, accessible via HTTP, that could allow unauthorized access to data by an attacker (CVE-2024-21088)
An escalation of privilege vulnerability in the Oracle Enterprise Manager product in Oracle Enterprise Manager that could allow a low-privileged attacker who can log in to the system to conduct attacks (CVE-2024-21067)
Vulnerabilities in Oracle Java SE, Oracle GraalVM for JDK, and Oracle GraalVM Enterprise Edition products in Oracle Java SE that could allow attackers with access via multiple protocols to gain unauthorized access to data (CVE-2024-20952, CVE-2024-20932, CVE-2024-20918)
Privilege escalation vulnerabilities in Oracle Hospitality Simphony product in Oracle Food and Beverage Applications that could allow attackers with access via HTTP to conduct attacks (CVE-2024-21010, CVE-2024-21014, CVE-2024-20997)
Privilege escalation vulnerabilities in the Oracle Solaris product in Oracle Systems that could allow a low-privileged attacker who can log in to the system to conduct attacks (CVE-2024-21059, CVE-2024-20999)
An elevation of privilege vulnerability in the MySQL Connector product in Oracle MySQL that could allow an attacker with access over the network to conduct attacks (CVE-2024-21090)
A privilege escalation vulnerability in the Oracle Workflow product in Oracle E-Business Suite that could allow attackers with access via HTTP to conduct attacks (CVE-2024-21071)
Vulnerabilities in the Oracle WebLogic Server product in Oracle Fusion Middleware (T3, IIOP) that could allow an attacker with access via IIOP to gain unauthorized access to data (CVE-2024-21006, CVE-2024-21007)
Vulnerabilities in the Oracle Marketing product in Oracle E-Business Suite that could allow attackers with access via HTTP to gain unauthorized access to data (CVE-2024-21078, CVE-2024-21079)
Privilege escalation vulnerabilities in the Oracle BI Publisher product in Oracle Analytics that could be exploited by attackers with access via HTTP (CVE-2024-21082, CVE-2024-21083)
Vulnerability in the Oracle Agile Product Lifecycle Management for Process product in Oracle Supply Chain that could allow attackers with access via HTTP to gain unauthorized access to data (CVE-2024-21092)
Vulnerability in the Oracle Hospitality Simphony product in Oracle Food and Beverage Applications that could allow an attacker with access via HTTP to gain unauthorized access to data (CVE-2024-20989)
Vulnerability in the Primavera P6 Enterprise Project Portfolio Management product in Oracle Construction and Engineering that could allow attackers with access via HTTP to gain unauthorized access to data (CVE-2024-21095)
Vulnerability Patches
Patches for these vulnerabilities are available in the latest updates. Follow the instructions on the referenced sites [2] and [3] to update to the patched versions.
Referenced Sites
[1] Critical Patch Updates, Security Alerts and Bulletins
https://www.oracle.com/security-alerts/
[2] Oracle Critical Patch Update Advisory – April 2024
https://www.oracle.com/security-alerts/cpuapr2024.html
[3] Oracle Critical Patch Update Advisory – January 2024