Oracle Family October 2024 Security Update Advisory
Overview
Oracle has released updates that address vulnerabilities across its product lines. Users of the affected versions listed below are advised to update to the fixed versions.
Affected Products
CVE-2024-21259
- Oracle VM VirtualBox versions: prior to 7.0.22
- Oracle VM VirtualBox versions: prior to 7.1.2
CVE-2024-21275
- Oracle Quoting versions: 12.2.7 – 12.2.13
CVE-2024-21246
- Oracle Service Bus versions: 12.2.1.4.0
CVE-2024-21274, CVE-2024-21215, CVE-2024-21216, CVE-2024-21234, CVE-2024-21260
- Oracle WebLogic Server versions: 12.2.1.4.0
- Oracle WebLogic Server versions: 14.1.1.0.0
CVE-2024-21266
- Oracle Advanced Pricing versions: 12.2.3 – 12.2.13
CVE-2024-21195, CVE-2024-21254
- Oracle BI Publisher versions: 7.0.0.0.0
- Oracle BI Publisher versions: 7.6.0.0.0
- Oracle BI Publisher versions: 12.2.1.4.0
CVE-2024-21265
- Oracle Site Hub versions: 12.2.3 – 12.2.13
CVE-2024-21267
- Oracle Cost Management versions: 12.2.12 – 12.2.13
CVE-2024-21271
- Oracle Field Service versions: 12.2.3 – 12.2.13
CVE-2024-21272
- MySQL Connectors versions: 9.0.0 and prior
CVE-2024-21280
- Oracle Service Contracts versions: 12.2.5 – 12.2.13
CVE-2024-21190
- Oracle Global Lifecycle Management FMW Installer versions: 12.2.1.4.0
CVE-2024-21250
- Oracle Process Manufacturing Product Development versions: 12.2.13 – 12.2.14
CVE-2024-21214, CVE-2024-21255
- PeopleSoft Enterprise PeopleTools versions: 8.59
- PeopleSoft Enterprise PeopleTools versions: 8.60
- PeopleSoft Enterprise PeopleTools versions: 8.61
CVE-2024-21284
- Oracle Banking Liquidity Management versions: 14.5.0.12.0
CVE-2024-21268
- Oracle Applications Manager versions: 12.2.11 – 12.2.13
CVE-2024-21191
- Oracle Enterprise Manager Fusion Middleware Control versions: 12.2.1.4.0
CVE-2024-21252
- Oracle Product Hub versions: 12.2.3 – 12.2.13
CVE-2024-21278
- Oracle Contract Lifecycle Management for Public Sector versions: 12.2.3 – 12.2.13
CVE-2024-21282
- Oracle Financials versions: 12.2.3 – 12.2.13
CVE-2024-21285
- Oracle Banking Liquidity Management versions: 14.5.0.12.0
CVE-2024-21276
- Oracle Work in Process versions: 12.2.3 – 12.2.13
CVE-2024-21277
- Oracle MES for Process Manufacturing versions: 12.2.3 – 12.2.13
CVE-2024-21283
- PeopleSoft Enterprise HCM Global Payroll Core versions: 9.2.48 – 9.2.50
CVE-2024-21279
- Oracle Sourcing versions: 12.2.3 – 12.2.13
CVE-2024-21172
- Oracle Hospitality OPERA 5 versions: 5.6.19.19
- Oracle Hospitality OPERA 5 versions: 5.6.25.8
- Oracle Hospitality OPERA 5 versions: 5.6.26.4
CVE-2024-21269
- Oracle Incentive Compensation versions: 12.2.3 – 12.2.13
CVE-2024-21270
- Oracle Common Applications Calendar versions: 12.2.6 – 12.2.13
Resolved Vulnerabilities
Vulnerability that could allow a highly privileged attacker logged on to the infrastructure where Oracle VM VirtualBox is running to compromise Oracle VM VirtualBox (CVE-2024-21259)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Quoting (CVE-2024-21275)
Vulnerability that could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Service Bus (CVE-2024-21246)
Vulnerability that could allow an unauthenticated attacker with network access via HTTP to compromise Oracle WebLogic Server (CVE-2024-21274, CVE-2024-21215)
Vulnerability that could allow an unauthenticated attacker with network access via T3 or IIOP to compromise Oracle WebLogic Server (CVE-2024-21216, CVE-2024-21234, CVE-2024-21260)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Advanced Pricing (CVE-2024-21266)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle BI Publisher (CVE-2024-21195, CVE-2024-21254)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Site Hub (CVE-2024-21265)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Cost Management (CVE-2024-21267)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Field Service (CVE-2024-21271)
Vulnerability that could allow a low-privileged attacker with network access via multiple protocols to compromise MySQL Connectors (CVE-2024-21272)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Service Contracts (CVE-2024-21280)
Vulnerability that could allow an unauthenticated attacker with network access via SFTP to compromise Oracle Global Lifecycle Management FMW Installer (CVE-2024-21190)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Process Manufacturing Product Development (CVE-2024-21250)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise PeopleTools (CVE-2024-21214, CVE-2024-21255)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Banking Liquidity Management (CVE-2024-21284)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Applications Manager (CVE-2024-21268)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Enterprise Manager Fusion Middleware Control (CVE-2024-21191)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Product Hub (CVE-2024-21252)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Contract Lifecycle Management for Public Sector (CVE-2024-21278)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Financials (CVE-2024-21282)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Banking Liquidity Management (CVE-2024-21285)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Work in Process (CVE-2024-21276)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle MES for Process Manufacturing (CVE-2024-21277)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise PeopleSoft Enterprise HCM Global Payroll Core (CVE-2024-21283)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Sourcing (CVE-2024-21279)
Vulnerability that could allow an unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5 (CVE-2024-21172)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Incentive Compensation (CVE-2024-21269)
Vulnerability that could allow a low-privileged attacker with network access via HTTP to compromise Oracle Common Applications Calendar (CVE-2024-21270)
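The two lists above are only useful once they are compared against what is actually installed. The following script is an added example (not Oracle's tooling and not part of the original advisory) that encodes a subset of the affected-version entries from the Affected Products section and checks an inventory against them, listing first the products whose vulnerabilities are reachable by an unauthenticated network attacker according to the Resolved Vulnerabilities section. The range semantics are an assumption of the example: a VirtualBox bound is read as "prior to that release within the same 7.0 or 7.1 train" (so a patched 7.0.22 is not flagged merely because 7.0.22 is numerically below 7.1.2), the MySQL Connectors bound as "9.0.0 and prior", PeopleTools entries as release lines, and E-Business Suite ranges as inclusive. Versions are compared numerically per component, not as strings, so 12.2.10 sorts after 12.2.3. The product table is a subset to extend from the list above, and the sample inventory is constructed for illustration.

```python
"""Check installed Oracle product versions against this advisory's affected ranges.

Added example, not Oracle's or the advisory's own code. AFFECTED is transcribed from the
Affected Products section above (subset; extend as needed). Range kinds are an assumption:
  ("exact", v)           installed == v after zero-padding shorter version
  ("prefix", v)          installed is in release line v (e.g. PeopleTools 8.59.x)
  ("train_prior_to", v)  same major.minor train as v and numerically below v
  ("and_prior", v)       installed <= v
  ("between", lo, hi)    lo <= installed <= hi (inclusive)
"""
from __future__ import annotations

AFFECTED: dict[str, list[tuple]] = {
    "Oracle VM VirtualBox": [("train_prior_to", "7.0.22"), ("train_prior_to", "7.1.2")],
    "Oracle WebLogic Server": [("exact", "12.2.1.4.0"), ("exact", "14.1.1.0.0")],
    "Oracle Service Bus": [("exact", "12.2.1.4.0")],
    "MySQL Connectors": [("and_prior", "9.0.0")],
    "PeopleSoft Enterprise PeopleTools": [("prefix", "8.59"), ("prefix", "8.60"), ("prefix", "8.61")],
    "Oracle Quoting": [("between", "12.2.7", "12.2.13")],
    "Oracle Hospitality OPERA 5": [("exact", "5.6.19.19"), ("exact", "5.6.25.8"), ("exact", "5.6.26.4")],
}

# Products whose entries in Resolved Vulnerabilities need no credentials, only network access.
UNAUTH_NETWORK = {
    "Oracle WebLogic Server",
    "Oracle Service Bus",
    "Oracle Hospitality OPERA 5",
    "Oracle Global Lifecycle Management FMW Installer",
}

# Constructed sample inventory for illustration; not real hosts.
SAMPLE_INVENTORY = {
    "Oracle VM VirtualBox": "7.0.22",
    "Oracle WebLogic Server": "12.2.1.4.0",
    "MySQL Connectors": "8.4.0",
    "Oracle Quoting": "12.2.10",
    "PeopleSoft Enterprise PeopleTools": "8.59.12",
    "Oracle Hospitality OPERA 5": "5.6.27.1",
}


def parse_version(s: str) -> tuple[int, ...]:
    """Split a dotted numeric version into ints so comparison is numeric, not lexical."""
    return tuple(int(part) for part in s.strip().split("."))


def _pad(a: tuple[int, ...], b: tuple[int, ...]) -> tuple[tuple[int, ...], tuple[int, ...]]:
    """Zero-pad the shorter tuple so 14.1.1 compares equal to 14.1.1.0.0."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def matches(version: str, rule: tuple) -> bool:
    """Return True if `version` falls inside one affected-range rule."""
    v = parse_version(version)
    kind = rule[0]
    if kind == "exact":
        a, b = _pad(v, parse_version(rule[1]))
        return a == b
    if kind == "prefix":
        b = parse_version(rule[1])
        return v[: len(b)] == b
    if kind == "train_prior_to":
        a, b = _pad(v, parse_version(rule[1]))
        return a[:2] == b[:2] and a < b
    if kind == "and_prior":
        a, b = _pad(v, parse_version(rule[1]))
        return a <= b
    if kind == "between":
        a, lo = _pad(v, parse_version(rule[1]))
        a2, hi = _pad(v, parse_version(rule[2]))
        return lo <= a and a2 <= hi
    raise ValueError(f"unknown rule kind {kind!r}")


def is_affected(product: str, version: str) -> bool:
    """True if any rule for `product` covers `version`; unknown products are not flagged."""
    return any(matches(version, rule) for rule in AFFECTED.get(product, []))


def triage(inventory: dict[str, str]) -> list[tuple[str, str, str]]:
    """Return (priority, product, version) for affected items, unauthenticated network-reachable first."""
    findings = []
    for product, version in inventory.items():
        if is_affected(product, version):
            prio = "P1-unauth-network" if product in UNAUTH_NETWORK else "P2-authenticated"
            findings.append((prio, product, version))
    findings.sort()
    return findings


if __name__ == "__main__":
    for prio, product, version in triage(SAMPLE_INVENTORY):
        print(f"{prio:20s} {product} {version}")
```

Feed the script your own inventory (for example the output of a CMDB export) in place of SAMPLE_INVENTORY; anything the table does not cover is silently treated as not affected, so extend AFFECTED before relying on a clean result.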
Vulnerability Patches
Patches for these vulnerabilities are included in the October 2024 Critical Patch Update. Follow the patch availability and installation instructions in reference [1] to update affected products to the fixed versions.
References
[1] Oracle Critical Patch Update Advisory – October 2024, https://www.oracle.com/security-alerts/cpuoct2024.html