Oracle Security Alert Advisory - CVE-2017-10269
Description
This Security Alert addresses CVE-2017-10269 and four other vulnerabilities affecting the Jolt server within Oracle Tuxedo. These vulnerabilities have a maximum CVSS score of 10.0 and may be exploited over a network without the need for a valid username and password. The Oracle Jolt client is not impacted.
Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, PeopleSoft customers should apply the Tuxedo patches referenced below.
Due to the severity of these vulnerabilities, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Security Alert Supported Products and Versions
Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Products in Extended Support
Patches released through the Security Alert program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Security Alert program for products in the Extended Support Phase.
Credit Statement
The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:
- Dmitrii Iudin aka @ret5et of ERPScan: CVE-2017-10266, CVE-2017-10267, CVE-2017-10269, CVE-2017-10272, CVE-2017-10278
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- English text version of the risk matrices [ Oracle Technology Network ]
- CVRF XML version of the risk matrices [ Oracle Technology Network ]
- The Oracle Software Security Assurance Blog [ The Oracle Software Security Assurance Blog ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
Affected Products and Components
Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
| Affected Products and Versions | Patch Availability |
|---|---|
| Oracle Tuxedo, versions 11.1.1, 12.1.1, 12.1.3, 12.2.2 | Fusion Middleware |
Modification History
| Date | Note |
|---|---|
| 2017-November-16 | Rev 2. Updated Credit Statement. |
| 2017-November-14 | Rev 1. Initial Release. |
Appendix - Oracle Fusion Middleware
Oracle Fusion Middleware Executive Summary
This Security Alert contains 5 new security fixes for Oracle Fusion Middleware. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
Oracle Fusion Middleware Risk Matrix
| CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS VERSION 3.0 RISK (see Risk Matrix Definitions) | Supported Versions Affected | Notes | ||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Attack Vector | Attack Complexity | PrivsReq'd | UserInteract | Scope | Confidentiality | Integrity | Availability | |||||||
| CVE-2017-10269 | Oracle Tuxedo | Core | Jolt | Yes | 10.0 | Network | Low | None | None | Changed | High | High | Low | 11.1.1, 12.1.1, 12.1.3, 12.2.2 | |
| CVE-2017-10272 | Oracle Tuxedo | Core | Jolt | No | 9.9 | Network | Low | Low | None | Changed | High | High | Low | 11.1.1, 12.1.1, 12.1.3, 12.2.2 | |
| CVE-2017-10267 | Oracle Tuxedo | Core | Jolt | Yes | 7.5 | Network | Low | None | None | Un- changed | High | None | None | 11.1.1, 12.1.1, 12.1.3, 12.2.2 | |
| CVE-2017-10278 | Oracle Tuxedo | Security | Jolt | Yes | 7.0 | Network | High | None | None | Un- changed | High | Low | Low | 11.1.1, 12.1.1, 12.1.3, 12.2.2 | |
| CVE-2017-10266 | Oracle Tuxedo | Core | Jolt | Yes | 5.3 | Network | Low | None | None | Un- changed | Low | None | None | 11.1.1, 12.1.1, 12.1.3, 12.2.2 | |