Oracle Security Alert Advisory - CVE-2017-9805

List of Affected Products and Versions

Purpose

This document details the Oracle Products and Versions affected by patches distributed in Security Alert CVE-2017-9805.

Affected Products and Versions

Security vulnerabilities addressed by this Security Alert affect the products listed in the categories below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.

The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:

Affected Products and Versions | Patch Availability
MySQL Enterprise Monitor, versions 3.2.8.2223 and prior, 3.3.4.3247 and prior, 3.4.2.4181 and prior | Oracle MySQL Product Suite
Oracle Communications Policy Management, versions 11.5, 12.x | Oracle Communications Policy Management
Oracle FLEXCUBE Private Banking, versions 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1 | Oracle Financial Services Applications
Oracle Financial Services Analytical Applications Infrastructure, versions 7.2, 7.3 | Oracle Financial Services Analytical Applications Infrastructure
Oracle Financial Services Analytical Applications Reconciliation Framework, versions 3.5, 3.5.1, 8.0.0 to 8.0.4 | Oracle Financial Services Analytical Applications Reconciliation Framework
Oracle Financial Services Asset Liability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Asset Liability Management
Oracle Financial Services Basel Regulatory Capital Basic, versions 8.0.0 to 8.0.4 | Oracle Financial Services Basel Regulatory Capital Basic
Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach, versions 8.0.0 to 8.0.4 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach
Oracle Financial Services Data Foundation, versions 7.3.0, 7.4.0, 8.0.0 to 8.0.5 | Oracle Financial Services Data Foundation
Oracle Financial Services Data Integration Hub, versions 8.0.1 to 8.0.4 | Oracle Financial Services Data Integration Hub
Oracle Financial Services Enterprise Financial Performance Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Enterprise Financial Performance Analytics
Oracle Financial Services Funds Transfer Pricing, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Funds Transfer Pricing
Oracle Financial Services Hedge Management and IFRS Valuations, versions 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Hedge Management and IFRS Valuations
Oracle Financial Services ICAAP Analytics, version 8.0 | Oracle Financial Services ICAAP Analytics
Oracle Financial Services Institutional Performance Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Institutional Performance Analytics
Oracle Financial Services Liquidity Risk Management, versions 8.0.1, 8.0.2, 8.0.4 | Oracle Financial Services Liquidity Risk Management
Oracle Financial Services Loan Loss Forecasting and Provisioning, versions 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Loan Loss Forecasting and Provisioning
Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery, versions 8.0.0 to 8.0.5 | Oracle Financial Services Pricing Management, Transfer Pricing Component
Oracle Financial Services Profitability Management, versions 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 | Oracle Financial Services Profitability Management
Oracle Financial Services Retail Customer Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Retail Customer Analytics
Oracle Financial Services Retail Performance Analytics, versions 8.0.0 to 8.0.5 | Oracle Financial Services Retail Performance Analytics
Oracle Insurance Data Foundation, versions 8.0.0 to 8.0.5 | Oracle Insurance Data Foundation
Oracle Insurance Performance Insight for General Insurance, version 8.0 | Oracle Insurance Performance Insight for General Insurance
Oracle Retail XBRi Loss Prevention, versions 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1 | Retail Applications
Siebel Applications, versions 6.1, 6.2, 7.1 | Siebel
WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2, 12.2.1.3 | Fusion Middleware

Modification History

Date | Note
2017-September-22 | Rev 1. Initial Release.

Appendix - Oracle Applications

Oracle Siebel CRM Executive Summary

This Security Alert contains 1 new security fix for Oracle Siebel CRM.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Siebel CRM Risk Matrix

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-9805 | Siebel Apps - E-Billing | Security (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.1, 6.2, 7.1 |

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

Appendix - Oracle Communications Applications

Oracle Communications Applications Executive Summary

This Security Alert contains 1 new security fix for Oracle Communications Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Communications Applications Risk Matrix

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-9805 | Oracle Communications Policy Management | Security (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 11.5, 12.x |

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

Appendix - Oracle Financial Services Applications

Oracle Financial Services Applications Executive Summary

This Security Alert contains 21 new security fixes for Oracle Financial Services Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Financial Services Applications Risk Matrix

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-9805 | Oracle Financial Services Analytical Applications Infrastructure | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.2, 7.3 |
CVE-2017-9805 | Oracle Financial Services Analytical Applications Reconciliation Framework | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 3.5, 3.5.1, 8.0.0 to 8.0.4 |
CVE-2017-9805 | Oracle Financial Services Asset Liability Management | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Basel Regulatory Capital Basic | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.4 |
CVE-2017-9805 | Oracle Financial Services Basel Regulatory Capital Internal Ratings Based Approach | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.4 |
CVE-2017-9805 | Oracle Financial Services Data Foundation | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 7.3.0, 7.4.0, 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Data Integration Hub | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.1 to 8.0.4 |
CVE-2017-9805 | Oracle Financial Services Enterprise Financial Performance Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Funds Transfer Pricing | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Hedge Management and IFRS Valuations | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 |
CVE-2017-9805 | Oracle Financial Services ICAAP Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0 |
CVE-2017-9805 | Oracle Financial Services Institutional Performance Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Liquidity Risk Management | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.1, 8.0.2, 8.0.4 |
CVE-2017-9805 | Oracle Financial Services Loan Loss Forecasting and Provisioning | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 1.5.0, 1.5.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Pricing Management, Transfer Pricing Component / Oracle Financial Services Price Creation and Discovery | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Profitability Management | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 6.0.0, 6.1.0, 6.1.1, 8.0.1, 8.0.2, 8.0.3, 8.0.4, 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Retail Customer Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle Financial Services Retail Performance Analytics | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle FLEXCUBE Private Banking | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 2.0, 2.1, 2.2, 3.0, 12.0, 12.0.1, 12.0.2, 12.0.3, 12.1 |
CVE-2017-9805 | Oracle Insurance Data Foundation | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0.0 to 8.0.5 |
CVE-2017-9805 | Oracle Insurance Performance Insight for General Insurance | Core (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 8.0 |

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Security Alert contains 1 new security fix for Oracle Fusion Middleware.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Fusion Middleware Risk Matrix

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-9805 | WebLogic Server | Samples (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1, 12.2.1.2, 12.2.1.3 |

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.

Appendix - Oracle MySQL

Oracle MySQL Executive Summary

This Security Alert contains 1 new security fix for Oracle MySQL.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle MySQL Risk Matrix

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-9787 | MySQL Enterprise Monitor | Monitoring: General (Struts 2) | HTTP | Yes | 7.5 | Network | Low | None | None | Unchanged | None | None | High | 3.2.8.2223 and earlier, 3.3.4.3247 and earlier, 3.4.2.4181 and earlier |

Appendix - Oracle Retail Applications

Oracle Retail Applications Executive Summary

This Security Alert contains 1 new security fix for Oracle Retail Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials.  The English text form of this Risk Matrix can be found here.

Oracle Retail Applications Risk Matrix

CVE# | Product | Component | Protocol | Remote Exploit without Auth.? | CVSS 3.0 Base Score | Attack Vector | Attack Complexity | Privileges Required | User Interaction | Scope | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes
CVE-2017-9805 | Oracle Retail XBRi Loss Prevention | Internal Operations (Struts 2) | HTTP | Yes | 9.8 | Network | Low | None | None | Unchanged | High | High | High | 10.0.1, 10.5.0, 10.6.0, 10.7.0, 10.8.0, 10.8.1 |

Additional CVEs addressed are below:

  • The fix for CVE-2017-9805 also addresses CVE-2017-12611, CVE-2017-7672, CVE-2017-9787, CVE-2017-9791, CVE-2017-9793, and CVE-2017-9804.