This Security Alert addresses CVE-2017-10269 and four other vulnerabilities affecting the Jolt server within Oracle Tuxedo. These vulnerabilities have a maximum CVSS score of 10.0 and may be exploited over a network without the need for a valid username and password. The Oracle Jolt client is not impacted.
Since Oracle PeopleSoft products include and use Oracle Tuxedo in their distributions, PeopleSoft customers should apply the Tuxedo patches referenced below.
Due to the severity of these vulnerabilities, Oracle strongly recommends that customers apply the updates provided by this Security Alert as soon as possible.
Patches released through the Security Alert program are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that patches released through the Critical Patch Update program are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. As a result, Oracle recommends that customers upgrade to supported versions.
Supported Database, Fusion Middleware, Oracle Enterprise Manager Base Platform (formerly "Oracle Enterprise Manager Grid Control") and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
Patches released through the Security Alert program are available to customers who have Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download patches released through the Security Alert program for products in the Extended Support Phase.
The following people or organizations reported security vulnerabilities addressed by this Security Alert to Oracle:
Security vulnerabilities addressed by this Security Alert affect the products listed below. The product area of the patches for the listed versions is shown in the Patch Availability column corresponding to the specified Affected Products and Versions column. Please click on the link in the Patch Availability column below to access the documentation for patch availability information and installation instructions.
The list of affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy is as follows:
|Affected Products and Versions||Patch Availability|
|Oracle Tuxedo, versions 11.1.1, 12.1.1, 12.1.3, 12.2.2||Fusion Middleware|
|2017-November-16||Rev 2. Updated Credit Statement.|
|2017-November-14||Rev 1. Initial Release.|
This Security Alert contains 5 new security fixes for Oracle Fusion Middleware. 4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without requiring user credentials. The English text form of this Risk Matrix can be found here.
|CVE#||Product||Component||Protocol||Remote Exploit without Auth.?||CVSS VERSION 3.0 RISK (see Risk Matrix Definitions)||Supported Versions Affected||Notes|
|Base Score||Attack Vector||Attack Complexity||PrivsReq'd||UserInteract||Scope||Confidentiality||Integrity||Availability|
|CVE-2017-10269||Oracle Tuxedo||Core||Jolt||Yes||10.0||Network||Low||None||None||Changed||High||High||Low||11.1.1, 12.1.1, 12.1.3, 12.2.2|
|CVE-2017-10272||Oracle Tuxedo||Core||Jolt||No||9.9||Network||Low||Low||None||Changed||High||High||Low||11.1.1, 12.1.1, 12.1.3, 12.2.2|
|CVE-2017-10267||Oracle Tuxedo||Core||Jolt||Yes||7.5||Network||Low||None||None||Un- changed||High||None||None||11.1.1, 12.1.1, 12.1.3, 12.2.2|
|CVE-2017-10278||Oracle Tuxedo||Security||Jolt||Yes||7.0||Network||High||None||None||Un- changed||High||Low||Low||11.1.1, 12.1.1, 12.1.3, 12.2.2|
|CVE-2017-10266||Oracle Tuxedo||Core||Jolt||Yes||5.3||Network||Low||None||None||Un- changed||Low||None||None||11.1.1, 12.1.1, 12.1.3, 12.2.2|