-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2017.0170
          Security Advisory: Oracle Health Sciences Applications
                              18 October 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Health Sciences Applications
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote with User Interaction
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-6814  
Member content until: Friday, November 17 2017
Reference:            ASB-2017.0167
                      ASB-2017.0165
                      ESB-2017.0877
                      ESB-2017.0426

OVERVIEW

        Multiple vulnerabilities have been identified in 
         Oracle Healthcare Master Person Index, version  4.x
        [1]


IMPACT

        The vendor has provided the following information regarding
        to the vulnerabilities.
        
        This Critical Patch Update contains 1 new security fix for
        Oracle Health Sciences Applications.   This vulnerability is
        remotely exploitable without authentication,  i.e.,  may be
        exploited over a network without requiring user credentials.
        [1]
        
        
        CVE-2016-6814
        
        8.3
        
        AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
        
        Difficult to exploit vulnerability allows unauthenticated
        attacker with network access via multiple protocols to
        compromise Spatial (Apache Groovy).  Successful attacks
        require human interaction from a person other than the
        attacker and while the vulnerability is in Spatial (Apache
        Groovy), attacks may significantly impact additional
        products. Successful attacks of this vulnerability can
        result in takeover of Spatial (Apache Groovy). Note:
        Component installed optionally. Not in the default
        installation.
        [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon
        as possible. Until you apply the CPU fixes, it may be
        possible to reduce the risk of successful attack by blocking
        network protocols required by an attack. For attacks that
        require certain privileges or access to certain packages,
        removing the privileges or the ability to access the
        packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may
        break application functionality, so Oracle strongly
        recommends that customers test changes on non-production
        systems. Neither approach should be considered a long-term
        solution as neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2017
            http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html

        [2] Text Form of Oracle Critical Patch Update - October 2017 Risk
            Matrices
            http://www.oracle.com/technetwork/security-advisory/cpuoct2017verbose-3236627.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWebNk4x+lLeg9Ub1AQi/Tg//WWGB5nXChdKx8VR8dtnE5wsTOIBMCd7J
EtWW+WWLg1ju/eH4kLNTPgdCzZbsPe8xs8Ff6qnOQeVubTqOqb+j91N6d+YNe2VR
fVY7cACdbfxTfX1LXnsZeWAYjYh7RtzUmtfIjRQx56D6ZHAUOGIGqD2s3EFCPxwd
tDmoB2hjiWk+nQT0Q4g8+jw33srDFZl3LAPE7jaqwpi8FDr3KGs3xgXe3t4Da2Dn
hRim6lkKIem1xxXB/KMRhGUnGaP3sX+P8LUvT/K5067V4DTRLvqYFxDygKDRD8Ds
XJSgKOIOFEo/VcMplFkcRggcZmG3rvkLA7a/fNtnI+gvWTgjqLBXnxk6e+HPjJVD
FkSNZr3TV4k7qj8s+6N3IvwYLJEMctM82U9YTgXO/6/hQ3WRYuq+NGVw9tU6ml4Q
eN2dglY1XHVpv6/sxe7ik0/m+Y+yxJMtf3OpDPYfaKSX/oa6pY3DHgiCGKjqcv9u
LDPstbXV2yWQT8LqoxH+fXPcbJGYVaA2GyqNc3McmCdgHojBTqn6ND2w84Xt3rK2
CwhoudOAI6QHEDRRvjVjwIavbp2GSXSB1gg46S0gp/JBMzldfPPDidzTS+1QeqzS
+8TkKRbVrtNxRwY13wlUWGJdzgDE8If221S5AeUP6zulSCYCqQ3kIUyfyfX3vpYo
k16R71BhtlI=
=G2yP
-----END PGP SIGNATURE-----