-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2018.0250
                         Oracle Fusion Middleware
                              17 October 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Fusion Middleware
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2018-1000300 CVE-2018-18224 CVE-2018-18223
                      CVE-2018-8013 CVE-2018-3302 CVE-2018-3254
                      CVE-2018-3253 CVE-2018-3252 CVE-2018-3250
                      CVE-2018-3249 CVE-2018-3248 CVE-2018-3246
                      CVE-2018-3245 CVE-2018-3238 CVE-2018-3234
                      CVE-2018-3233 CVE-2018-3232 CVE-2018-3231
                      CVE-2018-3230 CVE-2018-3229 CVE-2018-3228
                      CVE-2018-3227 CVE-2018-3226 CVE-2018-3225
                      CVE-2018-3224 CVE-2018-3223 CVE-2018-3222
                      CVE-2018-3221 CVE-2018-3220 CVE-2018-3219
                      CVE-2018-3218 CVE-2018-3217 CVE-2018-3215
                      CVE-2018-3213 CVE-2018-3210 CVE-2018-3204
                      CVE-2018-3201 CVE-2018-3197 CVE-2018-3191
                      CVE-2018-3179 CVE-2018-3168 CVE-2018-3152
                      CVE-2018-3147 CVE-2018-2911 CVE-2018-2902
                      CVE-2018-1305 CVE-2018-1275 CVE-2018-1258
                      CVE-2018-0739 CVE-2018-0732 CVE-2017-15095
                      CVE-2017-14735 CVE-2017-7805 CVE-2017-5645
                      CVE-2016-1182 CVE-2015-9251 
Member content until: Friday, November 16 2018
Reference:            ASB-2018.0180
                      ASB-2018.0177
                      ASB-2018.0173
                      ESB-2018.3028
                      ESB-2018.3014
                      ESB-2018.2952
                      ESB-2018.2951

OVERVIEW

        Multiple vulnerabilities have been identified in:
         o Oracle Adaptive Access Manager, versions 11.1.1.7.0, 11.1.2.3.0
         o Oracle API Gateway, version 11.1.2.4.0
         o Oracle BI Publisher, versions 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0,
           12.2.1.4.0
         o Oracle Big Data Discovery, version 1.6.0
         o Oracle Business Intelligence Enterprise Edition, versions 
           11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
         o Oracle Directory Server Enterprise Edition, version 11.1.1.7
         o Oracle Endeca Information Discovery Integrator, versions 3.1.0, 
           3.2.0
         o Oracle Endeca Information Discovery Studio, versions 3.1.0, 3.2.0
         o Oracle Endeca Server, versions 7.6.1, 7.7.0
         o Oracle Enterprise Repository, versions 11.1.1.7.0, 12.1.3.0.0
         o Oracle Fusion Middleware MapViewer, versions 12.1.3.0, 12.2.1.3
         o Oracle GlassFish Server, version 3.1.2
         o Oracle GoldenGate for Big Data, versions 12.2.0.1, 12.3.1.1, 
           12.3.2.1
         o Oracle HTTP Server, version 12.2.1.3
         o Oracle Identity Analytics, version 11.1.1.5.8
         o Oracle Identity Management Suite, versions 11.1.2.3.0, 12.2.1.3.0
         o Oracle Identity Manager, versions 11.1.2.3.0, 12.2.1.3.0
         o Oracle Outside In Technology, version 8.5.3
         o Oracle Real-Time Decision Server, version 3.2.1
         o Oracle Service Bus, versions 12.1.3.0.0, 12.2.1.3.0
         o Oracle Tuxedo, version 12.1.1.0
         o Oracle Virtual Directory, versions 11.1.1.7.0, 11.1.1.9.0
         o Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0
         o Oracle WebCenter Sites, versions 11.1.1.8.0, 12.2.1.3.0
         o Oracle WebLogic Server, versions 10.3.6.0, 12.1.3.0, 12.2.1.3, 
           prior to Docker 12.2.1.3.20180913
        [1]


IMPACT

        The vendor has provided the following information regarding the 
        vulnerabilities:
        
        "This Critical Patch Update contains 65 new security fixes for 
        Oracle Fusion Middleware. 56 of these vulnerabilities may be 
        remotely exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials." [1]
        
        "CVE-2015-9251
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Vulnerability in the Oracle Endeca Information Discovery Studio 
        component of Oracle Fusion Middleware (subcomponent: Studio 
        (jQuery)). Supported versions that are affected are 3.1.0 and 3.2.0.
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Endeca Information
        Discovery Studio. Successful attacks require human interaction from
        a person other than the attacker and while the vulnerability is in 
        Oracle Endeca Information Discovery Studio, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Oracle Endeca Information Discovery Studio 
        accessible data as well as unauthorized read access to a subset of 
        Oracle Endeca Information Discovery Studio accessible data.
        
        CVE-2015-9251
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Vulnerability in the Oracle Service Bus component of Oracle Fusion 
        Middleware (subcomponent: OSB Core Functionality (jQuery)). 
        Supported versions that are affected are 12.1.3.0.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Service Bus. 
        Successful attacks require human interaction from a person other 
        than the attacker and while the vulnerability is in Oracle Service 
        Bus, attacks may significantly impact additional products. 
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Service Bus 
        accessible data as well as unauthorized read access to a subset of 
        Oracle Service Bus accessible data.
        
        CVE-2015-9251
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Vulnerability in the Oracle WebCenter Sites component of Oracle 
        Fusion Middleware (subcomponent: Advanced UI (jQuery)). The 
        supported version that is affected is 11.1.1.8.0. Easily exploitable
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle WebCenter Sites. Successful attacks 
        require human interaction from a person other than the attacker and
        while the vulnerability is in Oracle WebCenter Sites, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Oracle WebCenter Sites accessible data as well as
        unauthorized read access to a subset of Oracle WebCenter Sites 
        accessible data.
        
        CVE-2016-1182
        
        8.2
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
        
        Vulnerability in the Oracle Adaptive Access Manager component of 
        Oracle Fusion Middleware (subcomponent: OAAM Server (Apache Struts 
        1)). Supported versions that are affected are 11.1.1.7.0 and 
        11.1.2.3.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle Adaptive
        Access Manager. Successful attacks of this vulnerability can result
        in unauthorized ability to cause a hang or frequently repeatable 
        crash (complete DOS) of Oracle Adaptive Access Manager as well as 
        unauthorized update, insert or delete access to some of Oracle 
        Adaptive Access Manager accessible data.
        
        CVE-2016-1182
        
        8.2
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H
        
        Vulnerability in the Oracle Real-Time Decision Server component of 
        Oracle Fusion Middleware (subcomponent: Platform Installation 
        (Apache Struts 1)). The supported version that is affected is 3.2.1.
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Real-Time Decision
        Server. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Real-Time Decision Server as well as 
        unauthorized update, insert or delete access to some of Oracle 
        Real-Time Decision Server accessible data.
        
        CVE-2017-14735
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Vulnerability in the Oracle Fusion Middleware MapViewer component of
        Oracle Fusion Middleware (subcomponent: Install (AntiSamy)). 
        Supported versions that are affected are 12.1.3.0 and 12.2.1.3. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Fusion Middleware
        MapViewer. Successful attacks require human interaction from a 
        person other than the attacker and while the vulnerability is in 
        Oracle Fusion Middleware MapViewer, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can 
        result in unauthorized update, insert or delete access to some of 
        Oracle Fusion Middleware MapViewer accessible data as well as 
        unauthorized read access to a subset of Oracle Fusion Middleware 
        MapViewer accessible data.
        
        CVE-2017-15095
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle Identity Manager component of Oracle 
        Fusion Middleware (subcomponent: Installer (jackson-databind)). 
        Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Identity Manager.
        Successful attacks of this vulnerability can result in takeover of 
        Oracle Identity Manager.
        
        CVE-2017-5645
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle API Gateway component of Oracle Fusion 
        Middleware (subcomponent: Oracle API Gateway (Apache Log4j)). The 
        supported version that is affected is 11.1.2.4.0. Easily exploitable
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle API Gateway. Successful attacks of 
        this vulnerability can result in takeover of Oracle API Gateway.
        
        CVE-2017-5645
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the BI Publisher (formerly XML Publisher) component
        of Oracle Fusion Middleware (subcomponent: BI Publisher Security 
        (Apache Log4j)). Supported versions that are affected are 
        11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via HTTP to compromise BI Publisher (formerly XML 
        Publisher). Successful attacks of this vulnerability can result in 
        takeover of BI Publisher (formerly XML Publisher).
        
        CVE-2017-5645
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle Identity Analytics component of Oracle 
        Fusion Middleware (subcomponent: Security (Apache Log4j)). The 
        supported version that is affected is 11.1.1.5.8. Easily exploitable
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Identity Analytics. Successful attacks
        of this vulnerability can result in takeover of Oracle Identity 
        Analytics.
        
        CVE-2017-5645
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle Identity Management Suite component of 
        Oracle Fusion Middleware (subcomponent: Suite Level Patch Issues 
        (Apache Log4j)). Supported versions that are affected are 11.1.2.3.0
        and 12.2.1.3.0. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Identity Management Suite. Successful attacks of this 
        vulnerability can result in takeover of Oracle Identity Management 
        Suite.
        
        CVE-2017-7805
        
        7.5
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle Directory Server Enterprise Edition 
        component of Oracle Fusion Middleware (subcomponent: Admin Console 
        (Sun Security Libraries)). The supported version that is affected is
        11.1.1.7. Difficult to exploit vulnerability allows low privileged 
        attacker with network access via HTTP to compromise Oracle Directory
        Server Enterprise Edition. Successful attacks of this vulnerability
        can result in takeover of Oracle Directory Server Enterprise 
        Edition.
        
        CVE-2018-0732
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        
        Vulnerability in the Oracle Tuxedo component of Oracle Fusion 
        Middleware (subcomponent: Docs-ATMI-IB (OpenSSL)). The supported 
        version that is affected is 12.1.1.0. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTPS to compromise Oracle Tuxedo. Successful attacks of this 
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle Tuxedo.
        
        CVE-2018-0739
        
        6.5
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
        
        Vulnerability in the Oracle Endeca Server component of Oracle Fusion
        Middleware (subcomponent: Product Code (OpenSSL)). Supported 
        versions that are affected are 7.6.1 and 7.7.0. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Endeca Server. Successful attacks 
        require human interaction from a person other than the attacker. 
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete 
        DOS) of Oracle Endeca Server.
        
        CVE-2018-1000300
        
        7.5
        
        AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle HTTP Server component of Oracle Fusion 
        Middleware (subcomponent: Web Listener (curl)). The supported 
        version that is affected is 12.2.1.3. Difficult to exploit 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle HTTP Server. Successful attacks 
        require human interaction from a person other than the attacker. 
        Successful attacks of this vulnerability can result in takeover of 
        Oracle HTTP Server.
        
        CVE-2018-1258
        
        8.8
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle Endeca Information Discovery Integrator
        component of Oracle Fusion Middleware (subcomponent: Other Issues 
        (Spring Framework)). Supported versions that are affected are 3.1.0
        and 3.2.0. Easily exploitable vulnerability allows low privileged 
        attacker with network access via HTTP to compromise Oracle Endeca 
        Information Discovery Integrator. Successful attacks of this 
        vulnerability can result in takeover of Oracle Endeca Information 
        Discovery Integrator.
        
        CVE-2018-1258
        
        8.8
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: Sample apps (Spring Framework)). 
        Supported versions that are affected are 10.3.6.0, 12.1.3.0 and 
        12.2.1.3. Easily exploitable vulnerability allows low privileged 
        attacker with network access via HTTP to compromise Oracle WebLogic
        Server. Successful attacks of this vulnerability can result in 
        takeover of Oracle WebLogic Server.
        
        CVE-2018-1275
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle Big Data Discovery component of Oracle 
        Fusion Middleware (subcomponent: Data Processing (Spring 
        Framework)). The supported version that is affected is 1.6.0. Easily
        exploitable vulnerability allows unauthenticated attacker with 
        network access via HTTP to compromise Oracle Big Data Discovery. 
        Successful attacks of this vulnerability can result in takeover of 
        Oracle Big Data Discovery.
        
        CVE-2018-1275
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle GoldenGate for Big Data component of 
        Oracle Fusion Middleware (subcomponent: Other issues (Spring 
        Framework)). Supported versions that are affected are 12.2.0.1, 
        12.3.1.1 and 12.3.2.1. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via HTTP to compromise
        Oracle GoldenGate for Big Data. Successful attacks of this 
        vulnerability can result in takeover of Oracle GoldenGate for Big 
        Data.
        
        CVE-2018-1305
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Vulnerability in the Oracle WebCenter Sites component of Oracle 
        Fusion Middleware (subcomponent: Advanced UI (Apache Tomcat)). 
        Supported versions that are affected are 11.1.1.8.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle WebCenter Sites. 
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebCenter 
        Sites accessible data.
        
        CVE-2018-18223
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters (ODA 
        Module)). The supported version that is affected is 8.5.3. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks require human interaction from a person other 
        than the attacker. Successful attacks of this vulnerability can 
        result in unauthorized ability to cause a hang or frequently 
        repeatable crash (complete DOS) of Oracle Outside In Technology and
        unauthorized read access to a subset of Oracle Outside In Technology
        accessible data.
        
        CVE-2018-18224
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters (ODA 
        Module)). The supported version that is affected is 8.5.3. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks require human interaction from a person other 
        than the attacker. Successful attacks of this vulnerability can 
        result in unauthorized ability to cause a hang or frequently 
        repeatable crash (complete DOS) of Oracle Outside In Technology and
        unauthorized read access to a subset of Oracle Outside In Technology
        accessible data.
        
        CVE-2018-2902
        
        4.3
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: Console). Supported versions that 
        are affected are 10.3.6.0 and 12.1.3.0. Easily exploitable 
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle WebLogic Server. Successful attacks of 
        this vulnerability can result in unauthorized read access to a 
        subset of Oracle WebLogic Server accessible data.
        
        CVE-2018-2911
        
        8.3
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:L
        
        Vulnerability in the Oracle GlassFish Server component of Oracle 
        Fusion Middleware (subcomponent: Java Server Faces). The supported 
        version that is affected is 3.1.2. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP to 
        compromise Oracle GlassFish Server. Successful attacks require human
        interaction from a person other than the attacker. Successful 
        attacks of this vulnerability can result in unauthorized creation, 
        deletion or modification access to critical data or all Oracle 
        GlassFish Server accessible data as well as unauthorized access to 
        critical data or complete access to all Oracle GlassFish Server 
        accessible data and unauthorized ability to cause a partial denial 
        of service (partial DOS) of Oracle GlassFish Server.
        
        CVE-2018-3147
        
        4.3
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized read access to a subset of Oracle Outside In Technology
        accessible data.
        
        CVE-2018-3152
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        
        Vulnerability in the Oracle GlassFish Server component of Oracle 
        Fusion Middleware (subcomponent: Administration). The supported 
        version that is affected is 3.1.2. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP to 
        compromise Oracle GlassFish Server. Successful attacks of this 
        vulnerability can result in unauthorized ability to cause a hang or
        frequently repeatable crash (complete DOS) of Oracle GlassFish 
        Server.
        
        CVE-2018-3168
        
        7.1
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
        
        Vulnerability in the Oracle Identity Analytics component of Oracle 
        Fusion Middleware (subcomponent: Core Components). The supported 
        version that is affected is 11.1.1.5.8. Easily exploitable 
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle Identity Analytics. Successful attacks of
        this vulnerability can result in unauthorized creation, deletion or
        modification access to critical data or all Oracle Identity 
        Analytics accessible data as well as unauthorized read access to a 
        subset of Oracle Identity Analytics accessible data.
        
        CVE-2018-3179
        
        7.2
        
        AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:L
        
        Vulnerability in the Oracle Identity Manager component of Oracle 
        Fusion Middleware (subcomponent: Advanced Console). Supported 
        versions that are affected are 11.1.2.3.0 and 12.2.1.3.0. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via HTTP to compromise Oracle Identity Manager. While
        the vulnerability is in Oracle Identity Manager, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized read access to a subset of
        Oracle Identity Manager accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Oracle Identity 
        Manager.
        
        CVE-2018-3191
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS Core Components). Supported 
        versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via T3 to compromise Oracle WebLogic Server. 
        Successful attacks of this vulnerability can result in takeover of 
        Oracle WebLogic Server.
        
        CVE-2018-3197
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS Core Components). The supported
        version that is affected is 12.1.3.0. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via T3 to compromise Oracle WebLogic Server. Successful attacks of 
        this vulnerability can result in takeover of Oracle WebLogic Server.
        
        CVE-2018-3201
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS Core Components). The supported
        version that is affected is 12.2.1.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via T3 to compromise Oracle WebLogic Server. Successful attacks of 
        this vulnerability can result in takeover of Oracle WebLogic Server.
        
        CVE-2018-3204
        
        8.2
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N
        
        Vulnerability in the Oracle Business Intelligence Enterprise Edition
        component of Oracle Fusion Middleware (subcomponent: Analytics 
        Server). The supported version that is affected is 12.2.1.3.0. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Business 
        Intelligence Enterprise Edition. Successful attacks require human 
        interaction from a person other than the attacker and while the 
        vulnerability is in Oracle Business Intelligence Enterprise Edition,
        attacks may significantly impact additional products. Successful 
        attacks of this vulnerability can result in unauthorized access to 
        critical data or complete access to all Oracle Business Intelligence
        Enterprise Edition accessible data as well as unauthorized update, 
        insert or delete access to some of Oracle Business Intelligence 
        Enterprise Edition accessible data.
        
        CVE-2018-3210
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Vulnerability in the Oracle GlassFish Server component of Oracle 
        Fusion Middleware (subcomponent: Java Server Faces). The supported 
        version that is affected is 3.1.2. Easily exploitable vulnerability
        allows unauthenticated attacker with network access via HTTP to 
        compromise Oracle GlassFish Server. Successful attacks of this 
        vulnerability can result in unauthorized read access to a subset of
        Oracle GlassFish Server accessible data.
        
        CVE-2018-3213
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: Docker Images). The supported 
        version that is affected is prior to Docker 12.2.1.3.20180913. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via T3 to compromise Oracle WebLogic Server. 
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebLogic 
        Server accessible data.
        
        CVE-2018-3215
        
        5.4
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
        
        Vulnerability in the Oracle Endeca Information Discovery Integrator
        component of Oracle Fusion Middleware (subcomponent: Integrator 
        ETL). Supported versions that are affected are 3.1.0 and 3.2.0. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle Endeca Information
        Discovery Integrator. Successful attacks require human interaction 
        from a person other than the attacker. Successful attacks of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Oracle Endeca Information Discovery Integrator 
        accessible data as well as unauthorized read access to a subset of 
        Oracle Endeca Information Discovery Integrator accessible data.
        
        CVE-2018-3217
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all 
        Oracle Outside In Technology accessible data as well as unauthorized
        update, insert or delete access to some of Oracle Outside In 
        Technology accessible data.
        
        CVE-2018-3218
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all 
        Oracle Outside In Technology accessible data as well as unauthorized
        update, insert or delete access to some of Oracle Outside In 
        Technology accessible data.
        
        CVE-2018-3219
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all 
        Oracle Outside In Technology accessible data and unauthorized 
        ability to cause a partial denial of service (partial DOS) of Oracle
        Outside In Technology.
        
        CVE-2018-3220
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:L
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized access to critical data or complete access to all 
        Oracle Outside In Technology accessible data and unauthorized 
        ability to cause a partial denial of service (partial DOS) of Oracle
        Outside In Technology.
        
        CVE-2018-3221
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3222
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3223
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3224
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3225
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3226
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3227
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3228
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3229
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3230
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3231
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3232
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3233
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3234
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-3238
        
        6.9
        
        AV:N/AC:L/PR:H/UI:R/S:C/C:H/I:L/A:N
        
        Vulnerability in the Oracle WebCenter Sites component of Oracle 
        Fusion Middleware (subcomponent: Advanced UI). The supported version
        that is affected is 11.1.1.8.0. Easily exploitable vulnerability 
        allows high privileged attacker with network access via HTTP to 
        compromise Oracle WebCenter Sites. Successful attacks require human
        interaction from a person other than the attacker and while the 
        vulnerability is in Oracle WebCenter Sites, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle WebCenter Sites accessible data as 
        well as unauthorized update, insert or delete access to some of 
        Oracle WebCenter Sites accessible data.
        
        CVE-2018-3245
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS Core Components). Supported 
        versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via T3 to compromise Oracle WebLogic Server. 
        Successful attacks of this vulnerability can result in takeover of 
        Oracle WebLogic Server.
        
        CVE-2018-3246
        
        7.5
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS - Web Services). Supported 
        versions that are affected are 12.1.3.0 and 12.2.1.3. Easily 
        exploitable vulnerability allows unauthenticated attacker with 
        network access via HTTP to compromise Oracle WebLogic Server. 
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebLogic 
        Server accessible data.
        
        CVE-2018-3248
        
        6.5
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS - Web Services). The supported
        version that is affected is 10.3.6.0. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle WebLogic Server. Successful attacks 
        require human interaction from a person other than the attacker. 
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebLogic 
        Server accessible data.
        
        CVE-2018-3249
        
        6.5
        
        AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS - Web Services). The supported
        version that is affected is 10.3.6.0. Easily exploitable 
        vulnerability allows low privileged attacker with network access via
        HTTP to compromise Oracle WebLogic Server. Successful attacks of 
        this vulnerability can result in unauthorized access to critical 
        data or complete access to all Oracle WebLogic Server accessible 
        data.
        
        CVE-2018-3250
        
        6.1
        
        AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS - Web Services). The supported
        version that is affected is 10.3.6.0. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle WebLogic Server. Successful attacks 
        require human interaction from a person other than the attacker and
        while the vulnerability is in Oracle WebLogic Server, attacks may 
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Oracle WebLogic Server accessible data as well as
        unauthorized read access to a subset of Oracle WebLogic Server 
        accessible data.
        
        CVE-2018-3252
        
        9.8
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        
        Vulnerability in the Oracle WebLogic Server component of Oracle 
        Fusion Middleware (subcomponent: WLS Core Components). Supported 
        versions that are affected are 10.3.6.0, 12.1.3.0 and 12.2.1.3. 
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via T3 to compromise Oracle WebLogic Server. 
        Successful attacks of this vulnerability can result in takeover of 
        Oracle WebLogic Server.
        
        CVE-2018-3253
        
        5.0
        
        AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
        
        Vulnerability in the Oracle Virtual Directory component of Oracle 
        Fusion Middleware (subcomponent: Virtual Directory Manager). 
        Supported versions that are affected are 11.1.1.7.0 and 11.1.1.9.0.
        Difficult to exploit vulnerability allows low privileged attacker 
        with network access via HTTP to compromise Oracle Virtual Directory.
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Virtual Directory
        accessible data as well as unauthorized read access to a subset of 
        Oracle Virtual Directory accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Oracle Virtual 
        Directory.
        
        CVE-2018-3254
        
        5.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        
        Vulnerability in the Oracle WebCenter Portal component of Oracle 
        Fusion Middleware (subcomponent: WebCenter Spaces Application). 
        Supported versions that are affected are 11.1.1.9.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker 
        with network access via HTTP to compromise Oracle WebCenter Portal.
        Successful attacks of this vulnerability can result in unauthorized
        read access to a subset of Oracle WebCenter Portal accessible data.
        
        CVE-2018-3302
        
        7.1
        
        AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H
        
        Vulnerability in the Oracle Outside In Technology component of 
        Oracle Fusion Middleware (subcomponent: Outside In Filters). The 
        supported version that is affected is 8.5.3. Easily exploitable 
        vulnerability allows unauthenticated attacker with network access 
        via HTTP to compromise Oracle Outside In Technology. Successful 
        attacks require human interaction from a person other than the 
        attacker. Successful attacks of this vulnerability can result in 
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology and unauthorized read
        access to a subset of Oracle Outside In Technology accessible data.
        
        CVE-2018-8013
        
        7.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        
        Vulnerability in the Oracle Business Intelligence Enterprise Edition
        component of Oracle Fusion Middleware (subcomponent: Oracle Business
        Intelligence Enterprise Edition (Apache Batik)). Supported versions
        that are affected are 11.1.1.7.0, 11.1.1.9.0, 12.2.1.3.0 and 
        12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle Business
        Intelligence Enterprise Edition. Successful attacks of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Oracle Business Intelligence Enterprise Edition 
        accessible data as well as unauthorized read access to a subset of 
        Oracle Business Intelligence Enterprise Edition accessible data and
        unauthorized ability to cause a partial denial of service (partial 
        DOS) of Oracle Business Intelligence Enterprise Edition.
        
        CVE-2018-8013
        
        7.3
        
        AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        
        Vulnerability in the Oracle Enterprise Repository component of 
        Oracle Fusion Middleware (subcomponent: Security Subsystem - 12c 
        (Apache Batik)). Supported versions that are affected are 11.1.1.7.0
        and 12.1.3.0.0. Easily exploitable vulnerability allows 
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Enterprise Repository. Successful attacks of this 
        vulnerability can result in unauthorized update, insert or delete 
        access to some of Oracle Enterprise Repository accessible data as 
        well as unauthorized read access to a subset of Oracle Enterprise 
        Repository accessible data and unauthorized ability to cause a 
        partial denial of service (partial DOS) of Oracle Enterprise 
        Repository."
        [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2018
            https://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html

        [2] Text Form of Oracle Critical Patch Update - October 2018 Risk
            Matrices
            https://www.oracle.com/technetwork/security-advisory/cpuoct2018verbose-5170927.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----