-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0021
                 Oracle Enterprise Manager security update
                              15 January 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Enterprise Manager
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-2673 CVE-2020-2646 CVE-2020-2645
                      CVE-2020-2644 CVE-2020-2643 CVE-2020-2642
                      CVE-2020-2641 CVE-2020-2640 CVE-2020-2639
                      CVE-2020-2638 CVE-2020-2637 CVE-2020-2636
                      CVE-2020-2635 CVE-2020-2634 CVE-2020-2633
                      CVE-2020-2632 CVE-2020-2631 CVE-2020-2630
                      CVE-2020-2629 CVE-2020-2628 CVE-2020-2626
                      CVE-2020-2625 CVE-2020-2624 CVE-2020-2623
                      CVE-2020-2622 CVE-2020-2621 CVE-2020-2620
                      CVE-2020-2619 CVE-2020-2618 CVE-2020-2617
                      CVE-2020-2616 CVE-2020-2615 CVE-2020-2614
                      CVE-2020-2613 CVE-2020-2612 CVE-2020-2611
                      CVE-2020-2610 CVE-2020-2609 CVE-2020-2608
                      CVE-2019-12415 CVE-2019-11358 CVE-2019-5482
                      CVE-2019-2904 CVE-2019-1547 CVE-2018-11058
                      CVE-2017-14735 CVE-2017-12626 CVE-2016-4000
Member content until: Friday, February 14 2020
Reference:            ASB-2020.0001
                      ESB-2019.3496
                      ESB-2019.1571
                      ESB-2018.0592
                      ESB-2018.0296
                      ESB-2017.1580

OVERVIEW

        Multiple vulnerabilities have been identified in:
         o Enterprise Manager Base Platform, versions 12.1.0.5, 13.2.0.0,
           13.3.0.0
         o Enterprise Manager for Fusion Middleware, versions 13.2.0.0,
           13.3.0.0
         o Enterprise Manager for Oracle Database, versions 12.1.0.5,
           13.2.0.0, 13.3.0.0
         o Enterprise Manager Ops Center, versions 12.3.3, 12.4.0
         o Oracle Application Testing Suite, versions 12.5.0.3, 13.1.0.1,
           13.2.0.1, 13.3.0.1
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 50 new security patches for
        Oracle Enterprise Manager. 10 of these vulnerabilities may be
        remotely exploitable without authentication, i.e., may be exploited
        over a network without requiring user credentials. None of these
        patches are applicable to client-only installations, i.e.,
        installations that do not have Oracle Enterprise Manager installed."
        [1]
        
        CVE-2018-11058
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 12.3.3 and 12.4.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTPS to compromise Enterprise Manager Ops Center.
        Successful attacks of this vulnerability can result in takeover of
        Enterprise Manager Ops Center.
         Affects:
         o Enterprise Manager Ops Center 12.3.3, 12.4.0
        
        CVE-2019-5482
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 12.3.3 and 12.4.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via multiple protocols to compromise Enterprise
        Manager Ops Center. Successful attacks of this vulnerability can
        result in takeover of Enterprise Manager Ops Center.
         Affects:
         o Enterprise Manager Ops Center 12.3.3, 12.4.0
        
        CVE-2019-2904
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Application Testing Suite. Successful attacks of this vulnerability
        can result in takeover of Oracle Application Testing Suite.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2016-4000
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Application Testing Suite. Successful attacks of this vulnerability
        can result in takeover of Oracle Application Testing Suite.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2017-12626
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Application Testing Suite. Successful attacks of this vulnerability
        can result in unauthorized ability to cause a hang or frequently
        repeatable crash (complete DOS) of Oracle Application Testing Suite.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2020-2673
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Application Testing Suite. Successful attacks of this vulnerability
        can result in unauthorized access to critical data or complete access
        to all Oracle Application Testing Suite accessible data.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2019-11358
          7.2 AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Application Testing Suite. While the vulnerability is in Oracle
        Application Testing Suite, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access to some of
        Oracle Application Testing Suite accessible data as well as
        unauthorized read access to a subset of Oracle Application Testing
        Suite accessible data.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2020-2609
          6.3 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access to some of
        Enterprise Manager Base Platform accessible data as well as
        unauthorized read access to a subset of Enterprise Manager Base
        Platform accessible data and unauthorized ability to cause a partial
        denial of service (partial DOS) of Enterprise Manager Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2017-14735
          6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle
        Application Testing Suite. Successful attacks require human
        interaction from a person other than the attacker and while the
        vulnerability is in Oracle Application Testing Suite, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete
        access to some of Oracle Application Testing Suite accessible data as
        well as unauthorized read access to a subset of Oracle Application
        Testing Suite accessible data.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2020-2631
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2636
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2626
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2634
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2624
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2633
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2642
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2645
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2617
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2610
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2611
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2612
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2618
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2619
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2620
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2621
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2616
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2622
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2629
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2630
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2613
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2628
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2639
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2625
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2643
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2623
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2615
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2644
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2608
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 13.2.0.0 and 13.3.0.0.
        Easily exploitable vulnerability allows high privileged attacker with
        network access via HTTP to compromise Enterprise Manager Base
        Platform. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all
        Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 13.2.0.0, 13.3.0.0
        
        CVE-2020-2632
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2635
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Enterprise Manager Base Platform accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager Base Platform accessible data and unauthorized ability to
        cause a partial denial of service (partial DOS) of Enterprise Manager
        Base Platform.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2020-2614
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 13.2.0.0 and 13.3.0.0.
        Easily exploitable vulnerability allows high privileged attacker with
        network access via HTTP to compromise Enterprise Manager for Fusion
        Middleware. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all
        Enterprise Manager for Fusion Middleware accessible data as well as
        unauthorized update, insert or delete access to some of Enterprise
        Manager for Fusion Middleware accessible data and unauthorized
        ability to cause a partial denial of service (partial DOS) of
        Enterprise Manager for Fusion Middleware.
         Affects:
         o Enterprise Manager for Fusion Middleware 13.2.0.0, 13.3.0.0
        
        CVE-2020-2637
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager for Oracle Database. Successful attacks of this vulnerability
        can result in unauthorized access to critical data or complete access
        to all Enterprise Manager for Oracle Database accessible data as well
        as unauthorized update, insert or delete access to some of Enterprise
        Manager for Oracle Database accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Enterprise
        Manager for Oracle Database.
         Affects:
         o Enterprise Manager for Oracle Database 12.1.0.5, 13.2.0.0,
           13.3.0.0
        
        CVE-2020-2641
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager for Oracle Database. Successful attacks of this vulnerability
        can result in unauthorized access to critical data or complete access
        to all Enterprise Manager for Oracle Database accessible data as well
        as unauthorized update, insert or delete access to some of Enterprise
        Manager for Oracle Database accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Enterprise
        Manager for Oracle Database.
         Affects:
         o Enterprise Manager for Oracle Database 12.1.0.5, 13.2.0.0,
           13.3.0.0
        
        CVE-2020-2638
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager for Oracle Database. Successful attacks of this vulnerability
        can result in unauthorized access to critical data or complete access
        to all Enterprise Manager for Oracle Database accessible data as well
        as unauthorized update, insert or delete access to some of Enterprise
        Manager for Oracle Database accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Enterprise
        Manager for Oracle Database.
         Affects:
         o Enterprise Manager for Oracle Database 12.1.0.5, 13.2.0.0,
           13.3.0.0
        
        CVE-2020-2640
          6.0 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows high privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager for Oracle Database. Successful attacks of this vulnerability
        can result in unauthorized access to critical data or complete access
        to all Enterprise Manager for Oracle Database accessible data as well
        as unauthorized update, insert or delete access to some of Enterprise
        Manager for Oracle Database accessible data and unauthorized ability
        to cause a partial denial of service (partial DOS) of Enterprise
        Manager for Oracle Database.
         Affects:
         o Enterprise Manager for Oracle Database 12.1.0.5, 13.2.0.0,
           13.3.0.0
        
        CVE-2019-12415
          5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 12.5.0.3, 13.1.0.1, 13.2.0.1
        and 13.3.0.1. Easily exploitable vulnerability allows low privileged
        attacker with logon to the infrastructure where Oracle Application
        Testing Suite executes to compromise Oracle Application Testing
        Suite. Successful attacks of this vulnerability can result in
        unauthorized access to critical data or complete access to all Oracle
        Application Testing Suite accessible data.
         Affects:
         o Oracle Application Testing Suite 12.5.0.3, 13.1.0.1, 13.2.0.1,
           13.3.0.1
        
        CVE-2020-2646
          5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        Supported versions that are affected are 12.1.0.5, 13.2.0.0 and
        13.3.0.0. Easily exploitable vulnerability allows low privileged
        attacker with network access via HTTP to compromise Enterprise
        Manager Base Platform. Successful attacks require human interaction
        from a person other than the attacker and while the vulnerability is
        in Enterprise Manager Base Platform, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access to some of
        Enterprise Manager Base Platform accessible data as well as
        unauthorized read access to a subset of Enterprise Manager Base
        Platform accessible data.
         Affects:
         o Enterprise Manager Base Platform 12.1.0.5, 13.2.0.0, 13.3.0.0
        
        CVE-2019-1547
          4.7 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 12.3.3 and 12.4.0. Difficult
        to exploit vulnerability allows low privileged attacker with logon to
        the infrastructure where Enterprise Manager Ops Center executes to
        compromise Enterprise Manager Ops Center. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Enterprise Manager Ops Center accessible data.
         Affects:
         o Enterprise Manager Ops Center 12.3.3, 12.4.0" [1]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2020
            https://www.oracle.com/security-alerts/cpujan2020.html

        [2] Text Form of Oracle Critical Patch Update - January 2020 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpujan2020verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================