-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2020.0072
         Oracle CPU for April 2020 for Fusion Middleware products
                               15 April 2020

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle WebLogic
                      Oracle Fusion Middleware products
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Virtualisation
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Read-only Data Access           -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2020-2952 CVE-2020-2950 CVE-2020-2949
                      CVE-2020-2915 CVE-2020-2884 CVE-2020-2883
                      CVE-2020-2869 CVE-2020-2867 CVE-2020-2829
                      CVE-2020-2828 CVE-2020-2811 CVE-2020-2801
                      CVE-2020-2798 CVE-2020-2787 CVE-2020-2786
                      CVE-2020-2785 CVE-2020-2784 CVE-2020-2783
                      CVE-2020-2766 CVE-2020-2747 CVE-2020-2745
                      CVE-2020-2740 CVE-2020-2739 CVE-2019-17571
                      CVE-2019-17359 CVE-2019-16943 CVE-2019-16168
                      CVE-2019-15903 CVE-2019-13990 CVE-2019-12415
                      CVE-2019-11358 CVE-2019-10247 CVE-2019-10088
                      CVE-2019-1547 CVE-2019-0222 CVE-2018-20843
                      CVE-2018-20622 CVE-2018-15756 CVE-2017-12626
                      CVE-2017-5130 CVE-2016-1000031 CVE-2016-10328
                      CVE-2015-7940  
Member content until: Friday, May 15 2020
Reference:            ASB-2020.0071
                      ESB-2018.1724
                      ESB-2017.2080
                      ESB-2015.3119

OVERVIEW

        Multiple vulnerabilities have been identified in:
         o Identity Manager Connector, version 9.0
         o Oracle Access Manager, versions 11.1.2.3.0, 12.2.1.3.0
         o Oracle API Gateway, version 11.1.2.4.0
         o Oracle Big Data Discovery, version 1.6
         o Oracle Business Intelligence Enterprise Edition, versions
           5.5.0.0.0, 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
         o Oracle Business Process Management Suite, version 12.2.1.4.0
         o Oracle Coherence, versions 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
         o Oracle Endeca Information Discovery Integrator, version 3.2.0
         o Oracle Endeca Server, version 7.7.0
         o Oracle Fusion Middleware MapViewer, version 12.2.1.3.0
         o Oracle Global Lifecycle Management NextGen OUI Framework,
           versions 12.2.1.3.0, 12.2.1.4.0, 13.9.4.2.2
         o Oracle HTTP Server, version 11.1.1.9.0
         o Oracle Managed File Transfer, versions 12.2.1.3.0, 12.2.1.4.0
         o Oracle Outside In Technology, versions 8.5.4, 8.5.5
         o Oracle SOA Suite, versions 12.2.1.3.0, 12.2.1.4.0
         o Oracle Unified Directory, versions 12.2.1.3.0, 12.2.1.4.0
         o Oracle WebCenter Portal, versions 11.1.1.9.0, 12.2.1.3.0,
           12.2.1.4.0
         o Oracle WebCenter Sites, versions 12.2.1.3.0, 12.2.1.4.0
         o Oracle WebLogic Server, versions 10.3.6.0.0, 12.1.3.0.0,
           12.2.1.3.0, 12.2.1.4.0
        [1]


IMPACT

        The vendor has provided the following information regarding the
        vulnerabilities:
        
        "This Critical Patch Update contains 51 new security patches for
        Oracle Fusion Middleware. 44 of these vulnerabilities may be remotely
        exploitable without authentication, i.e., may be exploited over a
        network without requiring user credentials." [1]
        
        CVE-2020-2950
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 5.5.0.0.0, 11.1.1.9.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Business Intelligence Enterprise Edition. Successful attacks
        of this vulnerability can result in takeover of Oracle Business
        Intelligence Enterprise Edition.
         Affects:
         o Oracle Business Intelligence Enterprise Edition 5.5.0.0.0,
           11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2016-1000031
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and
        12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle Business
        Intelligence Enterprise Edition. Successful attacks of this
        vulnerability can result in takeover of Oracle Business Intelligence
        Enterprise Edition.
         Affects:
         o Oracle Business Intelligence Enterprise Edition 11.1.1.9.0,
           12.2.1.3.0, 12.2.1.4.0
        
        CVE-2020-2915
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 3.7.1.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via T3 to compromise
        Oracle Coherence. Successful attacks of this vulnerability can result
        in takeover of Oracle Coherence.
         Affects:
         o Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2019-13990
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        The supported version that is affected is 12.2.1.3.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Fusion Middleware
        MapViewer. Successful attacks of this vulnerability can result in
        takeover of Oracle Fusion Middleware MapViewer.
         Affects:
         o Oracle Fusion Middleware MapViewer 12.2.1.3.0
        
        CVE-2019-16943
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 13.9.4.2.2, 12.2.1.3.0 and
        12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle Global
        Lifecycle Management NextGen OUI Framework. Successful attacks of
        this vulnerability can result in takeover of Oracle Global Lifecycle
        Management NextGen OUI Framework.
         Affects:
         o Oracle Global Lifecycle Management NextGen OUI Framework
           13.9.4.2.2, 12.2.1.3.0, 12.2.1.4.0
         o Oracle WebCenter Portal 12.2.1.3.0, 12.2.1.4.0
         o Oracle WebCenter Sites 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2016-10328
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in takeover of
        Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2019-17571
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0 and
        12.2.1.3.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle WebLogic
        Server. Successful attacks of this vulnerability can result in
        takeover of Oracle WebLogic Server.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0
        
        CVE-2020-2801
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via T3 to compromise
        Oracle WebLogic Server. Successful attacks of this vulnerability can
        result in takeover of Oracle WebLogic Server.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        
        CVE-2020-2883
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via T3 to compromise
        Oracle WebLogic Server. Successful attacks of this vulnerability can
        result in takeover of Oracle WebLogic Server.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        
        CVE-2020-2884
          9.8 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via T3 to compromise
        Oracle WebLogic Server. Successful attacks of this vulnerability can
        result in takeover of Oracle WebLogic Server.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        
        CVE-2019-10088
          8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
        The supported version that is affected is 12.2.1.4.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Business Process
        Management Suite. Successful attacks require human interaction from a
        person other than the attacker. Successful attacks of this
        vulnerability can result in takeover of Oracle Business Process
        Management Suite.
         Affects:
         o Oracle Business Process Management Suite 12.2.1.4.0
        
        CVE-2017-5130
          8.8 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
        The supported version that is affected is 11.1.1.9.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle HTTP Server. Successful
        attacks require human interaction from a person other than the
        attacker. Successful attacks of this vulnerability can result in
        takeover of Oracle HTTP Server.
         Affects:
         o Oracle HTTP Server 11.1.1.9.0
        
        CVE-2020-2867
          8.2 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N
        Supported versions that are affected are 12.1.3.0.0, 12.2.1.3.0 and
        12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTP to compromise Oracle WebLogic
        Server. Successful attacks of this vulnerability can result in
        unauthorized creation, deletion or modification access to critical
        data or all Oracle WebLogic Server accessible data as well as
        unauthorized read access to a subset of Oracle WebLogic Server
        accessible data.
         Affects:
         o Oracle WebLogic Server 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2019-0222
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 9.0. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Identity Manager Connector. Successful attacks of
        this vulnerability can result in unauthorized ability to cause a hang
        or frequently repeatable crash (complete DOS) of Identity Manager
        Connector.
         Affects:
         o Identity Manager Connector 9.0
        
        CVE-2018-15756
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 9.0. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Identity Manager Connector. Successful attacks of
        this vulnerability can result in unauthorized ability to cause a hang
        or frequently repeatable crash (complete DOS) of Identity Manager
        Connector.
         Affects:
         o Identity Manager Connector 9.0
        
        CVE-2015-7940
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        Supported versions that are affected are 11.1.1.9.0, 12.2.1.3.0 and
        12.2.1.4.0. Easily exploitable vulnerability allows unauthenticated
        attacker with network access via HTTPS to compromise Oracle Business
        Intelligence Enterprise Edition. Successful attacks of this
        vulnerability can result in unauthorized access to critical data or
        complete access to all Oracle Business Intelligence Enterprise
        Edition accessible data.
         Affects:
         o Oracle Business Intelligence Enterprise Edition 11.1.1.9.0,
           12.2.1.3.0, 12.2.1.4.0
        
        CVE-2017-12626
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 3.2.0. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Endeca Information Discovery Integrator.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Endeca Information Discovery Integrator.
         Affects:
         o Oracle Endeca Information Discovery Integrator 3.2.0
        
        CVE-2019-17359
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 12.2.1.3.0 and 12.2.1.4.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTPS to compromise Oracle Managed File Transfer.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Managed File Transfer.
         Affects:
         o Oracle Managed File Transfer 12.2.1.3.0, 12.2.1.4.0
         o Oracle SOA Suite 12.2.1.3.0, 12.2.1.4.0
         o Oracle WebCenter Portal 11.1.1.9.0, 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2019-15903
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2019-16168
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.5.5 and 8.5.4. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in unauthorized
        ability to cause a hang or frequently repeatable crash (complete DOS)
        of Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.5, 8.5.4
        
        CVE-2018-20843
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
        The supported version that is affected is 8.5.4. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Outside In Technology. Successful attacks
        of this vulnerability can result in unauthorized ability to cause a
        hang or frequently repeatable crash (complete DOS) of Oracle Outside
        In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4
        
        CVE-2020-2828
          7.5 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
        The supported version that is affected is 10.3.6.0.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via T3 to compromise Oracle WebLogic Server.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebLogic
        Server accessible data.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0
        
        CVE-2020-2739
          7.4 AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
        The supported version that is affected is 12.2.1.3.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle WebCenter Sites.
        Successful attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle WebCenter
        Sites, attacks may significantly impact additional products.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebCenter
        Sites accessible data.
         Affects:
         o Oracle WebCenter Sites 12.2.1.3.0
        
        CVE-2020-2784
          7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        The supported version that is affected is 8.5.4. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Outside In Technology. Successful attacks
        of this vulnerability can result in unauthorized update, insert or
        delete access to some of Oracle Outside In Technology accessible data
        as well as unauthorized read access to a subset of Oracle Outside In
        Technology accessible data and unauthorized ability to cause a
        partial denial of service (partial DOS) of Oracle Outside In
        Technology.
        Note : Outside In Technology is a suite of software development kits (SDKs).
        The protocol and CVSS score depend on the software that uses the
        Outside In Technology code. The CVSS score assumes that the software
        passes data received over a network directly to Outside In Technology
        code, but if data is not received over a network the CVSS score may
        be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4
        
        CVE-2020-2785
          7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Outside In
        Technology accessible data as well as unauthorized read access to a
        subset of Oracle Outside In Technology accessible data and
        unauthorized ability to cause a partial denial of service (partial
        DOS) of Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2020-2786
          7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Outside In
        Technology accessible data as well as unauthorized read access to a
        subset of Oracle Outside In Technology accessible data and
        unauthorized ability to cause a partial denial of service (partial
        DOS) of Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2020-2787
          7.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Outside In
        Technology accessible data as well as unauthorized read access to a
        subset of Oracle Outside In Technology accessible data and
        unauthorized ability to cause a partial denial of service (partial
        DOS) of Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2020-2798
          7.2 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        high privileged attacker with network access via T3 to compromise
        Oracle WebLogic Server. Successful attacks of this vulnerability can
        result in takeover of Oracle WebLogic Server.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        
        CVE-2020-2952
          6.5 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
        The supported version that is affected is 11.1.1.9.0. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle HTTP Server. Successful
        attacks of this vulnerability can result in unauthorized update,
        insert or delete access to some of Oracle HTTP Server accessible data
        as well as unauthorized read access to a subset of Oracle HTTP Server
        accessible data.
         Affects:
         o Oracle HTTP Server 11.1.1.9.0
        
        CVE-2018-20622
          6.5 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks require human interaction from a person other than
        the attacker. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a hang or frequently repeatable crash
        (complete DOS) of Oracle Outside In Technology.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2019-11358
          6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        The supported version that is affected is 1.6. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Big Data Discovery. Successful attacks
        require human interaction from a person other than the attacker and
        while the vulnerability is in Oracle Big Data Discovery, attacks may
        significantly impact additional products. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete
        access to some of Oracle Big Data Discovery accessible data as well
        as unauthorized read access to a subset of Oracle Big Data Discovery
        accessible data.
         Affects:
         o Oracle Big Data Discovery 1.6
         o Oracle Fusion Middleware MapViewer 12.2.1.3.0
         o Oracle WebCenter Sites 12.2.1.3.0
        
        CVE-2020-2811
          6.1 AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle WebLogic Server. Successful attacks require human interaction
        from a person other than the attacker and while the vulnerability is
        in Oracle WebLogic Server, attacks may significantly impact
        additional products. Successful attacks of this vulnerability can
        result in unauthorized update, insert or delete access to some of
        Oracle WebLogic Server accessible data as well as unauthorized read
        access to a subset of Oracle WebLogic Server accessible data.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        
        CVE-2019-12415
          5.5 AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
        The supported version that is affected is 1.6. Easily exploitable
        vulnerability allows low privileged attacker with logon to the
        infrastructure where Oracle Big Data Discovery executes to compromise
        Oracle Big Data Discovery. Successful attacks of this vulnerability
        can result in unauthorized access to critical data or complete access
        to all Oracle Big Data Discovery accessible data.
         Affects:
         o Oracle Big Data Discovery 1.6
        
        CVE-2020-2747
          5.4 AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
        Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Access Manager.
        Successful attacks require human interaction from a person other than
        the attacker and while the vulnerability is in Oracle Access Manager,
        attacks may significantly impact additional products. Successful
        attacks of this vulnerability can result in unauthorized update,
        insert or delete access to some of Oracle Access Manager accessible
        data as well as unauthorized read access to a subset of Oracle Access
        Manager accessible data.
         Affects:
         o Oracle Access Manager 11.1.2.3.0, 12.2.1.3.0
        
        CVE-2020-2949
          5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 3.7.1.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle Coherence. Successful attacks of this vulnerability can result
        in unauthorized read access to a subset of Oracle Coherence
        accessible data.
         Affects:
         o Oracle Coherence 3.7.1.0, 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2019-10247
          5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        The supported version that is affected is 3.2.0. Easily exploitable
        vulnerability allows unauthenticated attacker with network access via
        HTTP to compromise Oracle Endeca Information Discovery Integrator.
        Successful attacks of this vulnerability can result in unauthorized
        read access to a subset of Oracle Endeca Information Discovery
        Integrator accessible data.
         Affects:
         o Oracle Endeca Information Discovery Integrator 3.2.0
         o Oracle Unified Directory 12.2.1.3.0, 12.2.1.4.0
        
        CVE-2020-2783
          5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
        Supported versions that are affected are 8.5.4 and 8.5.5. Easily
        exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Outside In Technology.
        Successful attacks of this vulnerability can result in unauthorized
        update, insert or delete access to some of Oracle Outside In
        Technology accessible data.
        Note : Outside In Technology is a suite of software development kits
        (SDKs). The protocol and CVSS score depend on the software that uses
        the Outside In Technology code. The CVSS score assumes that the
        software passes data received over a network directly to Outside In
        Technology code, but if data is not received over a network the CVSS
        score may be lower.
         Affects:
         o Oracle Outside In Technology 8.5.4, 8.5.5
        
        CVE-2020-2766
          5.3 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle WebLogic Server. Successful attacks of this vulnerability can
        result in unauthorized read access to a subset of Oracle WebLogic
        Server accessible data.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        
        CVE-2020-2829
          4.9 AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
        The supported version that is affected is 10.3.6.0.0. Easily
        exploitable vulnerability allows high privileged attacker with
        network access via HTTP to compromise Oracle WebLogic Server.
        Successful attacks of this vulnerability can result in unauthorized
        access to critical data or complete access to all Oracle WebLogic
        Server accessible data.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0
        
        CVE-2019-1547
          4.7 AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N
        The supported version that is affected is 11.1.2.4.0. Difficult to
        exploit vulnerability allows low privileged attacker with logon to
        the infrastructure where Oracle API Gateway executes to compromise
        Oracle API Gateway. Successful attacks of this vulnerability can
        result in unauthorized access to critical data or complete access to
        all Oracle API Gateway accessible data.
         Affects:
         o Oracle API Gateway 11.1.2.4.0
         o Oracle Endeca Server 7.7.0
        
        CVE-2020-2740
          4.6 AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N
        Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows low privileged attacker with
        network access via HTTP to compromise Oracle Access Manager.
        Successful attacks require human interaction from a person other than
        the attacker. Successful attacks of this vulnerability can result in
        unauthorized update, insert or delete access to some of Oracle Access
        Manager accessible data as well as unauthorized read access to a
        subset of Oracle Access Manager accessible data.
         Affects:
         o Oracle Access Manager 11.1.2.3.0, 12.2.1.3.0
        
        CVE-2020-2745
          4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
        Supported versions that are affected are 11.1.2.3.0 and 12.2.1.3.0.
        Easily exploitable vulnerability allows unauthenticated attacker with
        network access via HTTP to compromise Oracle Access Manager.
        Successful attacks require human interaction from a person other than
        the attacker. Successful attacks of this vulnerability can result in
        unauthorized ability to cause a partial denial of service (partial
        DOS) of Oracle Access Manager.
         Affects:
         o Oracle Access Manager 11.1.2.3.0, 12.2.1.3.0
        
        CVE-2020-2869
          4.3 AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N
        Supported versions that are affected are 10.3.6.0.0, 12.1.3.0.0,
        12.2.1.3.0 and 12.2.1.4.0. Easily exploitable vulnerability allows
        unauthenticated attacker with network access via HTTP to compromise
        Oracle WebLogic Server. Successful attacks require human interaction
        from a person other than the attacker. Successful attacks of this
        vulnerability can result in unauthorized update, insert or delete
        access to some of Oracle WebLogic Server accessible data.
         Affects:
         o Oracle WebLogic Server 10.3.6.0.0, 12.1.3.0.0, 12.2.1.3.0,
           12.2.1.4.0
        [1]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2020
            https://www.oracle.com/security-alerts/cpuapr2020.html

        [2] Text Form of Oracle Critical Patch Update - April 2020 Risk
            Matrices
            https://www.oracle.com/security-alerts/cpuapr2020verbose.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----