Oracle security advisory – April 2021 Quarterly Rollup

Number: AV21-180
Date: 21 April 2021

On 20 April 2021 Oracle published a Critical Patch Update Advisory to address vulnerabilities in multiple products. Included were critical updates for the following:

  • Oracle Communications Design Studio: Inventory Services (Netty) - version 7.4.2
  • Oracle Communications Messaging Server: Message Store (Apache PDFBox) - version 8.1.0
  • Oracle Communications Messaging Server: Message Store (Netty) - version 8.1.0
  • Oracle Communications Messaging Server: Message Store (Bouncy Castle Java Library) - version 8.0.2
  • Oracle Communications Application Session Controller: Security (Bouncy Castle Java Library) - version 3.9m0p3
  • Instantis EnterpriseTrack: Browser (Apache Cordova InAppBrowser) - versions 17.1, 17.2 and 17.3
  • Oracle Applications Framework: Home page - version 12.2.10
  • Oracle Marketing: Marketing Administration - versions 12.2.7 to 12.2.10
  • Enterprise Manager Base Platform: Enterprise Manager Install (Nimbus JOSE+JWT) - version 13.4.0.0
  • Oracle FLEXCUBE Private Banking: Financial Planning (Apache ActiveMQ) - versions 12.0.0 and 12.1.0
  • Oracle FLEXCUBE Private Banking: Order Management (Spring Integration) - versions 12.0.0 and 12.1.0
  • Oracle FLEXCUBE Private Banking: Order Management (Spring Web Services) - versions 12.0.0 and 12.1.0
  • Oracle FLEXCUBE Private Banking: Demographics (Eclipse Jetty) - versions 12.0.0 and 12.1.0
  • Oracle Business Intelligence Enterprise Edition: Analytics Server (Apache Spark) - version 5.5.0.0.0
  • Oracle Fusion Middleware: Centralized Thirdparty Jars (dom4j) - versions 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0
  • Oracle Platform Security for Java: OPSS - versions 11.1.1.9.0, 12.2.1.3.0 and 12.2.1.4.0
  • Oracle WebCenter Portal: Security Framework (Netty) - versions 12.2.1.3.0 and 12.2.1.4.0
  • Oracle WebLogic Server: Core - versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
  • Oracle WebLogic Server: Coherence Container - versions 12.1.3.0.0, 12.2.1.3.0, 12.2.1.4.0 and 14.1.1.0.0
  • FMW Platform: Common Components (Eclipse Jetty) - versions 12.2.1.3.0 and 12.2.1.4.0
  • Oracle Health Sciences Information Manager: Health Record Locator (Apache Ant) - versions 3.0.0 to 3.0.2
  • Oracle Hospitality OPERA 5: Logging (Apache log4net) - versions 5.5 and 5.6
  • Oracle Hospitality OPERA 5: Login (Apache Struts) - version 5.6
  • Hyperion Analytic Provider Services: JAPI - versions 11.1.2.4 and 12.2.1.4
  • JD Edwards EnterpriseOne Tools: E1 Dev Platform Tech - Cloud (Bouncy Castle Java Library) - versions prior to 9.2.5.3
  • MySQL Enterprise Monitor: Monitoring: General (Apache Struts) - version 8.0.23 and prior
  • Oracle Retail Xstore Point of Service: Xenvironment (dom4j) - versions 15.0.4, 16.0.6, 17.0.4 and 18.0.3
  • Oracle Retail Xstore Point of Service: Xstore Office (Apache PDFBox) - versions 16.0.6 and 18.0.3
  • Oracle Cloud Infrastructure Storage Gateway: Management Console - versions prior to 1.4
  • Oracle Storage Cloud Software Appliance: Management Console - versions prior to 16.3.1.4.2
  • Oracle Rapid Planning: User interface (Application Development Framework) - version 12.1.3
  • Oracle Advanced Supply Chain Planning: Core - versions 12.1 and 12.2
  • Oracle ZFS Storage Appliance Kit: Operating System Image - version 8.8
  • Oracle Utilities Framework: General (Swagger UI) - versions 4.3.0.6.0, 4.4.0.0.0 and 4.4.0.2.0
  • Oracle Utilities Framework: Security (Bouncy Castle Java Library) - versions 4.3.0.6.0, 4.4.0.0.0, 4.4.0.2.0 and 4.4.0.3.0
  • Oracle Secure Global Desktop: Gateway - version 5.6
  • Oracle Secure Global Desktop: Server - version 5.6
  • Oracle Secure Global Desktop: Client - version 5.6

The Cyber Centre encourages users and administrators to review the provided web link and apply the necessary updates.

Oracle Critical Patch Update Advisory - April 2021
https://www.oracle.com/security-alerts/cpuapr2021.html

Note to Readers

The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment. We are Canada’s national authority on cyber security and we lead the government’s response to cyber security events. As Canada’s national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.
