
Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products (Doc ID 1074055.1)

Last updated on JULY 17, 2019

Applies to:

Oracle WebLogic Server - Version 9.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle Database - Enterprise Edition - Version 10.1.0.5 and later
Information in this document applies to any platform.



Purpose

Oracle Security Alert & Vulnerability Fixing Policy/Process

This My Oracle Support document provides information on how to handle suspected vulnerabilities in Oracle products. The questions and answers in this FAQ are derived from the following Oracle Security pages:

Critical Patch Updates and Security Alerts
https://www.oracle.com/technetwork/topics/security/alerts-086861.html

Security Vulnerability Fixing Policy and Process
https://www.oracle.com/corporate/security-practices/assurance/vulnerability/security-fixing.html

Popular Requests:

New! CVE-2019-2729 - Deserialization Vulnerability (2019)

The following Security Alert for Oracle WebLogic Server was released on June 18, 2019:

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2729-5570780.html

The Alert links to a document that supplies a patch to be applied on top of the January 2019 or April 2019 WLS PSU:

<Note 2555019.1> Security Alert CVE-2019-2729 Patch Availability Document for Oracle WebLogic Server

The supplied patches combine the CVE-2019-2729 and CVE-2019-2725 fixes (see the April 26 alert below).

New! CVE-2019-2725 - Deserialization Vulnerability (2019)

The following Security Alert for Oracle WebLogic Server was released on April 26, 2019:

https://www.oracle.com/technetwork/security-advisory/alert-cve-2019-2725-5466295.html

The Alert links to a document that supplies a patch to be applied on top of the January 2019 or April 2019 WLS PSU:

<Note 2535708.1> Security Alert CVE-2019-2725 Patch Availability Document for Oracle WebLogic Server

Deserialization Vulnerabilities in General

See the following document provided with the WLS PSU:

<Note 2421487.1> Restricting Incoming Serialized Java Objects to Oracle WebLogic Server - New with WLS PSUs



Previously released Security Alerts whose fixes are now cumulatively included in the latest Critical Patch Update patches:

CVE-2018-2628 - Deserialization Vulnerability (2018)

<Note 2395745.1> Additional Information About the Oracle WebLogic Server Vulnerability CVE-2018-2628

CVE-2015-4852 - Deserialization Vulnerability (2015)

https://www.oracle.com/technetwork/topics/security/alert-cve-2015-4852-2763333.html

<Note 2075927.1> CVE-2015-4852 Patch Availability Document for Oracle WebLogic Server Component of Oracle Fusion Middleware
<Note 2076338.1> CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware

CVE-2014-3566 - SSL V3.0 "Poodle" Vulnerability (2014)

https://www.oracle.com/technetwork/topics/security/poodlecve-2014-3566-2339408.html

<Note 1936300.1> How to Change SSL Protocols (to Disable SSL 2.0/3.0) in Oracle WebLogic Server & Fusion Middleware Products

CVE-2014-0160 - OpenSSL Security Bug - Heartbleed (2014)

https://www.oracle.com/technetwork/topics/security/alert-cve-2014-0160-2190703.html
https://www.oracle.com/technetwork/topics/security/opensslheartbleedcve-2014-0160-2188454.html


Important: This is not a comprehensive list; see the Security Alert page linked above.

Questions and Answers



In this Document
Purpose
 Oracle Security Alert & Vulnerability Fixing Policy/Process
 Popular Requests:
 New! CVE-2019-2729 - Deserialization Vulnerability (2019)
 New! CVE-2019-2725 - Deserialization Vulnerability (2019)
 Deserialization Vulnerabilities in General
 CVE-2018-2628 - Deserialization Vulnerability (2018)
 CVE-2015-4852 - Deserialization Vulnerability (2015)
 CVE-2014-3566 - SSL V3.0 "Poodle" Vulnerability (2014)
 CVE-2014-0160 - OpenSSL Security Bug - Heartbleed (2014)
Questions and Answers
 PART I: Vulnerability FAQs for All Oracle Products
 1. The First Step
 2. Vulnerability Information
 3. Scan Reports
 4. Researching a CVE Number
 5. How to Open a Service Request for a Vulnerability
 PART II: Vulnerability FAQs for Oracle WebLogic Server (WLS)
 1. The First Step
 2. Security Best Practices
 PART III: Vulnerability FAQs for Oracle Fusion Middleware (10g/11g/12c)
 1. The First Step
 2. Security Best Practices
 3. Apache Vulnerabilities
 4. Java Vulnerabilities
References
