Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
(Doc ID 1074055.1)
Last updated on JULY 17, 2019
Oracle WebLogic Server - Version 9.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle Database - Enterprise Edition - Version 10.1.0.5 and later
Information in this document applies to any platform.
This My Oracle Support document provides information on how to handle suspected vulnerabilities within Oracle products. The questions and answers provided within this FAQ are derived from the following Oracle Security site:
The Alert references a document that supplies a patch to be applied on top of the January 2019 or April 2019 WLS PSU:
<Note 2555019.1> Security Alert CVE-2019-2729 Patch Availability Document for Oracle WebLogic Server
Patches are supplied to combine CVE-2019-2729 and CVE-2019-2725 fixes (see April 26 alert below).
Why does the patch for 188.8.131.52 conflict with the PSU?
Answer: You may have downloaded the wrong patch. Be sure to select the version that matches your PSU; see <Note 2541027.1> Understanding Overlay Patch Release Versions.
My version is not listed, e.g. 10.3.5, 12.1.2, 184.108.40.206, 220.127.116.11, 18.104.22.168?
Answer: See the Alert section, "Supported Products and Versions". To fix vulnerabilities on older versions, you must upgrade as per <Note 950131.1>.
Is there a workaround?
Answer: There are no approved or Oracle-endorsed workarounds. The only solution is to upgrade and/or apply the patch.
I have applied the previous overlay for CVE-2019-2725, why does the new patch conflict?
Answer: On 10.3.6, you need to roll back the older overlay first.
Update July 16, 2019: Fixes for CVE-2019-2729 and CVE-2019-2725 are included in the July 2019 PSU.
- On 10.3.6, you are expected to roll these back along with the previous PSU before applying the new July PSU
- See <Note 2566635.1> for an issue where the July PSU is incorrectly conflicting on 12.1.3 and 22.214.171.124
<Note 2075927.1> CVE-2015-4852 Patch Availability Document for Oracle WebLogic Server Component of Oracle Fusion Middleware
<Note 2076338.1> CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware