Security Vulnerability FAQ for Oracle Database and Fusion Middleware Products
(Doc ID 1074055.1)
Last updated on OCTOBER 29, 2019
Oracle WebLogic Server - Version 9.0 and later
Oracle Fusion Middleware - Version 10.1.2.0.0 and later
Oracle Database - Enterprise Edition - Version 10.1.0.5 and later
Information in this document applies to any platform.
This My Oracle Support document provides information on how to handle suspected vulnerabilities within Oracle products. The questions and answers provided within this FAQ are derived from the following Oracle Security site:
The Security Alert is accompanied by a Patch Availability Document that supplies a patch to be applied on top of the January 2019 or April 2019 WLS PSU:
<Note 2555019.1> Security Alert CVE-2019-2729 Patch Availability Document for Oracle WebLogic Server
The patches supplied combine the CVE-2019-2729 fix with the CVE-2019-2725 fix that was released on April 26 (see below).
Update July 16, 2019: Fixes for both CVE-2019-2729 and CVE-2019-2725 are now included in the July 2019 and newer PSUs.
The latest PSU can be found using <Note 1470197.1> Patch Set Update (PSU) Release Listing for Oracle WebLogic Server (WLS)
Why does the new PSU conflict with the patches provided for these CVEs? Answer: On 10.3.6 (patched with Smart Update, bsu), you are always expected to roll back any previously supplied overlay patches, together with the previous PSU, before applying the new cumulative PSU. On 12c, OPatch normally recognizes a cumulative patch as a superset of the interim patches it contains, so a conflict should not be seen.
Refer to <Note 2566635.1> for the patch conflict between previous interim patches and the PSU. That note explains: "This issue is the result of using different bug numbers to track the one-off interim patch and to include the same fix in the PSU." For all versions, check the Bugs Fixed list in the patch README to confirm which fixes are cumulatively included. The correct action for all versions is to roll back the previous patches and then apply the new cumulative PSU.
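The check in the answer above (confirm from the README's Bugs Fixed list which installed fixes the cumulative PSU already contains, then roll everything back before applying it) can be scripted. The following is an added example written for this FAQ; it is not Oracle tooling or code from this note. It assumes `opatch lsinventory` output in the "Patch NNN : applied on ... / Bugs fixed:" layout shown in the constructed sample, a README whose Bugs Fixed section lists one bug number per line, and made-up patch and bug numbers. Where a one-off's bug number is absent from the PSU list the script does not conclude the fix is missing, because, as Note 2566635.1 explains, the PSU may track the same fix under a different bug number; it flags that patch for manual verification instead.

```python
"""Plan the rollback of installed WebLogic interim patches before a new cumulative PSU.

Added example for this FAQ; not Oracle code. Inputs are constructed samples in the
general shape of `opatch lsinventory` output and a PSU README "Bugs Fixed" section.
"""
import re
from dataclasses import dataclass, field

# Constructed `opatch lsinventory` excerpt. Patch and bug numbers are made up.
SAMPLE_LSINVENTORY = """\
Interim patches (3) :

Patch  10000001     : applied on Tue Apr 30 09:12:44 EDT 2019
Unique Patch ID:  20000001
Patch description:  "WLS PATCH SET UPDATE 12.2.1.3.190416"
   Created on 9 Apr 2019, 08:18:56 hrs PST8PDT
   Bugs fixed:
     30000001, 30000002, 30000003

Patch  10000002     : applied on Mon May 06 14:03:10 EDT 2019
Unique Patch ID:  20000002
Patch description:  "One-off on top of 12.2.1.3.190416"
   Created on 3 May 2019, 11:02:11 hrs PST8PDT
   Bugs fixed:
     30000004

Patch  10000003     : applied on Wed Jun 19 08:45:00 EDT 2019
Unique Patch ID:  20000003
Patch description:  "One-off on top of 12.2.1.3.190416"
   Created on 17 Jun 2019, 10:00:00 hrs PST8PDT
   Bugs fixed:
     30000005
"""

# Constructed "Bugs Fixed" section of the new cumulative PSU's README. It carries the
# old PSU's bugs, the bug from one-off 10000002, and a *different* number (30000006)
# for a fix that one-off 10000003 tracks as 30000005 (the Note 2566635.1 situation).
SAMPLE_PSU_README_BUGS = """\
Bugs Fixed by This Patch
30000001
30000002
30000003
30000004
30000006
30000007
"""

PATCH_HEADER = re.compile(r"^Patch\s+(\d+)\s*:\s*applied on", re.M)
DESCRIPTION = re.compile(r'^Patch description:\s*"([^"]*)"', re.M)


@dataclass
class InstalledPatch:
    patch_id: str
    description: str
    bugs_fixed: set = field(default_factory=set)


def parse_lsinventory(text):
    """Split lsinventory text into one InstalledPatch per 'Patch NNN : applied on' block."""
    parts = PATCH_HEADER.split(text)  # [preamble, id1, body1, id2, body2, ...]
    patches = []
    for i in range(1, len(parts), 2):
        patch_id, body = parts[i], parts[i + 1]
        match = DESCRIPTION.search(body)
        description = match.group(1) if match else ""
        bugs = set()
        if "Bugs fixed:" in body:
            # Only numbers after the marker count; the header date and Unique Patch ID precede it.
            bugs = set(re.findall(r"\b\d{6,}\b", body.split("Bugs fixed:", 1)[1]))
        patches.append(InstalledPatch(patch_id, description, bugs))
    return patches


def parse_readme_bugs(text):
    """Collect bug numbers from a README Bugs Fixed section with one number per line."""
    return set(re.findall(r"^\s*(\d{6,})\s*$", text, re.M))


def rollback_plan(installed, psu_bugs, psu_marker="PATCH SET UPDATE"):
    """Map patch_id -> action. Everything is rolled back before the new PSU (per the FAQ);
    the plan records whether a one-off is known to be superseded or needs manual review."""
    plan = {}
    for p in installed:
        if psu_marker in p.description.upper():
            plan[p.patch_id] = "rollback (previous PSU)"
        elif p.bugs_fixed and p.bugs_fixed <= psu_bugs:
            plan[p.patch_id] = "rollback (superseded by new PSU)"
        else:
            missing = ", ".join(sorted(p.bugs_fixed - psu_bugs)) or "no Bugs fixed list parsed"
            plan[p.patch_id] = "rollback, then verify manually; bugs not in PSU list: " + missing
    return plan


def rollback_commands(installed, plan):
    """12c OPatch rollback commands: overlay one-offs first, the previous PSU last."""
    overlays = [p.patch_id for p in installed if plan[p.patch_id] != "rollback (previous PSU)"]
    psus = [p.patch_id for p in installed if plan[p.patch_id] == "rollback (previous PSU)"]
    return [f"opatch rollback -id {pid}" for pid in overlays + psus]


if __name__ == "__main__":
    installed = parse_lsinventory(SAMPLE_LSINVENTORY)
    plan = rollback_plan(installed, parse_readme_bugs(SAMPLE_PSU_README_BUGS))
    for pid, action in plan.items():
        print(pid, "->", action)
    print("\n".join(rollback_commands(installed, plan)))
```

Patch 10000003 is the interesting case: its bug number is not in the PSU list, so the script refuses to call it superseded and leaves the decision (same fix under another bug number, or a new overlay still required) to a person reading the README and the Patch Availability Document.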
My version is not listed (e.g. 10.3.5 or 12.1.2)? Answer: See the Alert section "Supported Products and Versions". Fixes are only provided for supported versions; to fix vulnerabilities on older versions you must upgrade, as described in <Note 950131.1>.
Is there a workaround? Answer: There are no approved or Oracle-endorsed workarounds; the only solution is to upgrade and/or apply the patch.
<Note 2075927.1> CVE-2015-4852 Patch Availability Document for Oracle WebLogic Server Component of Oracle Fusion Middleware
<Note 2076338.1> CVE-2015-4852 Mitigation Recommendations for Oracle WebLogic Server Component of Oracle Fusion Middleware