Recently Oracle published its periodically security advisory. The advisory contains fixes for 334 CVEs, 231 of them are exploitable over the HTTP protocol.

Oracle tends not to publicly disclose details related to the attack vectors of the vulnerabilities they publish; however, we could tell based on public information that already exist for some of the vulnerabilities whether we are able to mitigate the attack vector with existing ASM signatures.

BIG-IP ASM customers are already protected against the following vulnerabilities published in the advisory:

CVE Identifier

Product

Signature IDs / Attack Type

CVE-2018-2943

Oracle Fusion Middleware MapViewer

Path Traversal Signatures

CVE-2018-3101

Oracle WebCenter Portal

200018018,200018030,200018036,200018037

CVE-2018-2894

Oracle WebLogic Server

200004048, Java Server Side Code Injection Signatures

CVE-2018-2945

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-2946

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-2947

JD Edwards EnterpriseOne Tools

Path Traversal Signatures

CVE-2018-2948

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-2949

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-2950

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-3100

Oracle Business Process Management Suite

SQL-Injection Signatures

CVE-2018-3105

Oracle SOA Suite

Path Traversal Signatures

CVE-2018-2999

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-3006

JD Edwards EnterpriseOne Tools

Cross Site Scripting (XSS) Signatures

CVE-2018-3016

PeopleSoft Enterprise PeopleTools

Cross Site Scripting (XSS) Signatures

CVE-2018-7489

Oracle WebLogic Server

Java Server Side Code Injection Signatures

 

We are constantly monitoring newly disclosed information and PoCs containing the attack vectors for the other vulnerabilities not mentioned in the table above and will release ASM signature updates if required.