===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0009
       Oracle has released 78 updates which correct vulnerabilities
                             in their products
                              18 January 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
                      Oracle Database 11g Release 1, version 11.1.0.7
                      Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
                      Oracle Database 10g Release 1, version 10.1.0.5
                      Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
                      Oracle Application Server 10g Release 3, version 10.1.3.5.0
                      Oracle Outside In Technology, versions 8.3.5, 8.3.7
                      Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
                      Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3
                      Oracle E-Business Suite Release 11i, version 11.5.10.2
                      Oracle Transportation Management, versions 5.5, 6.0, 6.1, 6.2
                      Oracle PeopleSoft Enterprise CRM, version 8.9
                      Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1
                      Oracle PeopleSoft Enterprise PeopleTools, version 8.52
                      Oracle JDEdwards, version 8.98
                      Oracle Sun Product Suite
                      Oracle VM VirtualBox, version 4.1
                      Oracle Virtual Desktop Infrastructure, version 3.2
                      Oracle MySQL Server, versions 5.0, 5.1, 5.5
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Reduced Security  -- Unknown/Unspecified   
                      Denial of Service -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-0496 CVE-2012-0495 CVE-2012-0494
                      CVE-2012-0493 CVE-2012-0492 CVE-2012-0491
                      CVE-2012-0490 CVE-2012-0489 CVE-2012-0488
                      CVE-2012-0487 CVE-2012-0486 CVE-2012-0485
                      CVE-2012-0484 CVE-2012-0120 CVE-2012-0119
                      CVE-2012-0118 CVE-2012-0117 CVE-2012-0116
                      CVE-2012-0115 CVE-2012-0114 CVE-2012-0113
                      CVE-2012-0112 CVE-2012-0111 CVE-2012-0110
                      CVE-2012-0109 CVE-2012-0105 CVE-2012-0104
                      CVE-2012-0103 CVE-2012-0102 CVE-2012-0101
                      CVE-2012-0100 CVE-2012-0099 CVE-2012-0098
                      CVE-2012-0097 CVE-2012-0096 CVE-2012-0094
                      CVE-2012-0091 CVE-2012-0089 CVE-2012-0088
                      CVE-2012-0087 CVE-2012-0085 CVE-2012-0084
                      CVE-2012-0083 CVE-2012-0081 CVE-2012-0080
                      CVE-2012-0079 CVE-2012-0078 CVE-2012-0077
                      CVE-2012-0076 CVE-2012-0075 CVE-2012-0074
                      CVE-2012-0073 CVE-2011-5035 CVE-2011-4517
                      CVE-2011-4516 CVE-2011-3574 CVE-2011-3573
                      CVE-2011-3571 CVE-2011-3570 CVE-2011-3569
                      CVE-2011-3568 CVE-2011-3566 CVE-2011-3565
                      CVE-2011-3564 CVE-2011-3531 CVE-2011-3524
                      CVE-2011-3514 CVE-2011-3509 CVE-2011-3192
                      CVE-2011-2326 CVE-2011-2325 CVE-2011-2324
                      CVE-2011-2321 CVE-2011-2317 CVE-2011-2271
                      CVE-2011-2262  
Member content until: Friday, February 17 2012
Reference:            ASB-2012.0007
                      ASB-2011.0091
                      ASB-2011.0080
                      ASB-2011.0076.2

OVERVIEW

        Oracle have released updates which correct vulnerabilities in their
        products. [1]


IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, the following information regarding CVSS 2.0 scoring and
        affected products is available from the Oracle site [1].
                                
        Oracle states, "Due to the threat posed by a successful attack, Oracle strongly 
        recommends that customers apply CPU fixes as soon as possible. 
        This Critical Patch Update contains 78 new security fixes across all 
        product families listed below." [1]
        
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Database 10g Release 1, version 10.1.0.5
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
        Oracle Application Server 10g Release 3, version 10.1.3.5.0
        Oracle Outside In Technology, versions 8.3.5, 8.3.7
        Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
        Oracle E-Business Suite Release 12, versions 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Transportation Management, versions 5.5, 6.0, 6.1, 6.2
        Oracle PeopleSoft Enterprise CRM, version 8.9
        Oracle PeopleSoft Enterprise HCM, versions 8.9, 9.0, 9.1
        Oracle PeopleSoft Enterprise PeopleTools, version 8.52
        Oracle JDEdwards, version 8.98
        Oracle Sun Product Suite
        Oracle VM VirtualBox, version 4.1
        Oracle Virtual Desktop Infrastructure, version 3.2
        Oracle MySQL Server, versions 5.0, 5.1, 5.5


MITIGATION

        
        Oracle states, "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible."
        
        Links to the appropriate patches are available at the Oracle 
        website. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2012
            http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================