===========================================================================
AUSCERT Security Bulletin

ASB-2012.0060
Oracle have released updates which correct vulnerabilities in numerous products
18 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
                      Oracle Database 11g Release 1, version 11.1.0.7
                      Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
                      Oracle Application Server 10g Release 3, version 10.1.3.5.0
                      Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2
                      Oracle DB UM Connector for Oracle Identity Manager, Version 9.1.0.4
                      Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5
                      Oracle JDeveloper, version 10.1.3.5.0
                      Oracle JRockit versions, R28.2.2 and earlier, R27.7.1 and earlier
                      Oracle Outside In Technology, versions 8.3.5, 8.3.7
                      Oracle WebCenter Forms Recognition, version 10.1.3.5
                      Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
                      Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
                      Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
                      Oracle E-Business Suite Release 11i, version 11.5.10.2
                      Oracle Agile, version 6.0.0
                      Oracle AutoVue version 20.0.2
                      Oracle PeopleSoft Enterprise CRM, version 9.1
                      Oracle PeopleSoft Enterprise HCM, version 9.1
                      Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
                      Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1
                      Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
                      Oracle PeopleSoft Enterprise Portal version 9.1
                      Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
                      Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2
                      Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0
                      Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0
                      Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2
                      Oracle Sun Product Suite
                      Oracle MySQL Server, versions 5.1, 5.5
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service -- Remote/Unauthenticated
                      Reduced Security  -- Unknown/Unspecified
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1710 CVE-2012-1709 CVE-2012-1708 CVE-2012-1707
                      CVE-2012-1706 CVE-2012-1704 CVE-2012-1703 CVE-2012-1698
                      CVE-2012-1697 CVE-2012-1696 CVE-2012-1695 CVE-2012-1694
                      CVE-2012-1693 CVE-2012-1692 CVE-2012-1691 CVE-2012-1690
                      CVE-2012-1688 CVE-2012-1684 CVE-2012-1683 CVE-2012-1681
                      CVE-2012-1679 CVE-2012-1676 CVE-2012-1674 CVE-2012-0583
                      CVE-2012-0582 CVE-2012-0581 CVE-2012-0580 CVE-2012-0579
                      CVE-2012-0577 CVE-2012-0576 CVE-2012-0575 CVE-2012-0573
                      CVE-2012-0571 CVE-2012-0567 CVE-2012-0566 CVE-2012-0565
                      CVE-2012-0564 CVE-2012-0562 CVE-2012-0561 CVE-2012-0560
                      CVE-2012-0559 CVE-2012-0558 CVE-2012-0557 CVE-2012-0556
                      CVE-2012-0555 CVE-2012-0554 CVE-2012-0552 CVE-2012-0551
                      CVE-2012-0550 CVE-2012-0549 CVE-2012-0548 CVE-2012-0546
                      CVE-2012-0545 CVE-2012-0544 CVE-2012-0543 CVE-2012-0542
                      CVE-2012-0541 CVE-2012-0539 CVE-2012-0538 CVE-2012-0537
                      CVE-2012-0536 CVE-2012-0535 CVE-2012-0534 CVE-2012-0533
                      CVE-2012-0532 CVE-2012-0531 CVE-2012-0530 CVE-2012-0529
                      CVE-2012-0528 CVE-2012-0527 CVE-2012-0526 CVE-2012-0525
                      CVE-2012-0524 CVE-2012-0523 CVE-2012-0522 CVE-2012-0521
                      CVE-2012-0520 CVE-2012-0519 CVE-2012-0517 CVE-2012-0516
                      CVE-2012-0515 CVE-2012-0514 CVE-2012-0513 CVE-2012-0512
                      CVE-2012-0511 CVE-2012-0510 CVE-2012-0509 CVE-2012-0501
                      CVE-2012-0499 CVE-2012-0498 CVE-2012-0497 CVE-2012-0208
                      CVE-2011-5035 CVE-2011-3563
Member content until: Friday, May 18 2012

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]

IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, the information regarding CVSS 2.0 scoring and affected
        products is available from the Oracle site. [1]

        Oracle states, "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible. This Critical Patch Update contains 88 new security fixes
        across the product families listed below." [1]

        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Application Server 10g Release 3, version 10.1.3.5.0
        Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2
        Oracle DB UM Connector for Oracle Identity Manager, Version 9.1.0.4
        Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5
        Oracle JDeveloper, version 10.1.3.5.0
        Oracle JRockit versions, R28.2.2 and earlier, R27.7.1 and earlier
        Oracle Outside In Technology, versions 8.3.5, 8.3.7
        Oracle WebCenter Forms Recognition, version 10.1.3.5
        Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
        Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
        Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile, version 6.0.0
        Oracle AutoVue version 20.0.2
        Oracle PeopleSoft Enterprise CRM, version 9.1
        Oracle PeopleSoft Enterprise HCM, version 9.1
        Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
        Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
        Oracle PeopleSoft Enterprise Portal version 9.1
        Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
        Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2
        Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0
        Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0
        Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2
        Oracle Sun Product Suite
        Oracle MySQL Server, versions 5.1, 5.5

MITIGATION

        Oracle recommends applying the latest patches for the affected
        products to correct these issues. [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2012
            http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================