===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0060
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               18 April 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
                      Oracle Database 11g Release 1, version 11.1.0.7
                      Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
                      Oracle Application Server 10g Release 3, version 10.1.3.5.0
                      Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2
                      Oracle DB UM Connector for Oracle Identity Manager, Version 9.1.0.4
                      Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5
                      Oracle JDeveloper, version 10.1.3.5.0
                      Oracle JRockit, versions R28.2.2 and earlier, R27.7.1 and earlier
                      Oracle Outside In Technology, versions 8.3.5, 8.3.7
                      Oracle WebCenter Forms Recognition, version 10.1.3.5
                      Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
                      Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
                      Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
                      Oracle E-Business Suite Release 11i, version 11.5.10.2
                      Oracle Agile, version 6.0.0
                      Oracle AutoVue version 20.0.2
                      Oracle PeopleSoft Enterprise CRM, version 9.1
                      Oracle PeopleSoft Enterprise HCM, version 9.1
                      Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
                      Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1
                      Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
                      Oracle PeopleSoft Enterprise Portal version 9.1
                      Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
                      Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2
                      Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0
                      Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0
                      Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2
                      Oracle Sun Product Suite
                      Oracle MySQL Server, versions 5.1, 5.5
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Denial of Service -- Remote/Unauthenticated
                      Reduced Security  -- Unknown/Unspecified   
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-1710 CVE-2012-1709 CVE-2012-1708
                      CVE-2012-1707 CVE-2012-1706 CVE-2012-1704
                      CVE-2012-1703 CVE-2012-1698 CVE-2012-1697
                      CVE-2012-1696 CVE-2012-1695 CVE-2012-1694
                      CVE-2012-1693 CVE-2012-1692 CVE-2012-1691
                      CVE-2012-1690 CVE-2012-1688 CVE-2012-1684
                      CVE-2012-1683 CVE-2012-1681 CVE-2012-1679
                      CVE-2012-1676 CVE-2012-1674 CVE-2012-0583
                      CVE-2012-0582 CVE-2012-0581 CVE-2012-0580
                      CVE-2012-0579 CVE-2012-0577 CVE-2012-0576
                      CVE-2012-0575 CVE-2012-0573 CVE-2012-0571
                      CVE-2012-0567 CVE-2012-0566 CVE-2012-0565
                      CVE-2012-0564 CVE-2012-0562 CVE-2012-0561
                      CVE-2012-0560 CVE-2012-0559 CVE-2012-0558
                      CVE-2012-0557 CVE-2012-0556 CVE-2012-0555
                      CVE-2012-0554 CVE-2012-0552 CVE-2012-0551
                      CVE-2012-0550 CVE-2012-0549 CVE-2012-0548
                      CVE-2012-0546 CVE-2012-0545 CVE-2012-0544
                      CVE-2012-0543 CVE-2012-0542 CVE-2012-0541
                      CVE-2012-0539 CVE-2012-0538 CVE-2012-0537
                      CVE-2012-0536 CVE-2012-0535 CVE-2012-0534
                      CVE-2012-0533 CVE-2012-0532 CVE-2012-0531
                      CVE-2012-0530 CVE-2012-0529 CVE-2012-0528
                      CVE-2012-0527 CVE-2012-0526 CVE-2012-0525
                      CVE-2012-0524 CVE-2012-0523 CVE-2012-0522
                      CVE-2012-0521 CVE-2012-0520 CVE-2012-0519
                      CVE-2012-0517 CVE-2012-0516 CVE-2012-0515
                      CVE-2012-0514 CVE-2012-0513 CVE-2012-0512
                      CVE-2012-0511 CVE-2012-0510 CVE-2012-0509
                      CVE-2012-0501 CVE-2012-0499 CVE-2012-0498
                      CVE-2012-0497 CVE-2012-0208 CVE-2011-5035
                      CVE-2011-3563  
Member content until: Friday, May 18 2012

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]


IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, information regarding CVSS 2.0 scoring and affected
        products is available from the Oracle site. [1]
        
        Oracle states, "Due to the threat posed by a successful attack, Oracle 
        strongly recommends that customers apply CPU fixes as soon as possible. 
        This Critical Patch Update contains 88 new security fixes across the
        product families listed below." [1]
        
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Application Server 10g Release 3, version 10.1.3.5.0
        Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2
        Oracle DB UM Connector for Oracle Identity Manager, Version 9.1.0.4
        Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5
        Oracle JDeveloper, version 10.1.3.5.0
        Oracle JRockit, versions R28.2.2 and earlier, R27.7.1 and earlier
        Oracle Outside In Technology, versions 8.3.5, 8.3.7
        Oracle WebCenter Forms Recognition, version 10.1.3.5
        Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
        Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
        Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile, version 6.0.0
        Oracle AutoVue version 20.0.2
        Oracle PeopleSoft Enterprise CRM, version 9.1
        Oracle PeopleSoft Enterprise HCM, version 9.1
        Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
        Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
        Oracle PeopleSoft Enterprise Portal version 9.1
        Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
        Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2
        Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0
        Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0
        Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2
        Oracle Sun Product Suite
        Oracle MySQL Server, versions 5.1, 5.5


MITIGATION

        Oracle recommends applying the latest patches for the affected 
        products to correct these issues. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2012
            http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================