-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2012.0143
           Oracle Critical Patch Update Advisory - October 2012
                              17 October 2012

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database
                      Oracle Fusion Middleware
                      Oracle Forms and Reports
                      Oracle BI Publisher
                      Oracle Event Processing
                      Oracle Identity Management
                      Oracle Imaging and Process Management
                      Oracle JRockit
                      Oracle Outside In Technology
                      Oracle WebLogic Server
                      Oracle WebCenter Sites
                      Oracle E-Business Suite
                      Oracle Agile PLM For Process
                      Oracle Agile PLM Framework
                      Oracle Agile Product Supplier Collaboration for Process
                      Oracle PeopleSoft
                      Oracle Siebel UI Framework
                      Oracle Central Designer
                      Oracle Clinical/Remote Data Capture
                      Oracle FLEXCUBE Direct Banking
                      Oracle FLEXCUBE Universal Banking
                      Oracle Sun Product Suite
                      Oracle Secure Global Desktop
                      Oracle VM Virtual Box
                      Oracle MySQL Server
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Reduced Security                -- Unknown/Unspecified   
Resolution:           Patch/Upgrade
CVE Names:            CVE-2012-5095 CVE-2012-5094 CVE-2012-5093
                      CVE-2012-5092 CVE-2012-5091 CVE-2012-5090
                      CVE-2012-5085 CVE-2012-5083 CVE-2012-5081
                      CVE-2012-5066 CVE-2012-5065 CVE-2012-5064
                      CVE-2012-5063 CVE-2012-5061 CVE-2012-5058
                      CVE-2012-3230 CVE-2012-3229 CVE-2012-3228
                      CVE-2012-3227 CVE-2012-3226 CVE-2012-3225
                      CVE-2012-3224 CVE-2012-3223 CVE-2012-3222
                      CVE-2012-3221 CVE-2012-3217 CVE-2012-3215
                      CVE-2012-3214 CVE-2012-3212 CVE-2012-3211
                      CVE-2012-3210 CVE-2012-3209 CVE-2012-3208
                      CVE-2012-3207 CVE-2012-3206 CVE-2012-3205
                      CVE-2012-3204 CVE-2012-3203 CVE-2012-3202
                      CVE-2012-3201 CVE-2012-3200 CVE-2012-3199
                      CVE-2012-3198 CVE-2012-3197 CVE-2012-3196
                      CVE-2012-3195 CVE-2012-3194 CVE-2012-3193
                      CVE-2012-3191 CVE-2012-3189 CVE-2012-3188
                      CVE-2012-3187 CVE-2012-3186 CVE-2012-3185
                      CVE-2012-3184 CVE-2012-3183 CVE-2012-3182
                      CVE-2012-3181 CVE-2012-3180 CVE-2012-3179
                      CVE-2012-3177 CVE-2012-3176 CVE-2012-3175
                      CVE-2012-3173 CVE-2012-3171 CVE-2012-3167
                      CVE-2012-3166 CVE-2012-3165 CVE-2012-3164
                      CVE-2012-3163 CVE-2012-3162 CVE-2012-3161
                      CVE-2012-3160 CVE-2012-3158 CVE-2012-3157
                      CVE-2012-3156 CVE-2012-3155 CVE-2012-3154
                      CVE-2012-3153 CVE-2012-3152 CVE-2012-3151
                      CVE-2012-3150 CVE-2012-3149 CVE-2012-3148
                      CVE-2012-3147 CVE-2012-3146 CVE-2012-3145
                      CVE-2012-3144 CVE-2012-3142 CVE-2012-3141
                      CVE-2012-3140 CVE-2012-3139 CVE-2012-3138
                      CVE-2012-3137 CVE-2012-3132 CVE-2012-1763
                      CVE-2012-1751 CVE-2012-1686 CVE-2012-1685
                      CVE-2012-1531 CVE-2012-0518 CVE-2012-0217
                      CVE-2012-0108 CVE-2012-0107 CVE-2012-0106
                      CVE-2012-0095 CVE-2012-0093 CVE-2012-0092
                      CVE-2012-0090 CVE-2012-0086 CVE-2012-0071
                      CVE-2011-1411  
Member content until: Friday, November 16 2012
Reference:            ASB-2012.0114
                      ESB-2012.0538
                      ESB-2011.0765

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]


IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, the following information regarding CVSS 2.0 scoring and
        affected products is available from the Oracle site. [1]
                
        According to Oracle, "This Critical Patch Update contains 109 new
        security fixes across the product families listed below." [1]
        
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Fusion Middleware 11g Release 1, version 11.1.1.6
        Oracle Forms and Reports 11g, Release 2, version 11.1.2.0
        Oracle Forms and Reports 11g Release 1, version 11.1.1.4
        Oracle BI Publisher, versions 10.1.3.4.2, 11.1.1.5.0, 11.1.1.6.0,
        11.1.1.6.2
        Oracle Event Processing, versions 2.0, 11.1.1.4.0, 11.1.1.6.0
        Oracle Identity Management 10g, version 10.1.4.3
        Oracle Imaging and Process Management, version 10.1.3.6.0
        Oracle JRockit, versions R28.2.4 and earlier, R27.7.3 and earlier
        Oracle Outside In Technology, version 8.3.7
        Oracle WebLogic Server, versions 9.2.4.0, 10.0.2.0, 10.3.5.0, 10.3.6.0,
        12.1.1.0
        Oracle WebCenter Sites, versions 6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2,
        7.0.3, 7.5, 7.6.1, 7.6.2, 11.1.1.6.0
        Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2,
        12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile PLM For Process, versions 5.2.2, 6.0.0.6.3, 6.1.0.0,
        6.1.0.1.14
        Oracle Agile PLM Framework, versions 9.3.1.0, 9.3.1.1
        Oracle Agile Product Supplier Collaboration for Process, versions
        5.2.2, 6.1.0.0
        Oracle PeopleSoft Enterprise Campus Solutions, version 9.0
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
        Oracle Siebel UI Framework, version 8.1.1
        Oracle Central Designer, versions 1.3, 1.4, 1.4.2
        Oracle Clinical/Remote Data Capture, versions 4.6.0, 4.6.2
        Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.0.5, 5.1.0, 5.2.0,
        5.3.0-5.3.4, 6.0.1, 6.2.0, 12
        Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0,
        11.0.0-11.4.0, 12
        Oracle Sun Product Suite
        Oracle Secure Global Desktop, version 4.6
        Oracle VM Virtual Box, versions 3.2, 4.0, 4.1
        Oracle MySQL Server, versions 5.1.63 and earlier, 5.5.25 and earlier
        
        CVE-2012-3137 is the most critical, with a CVSS score of 10.0 and a
        proof-of-concept available. The NIST National Vulnerability Database
        describes it as follows:
        "The authentication protocol in Oracle Database 11g 1 and 2 allows
        remote attackers to obtain the session key and salt for arbitrary
        users, which leaks information about the cryptographic hash and makes
        it easier to conduct brute force password guessing attacks, aka
        "stealth password cracking vulnerability."" [2]
        
        CVE-2012-3202 also has a CVSS score of 10.0; however, the published
        information on this vulnerability is not specific. The following is
        from the NIST National Vulnerability Database:
        "Multiple unspecified vulnerabilities in the Oracle JRockit component
        in Oracle Fusion Middleware 28.2.4 and earlier, and 27.7.3 and earlier,
        when using JDK/JRE 5 or 6, allow remote attackers to affect
        confidentiality, integrity, and availability via unknown vectors. NOTE:
        this overlaps CVE-2012-5083, CVE-2012-1531, CVE-2012-5081, and
        CVE-2012-5085." [3]


MITIGATION

        Oracle states that: "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]
        
        All users should apply the fixes available from the Oracle website. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2012
            http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

        [2] Vulnerability Summary for CVE-2012-3137
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3137

        [3] Vulnerability Summary for CVE-2012-3202
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3202

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----