===========================================================================
             AUSCERT Security Bulletin ASB-2012.0143
        Oracle Critical Patch Update Advisory - October 2012
                           17 October 2012
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Database
                   Oracle Fusion Middleware
                   Oracle Forms and Reports
                   Oracle BI Publisher
                   Oracle Event Processing
                   Oracle Identity Management
                   Oracle Imaging and Process Management
                   Oracle JRockit
                   Oracle Outside In Technology
                   Oracle WebLogic Server
                   Oracle WebCenter Sites
                   Oracle E-Business Suite
                   Oracle Agile PLM For Process
                   Oracle Agile PLM Framework
                   Oracle Agile Product Supplier Collaboration for Process
                   Oracle PeopleSoft
                   Oracle Siebel UI Framework
                   Oracle Central Designer
                   Oracle Clinical/Remote Data Capture
                   Oracle FLEXCUBE Direct Banking
                   Oracle FLEXCUBE Universal Banking
                   Oracle Sun Product Suite
                   Oracle Secure Global Desktop
                   Oracle VM Virtual Box
                   Oracle MySQL Server
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Reduced Security                -- Unknown/Unspecified
Resolution:        Patch/Upgrade
CVE Names:         CVE-2012-5095 CVE-2012-5094 CVE-2012-5093 CVE-2012-5092
                   CVE-2012-5091 CVE-2012-5090 CVE-2012-5085 CVE-2012-5083
                   CVE-2012-5081 CVE-2012-5066 CVE-2012-5065 CVE-2012-5064
                   CVE-2012-5063 CVE-2012-5061 CVE-2012-5058 CVE-2012-3230
                   CVE-2012-3229 CVE-2012-3228 CVE-2012-3227 CVE-2012-3226
                   CVE-2012-3225 CVE-2012-3224 CVE-2012-3223 CVE-2012-3222
                   CVE-2012-3221 CVE-2012-3217 CVE-2012-3215 CVE-2012-3214
                   CVE-2012-3212 CVE-2012-3211 CVE-2012-3210 CVE-2012-3209
                   CVE-2012-3208 CVE-2012-3207 CVE-2012-3206 CVE-2012-3205
                   CVE-2012-3204 CVE-2012-3203 CVE-2012-3202 CVE-2012-3201
                   CVE-2012-3200 CVE-2012-3199 CVE-2012-3198 CVE-2012-3197
                   CVE-2012-3196 CVE-2012-3195 CVE-2012-3194 CVE-2012-3193
                   CVE-2012-3191 CVE-2012-3189 CVE-2012-3188 CVE-2012-3187
                   CVE-2012-3186 CVE-2012-3185 CVE-2012-3184 CVE-2012-3183
                   CVE-2012-3182 CVE-2012-3181 CVE-2012-3180 CVE-2012-3179
                   CVE-2012-3177 CVE-2012-3176 CVE-2012-3175 CVE-2012-3173
                   CVE-2012-3171 CVE-2012-3167 CVE-2012-3166 CVE-2012-3165
                   CVE-2012-3164 CVE-2012-3163 CVE-2012-3162 CVE-2012-3161
                   CVE-2012-3160 CVE-2012-3158 CVE-2012-3157 CVE-2012-3156
                   CVE-2012-3155 CVE-2012-3154 CVE-2012-3153 CVE-2012-3152
                   CVE-2012-3151 CVE-2012-3150 CVE-2012-3149 CVE-2012-3148
                   CVE-2012-3147 CVE-2012-3146 CVE-2012-3145 CVE-2012-3144
                   CVE-2012-3142 CVE-2012-3141 CVE-2012-3140 CVE-2012-3139
                   CVE-2012-3138 CVE-2012-3137 CVE-2012-3132 CVE-2012-1763
                   CVE-2012-1751 CVE-2012-1686 CVE-2012-1685 CVE-2012-1531
                   CVE-2012-0518 CVE-2012-0217 CVE-2012-0108 CVE-2012-0107
                   CVE-2012-0106 CVE-2012-0095 CVE-2012-0093 CVE-2012-0092
                   CVE-2012-0090 CVE-2012-0086 CVE-2012-0071 CVE-2011-1411
Member content until: Friday, November 16 2012
Reference:         ASB-2012.0114
                   ESB-2012.0538
                   ESB-2011.0765

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]

IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, the following information regarding CVSS 2.0 scoring and
        affected products is available from the Oracle site. [1]

        According to Oracle, "This Critical Patch Update contains 109 new
        security fixes across the product families listed below." [1]

        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Fusion Middleware 11g Release 1, version 11.1.1.6
        Oracle Forms and Reports 11g, Release 2, version 11.1.2.0
        Oracle Forms and Reports 11g Release 1, version 11.1.1.4
        Oracle BI Publisher, versions 10.1.3.4.2, 11.1.1.5.0, 11.1.1.6.0,
          11.1.1.6.2
        Oracle Event Processing, versions 2.0, 11.1.1.4.0, 11.1.1.6.0
        Oracle Identity Management 10g, version 10.1.4.3
        Oracle Imaging and Process Management, version 10.1.3.6.0
        Oracle JRockit versions, R28.2.4 and earlier, R27.7.3 and earlier
        Oracle Outside In Technology, version 8.3.7
        Oracle WebLogic Server, versions 9.2.4.0, 10.0.2.0, 10.3.5.0,
          10.3.6.0, 12.1.1.0
        Oracle WebCenter Sites, versions 6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2,
          7.0.3, 7.5, 7.6.1, 7.6.2, 11.1.1.6.0
        Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2,
          12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile PLM For Process, versions 5.2.2, 6.0.0.6.3, 6.1.0.0,
          6.1.0.1.14
        Oracle Agile PLM Framework, versions 9.3.1.0, 9.3.1.1
        Oracle Agile Product Supplier Collaboration for Process,
          versions 5.2.2, 6.1.0.0
        Oracle PeopleSoft Enterprise Campus Solutions, version 9.0
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
        Oracle Siebel UI Framework, version 8.1.1
        Oracle Central Designer, versions 1.3, 1.4, 1.4.2
        Oracle Clinical/Remote Data Capture, versions 4.6.0, 4.6.2
        Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.0.5, 5.1.0, 5.2.0,
          5.3.0-5.3.4, 6.0.1, 6.2.0, 12
        Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0,
          11.0.0-11.4.0, 12
        Oracle Sun Product Suite
        Oracle Secure Global Desktop, version 4.6
        Oracle VM Virtual Box, versions 3.2, 4.0, 4.1
        Oracle MySQL Server, versions 5.1.63 and earlier, 5.5.25 and earlier

        CVE-2012-3137 is the most critical, with a CVSS score of 10.0 and a
        proof of concept available. The NIST National Vulnerability Database
        has more:

        "The authentication protocol in Oracle Database 11g 1 and 2 allows
        remote attackers to obtain the session key and salt for arbitrary
        users, which leaks information about the cryptographic hash and
        makes it easier to conduct brute force password guessing attacks,
        aka "stealth password cracking vulnerability."" [2]

        CVE-2012-3202 also has a CVSS score of 10.0; however, information on
        this vulnerability is not specific. The following is from the NIST
        National Vulnerability Database:

        "Multiple unspecified vulnerabilities in the Oracle JRockit component
        in Oracle Fusion Middleware 28.2.4 and earlier, and 27.7.3 and
        earlier, when using JDK/JRE 5 or 6, allow remote attackers to affect
        confidentiality, integrity, and availability via unknown vectors.
        NOTE: this overlaps CVE-2012-5083, CVE-2012-1531, CVE-2012-5081, and
        CVE-2012-5085." [3]

MITIGATION

        Oracle states that: "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]

        All users should apply the fixes available from the Oracle
        website. [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2012
            http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html

        [2] Vulnerability Summary for CVE-2012-3137
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3137

        [3] Vulnerability Summary for CVE-2012-3202
            http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3202

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures.

AusCERT takes no responsibility for consequences which may arise from
following or acting on information or advice contained in this security
bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
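As an added example (not part of the AusCERT bulletin), a small Python checker that tests an inventoried product version against the three ways the IMPACT list above phrases affected versions: a bare version, an inclusive range such as "5.3.0-5.3.4", and "X and earlier". The product table copies four of the bulletin's own entries; the inventory lines are constructed, and how "and earlier" and a bare version are read is an assumption stated in the comments.

```python
import re

# Affected-version phrases copied from the bulletin's product list (ASB-2012.0143).
AFFECTED = {
    "Oracle Database 11g Release 2": "11.2.0.2, 11.2.0.3",
    "Oracle MySQL Server": "5.1.63 and earlier, 5.5.25 and earlier",
    "Oracle FLEXCUBE Direct Banking":
        "5.0.2, 5.0.5, 5.1.0, 5.2.0, 5.3.0-5.3.4, 6.0.1, 6.2.0, 12",
    "Oracle JRockit": "R28.2.4 and earlier, R27.7.3 and earlier",
}

def vtuple(text):
    """'R28.2.4' -> (28, 2, 4): numeric components only, letter prefix dropped."""
    return tuple(int(n) for n in re.findall(r"\d+", text))

def matches(spec, installed):
    """Does one comma-separated item of a bulletin spec cover `installed`?"""
    v = vtuple(installed)
    spec = spec.strip()
    if spec.endswith("and earlier"):
        # Assumption: 'X and earlier' means the same release line as X
        # (all components but the last equal) at X's level or below.
        top = vtuple(spec[: -len("and earlier")])
        return v[: len(top) - 1] == top[:-1] and v <= top
    if "-" in spec:
        lo, hi = (vtuple(p) for p in spec.split("-", 1))
        return lo <= v <= hi  # inclusive range, e.g. 5.3.0-5.3.4
    exact = vtuple(spec)
    # Assumption: a bare version covers itself and any finer patch level of it.
    return v[: len(exact)] == exact

def is_affected(product, installed):
    """True if `installed` falls inside any affected spec for `product`."""
    spec = AFFECTED.get(product)
    if spec is None:
        return False
    return any(matches(item, installed) for item in spec.split(","))

if __name__ == "__main__":
    # Constructed inventory lines, not taken from the bulletin.
    inventory = [("Oracle MySQL Server", "5.5.20"),
                 ("Oracle MySQL Server", "5.5.28"),
                 ("Oracle FLEXCUBE Direct Banking", "5.3.2"),
                 ("Oracle JRockit", "R28.2.5")]
    for product, version in inventory:
        state = "AFFECTED" if is_affected(product, version) else "not listed"
        print(f"{product} {version}: {state}")
```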