===========================================================================
             AUSCERT Security Bulletin

                         ASB-2013.0007
     Oracle have released 86 updates which correct vulnerabilities
                         16 January 2013
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
                   Oracle Database 11g Release 1, version 11.1.0.7
                   Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
                   Oracle Database Mobile Server, version 11.1.0.0
                   Oracle Database Lite Server, version 10.3.0.3
                   Oracle Access Manager/Webgate, versions 10.1.4.3.0, 11.1.1.5.0, 11.1.2.0.0
                   Oracle GoldenGate Veridata, version 3.0.0.11.0
                   Management Pack for Oracle GoldenGate, version 11.1.1.1.0
                   Oracle Outside In Technology, versions 8.3.7, 8.4
                   Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
                   Application Performance Management versions 6.5, 11.1, 12.1.0.2
                   Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
                   Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
                   Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
                   Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
                   Oracle E-Business Suite Release 11i, version 11.5.10.2
                   Oracle Agile PLM Framework, version 9.3.1.1
                   Oracle PeopleSoft HRMS, versions 9.0, 9.1
                   Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
                   Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
                   Oracle Siebel CRM, versions 8.1.1, 8.2.2
                   Oracle Sun Product Suite
                   Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
                   Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Read-only Data Access           -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-0420 CVE-2013-0418 CVE-2013-0417 CVE-2013-0415
                   CVE-2013-0414 CVE-2013-0407 CVE-2013-0400 CVE-2013-0399
                   CVE-2013-0397 CVE-2013-0396 CVE-2013-0395 CVE-2013-0394
                   CVE-2013-0393 CVE-2013-0392 CVE-2013-0391 CVE-2013-0390
                   CVE-2013-0389 CVE-2013-0388 CVE-2013-0387 CVE-2013-0386
                   CVE-2013-0385 CVE-2013-0384 CVE-2013-0383 CVE-2013-0382
                   CVE-2013-0381 CVE-2013-0380 CVE-2013-0379 CVE-2013-0378
                   CVE-2013-0377 CVE-2013-0376 CVE-2013-0375 CVE-2013-0374
                   CVE-2013-0373 CVE-2013-0372 CVE-2013-0371 CVE-2013-0370
                   CVE-2013-0369 CVE-2013-0368 CVE-2013-0367 CVE-2013-0366
                   CVE-2013-0365 CVE-2013-0364 CVE-2013-0363 CVE-2013-0362
                   CVE-2013-0361 CVE-2013-0360 CVE-2013-0359 CVE-2013-0358
                   CVE-2013-0357 CVE-2013-0356 CVE-2013-0355 CVE-2013-0354
                   CVE-2013-0353 CVE-2013-0352 CVE-2012-5612 CVE-2012-5611
                   CVE-2012-5097 CVE-2012-5096 CVE-2012-5062 CVE-2012-5060
                   CVE-2012-5059 CVE-2012-3220 CVE-2012-3219 CVE-2012-3218
                   CVE-2012-3192 CVE-2012-3190 CVE-2012-3178 CVE-2012-3172
                   CVE-2012-3170 CVE-2012-3169 CVE-2012-3168 CVE-2012-1755
                   CVE-2012-1705 CVE-2012-1702 CVE-2012-1701 CVE-2012-1700
                   CVE-2012-1680 CVE-2012-1678 CVE-2012-1677 CVE-2012-0578
                   CVE-2012-0574 CVE-2012-0572 CVE-2012-0569 CVE-2012-0022
                   CVE-2011-5035
Member content until: Friday, February 15 2013
Reference:         ASB-2012.0060
                   ASB-2012.0009
                   ESB-2012.0937
                   ESB-2012.0682
                   ESB-2012.0321
                   ASB-2012.0024.2
                   ASB-2012.0023.2
                   ESB-2012.0289.4

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]

IMPACT

        Limited impact details have been published by Oracle in their
        Text Form Risk Matrices. [2]

        The Oracle Database Mobile/Lite Server has two vulnerabilities
        with a CVSS score of 10, the highest possible score. [1]

        Oracle states, "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon
        as possible. This Critical Patch Update contains 86 new security
        fixes across the product families listed below." [1]

        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Database Mobile Server, version 11.1.0.0
        Oracle Database Lite Server, version 10.3.0.3
        Oracle Access Manager/Webgate, versions 10.1.4.3.0, 11.1.1.5.0, 11.1.2.0.0
        Oracle GoldenGate Veridata, version 3.0.0.11.0
        Management Pack for Oracle GoldenGate, version 11.1.1.1.0
        Oracle Outside In Technology, versions 8.3.7, 8.4
        Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
        Application Performance Management versions 6.5, 11.1, 12.1.0.2
        Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
        Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
        Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
        Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile PLM Framework, version 9.3.1.1
        Oracle PeopleSoft HRMS, versions 9.0, 9.1
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
        Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
        Oracle Siebel CRM, versions 8.1.1, 8.2.2
        Oracle Sun Product Suite
        Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
        Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier

MITIGATION

        Oracle states, "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon
        as possible."

        Links to the appropriate patches are available at the Oracle
        site. [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2013
            http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

        [2] Text Form of Oracle Critical Patch Update - January 2013 Risk Matrices
            www.oracle.com/technetwork/topics/security/cpujan2013verbose-1897756.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================