===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0007
       Oracle have released 86 updates which correct vulnerabilities
                              16 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
                      Oracle Database 11g Release 1, version 11.1.0.7
                      Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
                      Oracle Database Mobile Server, version 11.1.0.0
                      Oracle Database Lite Server, version 10.3.0.3
                      Oracle Access Manager/Webgate, versions 10.1.4.3.0, 11.1.1.5.0, 11.1.2.0.0
                      Oracle GoldenGate Veridata, version 3.0.0.11.0
                      Management Pack for Oracle GoldenGate, version 11.1.1.1.0
                      Oracle Outside In Technology, versions 8.3.7, 8.4
                      Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
                      Application Performance Management versions 6.5, 11.1, 12.1.0.2
                      Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
                      Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
                      Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
                      Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
                      Oracle E-Business Suite Release 11i, version 11.5.10.2
                      Oracle Agile PLM Framework, version 9.3.1.1
                      Oracle PeopleSoft HRMS, versions 9.0, 9.1
                      Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
                      Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
                      Oracle Siebel CRM, versions 8.1.1, 8.2.2
                      Oracle Sun Product Suite
                      Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
                      Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Read-only Data Access           -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-0420 CVE-2013-0418 CVE-2013-0417
                      CVE-2013-0415 CVE-2013-0414 CVE-2013-0407
                      CVE-2013-0400 CVE-2013-0399 CVE-2013-0397
                      CVE-2013-0396 CVE-2013-0395 CVE-2013-0394
                      CVE-2013-0393 CVE-2013-0392 CVE-2013-0391
                      CVE-2013-0390 CVE-2013-0389 CVE-2013-0388
                      CVE-2013-0387 CVE-2013-0386 CVE-2013-0385
                      CVE-2013-0384 CVE-2013-0383 CVE-2013-0382
                      CVE-2013-0381 CVE-2013-0380 CVE-2013-0379
                      CVE-2013-0378 CVE-2013-0377 CVE-2013-0376
                      CVE-2013-0375 CVE-2013-0374 CVE-2013-0373
                      CVE-2013-0372 CVE-2013-0371 CVE-2013-0370
                      CVE-2013-0369 CVE-2013-0368 CVE-2013-0367
                      CVE-2013-0366 CVE-2013-0365 CVE-2013-0364
                      CVE-2013-0363 CVE-2013-0362 CVE-2013-0361
                      CVE-2013-0360 CVE-2013-0359 CVE-2013-0358
                      CVE-2013-0357 CVE-2013-0356 CVE-2013-0355
                      CVE-2013-0354 CVE-2013-0353 CVE-2013-0352
                      CVE-2012-5612 CVE-2012-5611 CVE-2012-5097
                      CVE-2012-5096 CVE-2012-5062 CVE-2012-5060
                      CVE-2012-5059 CVE-2012-3220 CVE-2012-3219
                      CVE-2012-3218 CVE-2012-3192 CVE-2012-3190
                      CVE-2012-3178 CVE-2012-3172 CVE-2012-3170
                      CVE-2012-3169 CVE-2012-3168 CVE-2012-1755
                      CVE-2012-1705 CVE-2012-1702 CVE-2012-1701
                      CVE-2012-1700 CVE-2012-1680 CVE-2012-1678
                      CVE-2012-1677 CVE-2012-0578 CVE-2012-0574
                      CVE-2012-0572 CVE-2012-0569 CVE-2012-0022
                      CVE-2011-5035
Member content until: Friday, February 15 2013
Reference:            ASB-2012.0060
                      ASB-2012.0009
                      ESB-2012.0937
                      ESB-2012.0682
                      ESB-2012.0321
                      ASB-2012.0024.2
                      ASB-2012.0023.2
                      ESB-2012.0289.4

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]


IMPACT

        Limited impact details have been published by Oracle in their Text Form 
        Risk Matrices. [2]
        
        Two of the vulnerabilities in Oracle Database Mobile/Lite Server have a
        CVSS score of 10, the highest possible score. [1]
        
        Oracle states, "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon as possible.
        This Critical Patch Update contains 86 new security fixes across the
        product families listed below." [1]
        
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
        Oracle Database Mobile Server, version 11.1.0.0
        Oracle Database Lite Server, version 10.3.0.3
        Oracle Access Manager/Webgate, versions 10.1.4.3.0, 11.1.1.5.0, 11.1.2.0.0
        Oracle GoldenGate Veridata, version 3.0.0.11.0
        Management Pack for Oracle GoldenGate, version 11.1.1.1.0
        Oracle Outside In Technology, versions 8.3.7, 8.4
        Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
        Application Performance Management versions 6.5, 11.1, 12.1.0.2
        Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
        Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
        Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
        Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile PLM Framework, version 9.3.1.1
        Oracle PeopleSoft HRMS, versions 9.0, 9.1
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
        Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
        Oracle Siebel CRM, versions 8.1.1, 8.2.2
        Oracle Sun Product Suite
        Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
        Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier
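        A practical first step for a defender is to match an installed-version
        inventory against the list above. The following Python is an added
        example, not AusCERT's or Oracle's code; it transcribes a subset of the
        affected versions from this bulletin, treats "X and earlier" as a numeric
        ceiling on the same major.minor line, and assumes (as a labelled
        simplification) that a short listed version such as VirtualBox "4.2"
        covers every 4.2.x release. The inventory rows are constructed sample data.

```python
import re

# Affected versions as stated in this bulletin (subset). A plain version means
# "this release is listed"; "X and earlier" means every release at or below X
# on the same major.minor line.
AFFECTED = {
    "Oracle Database": ("11.2.0.2", "11.2.0.3", "11.1.0.7",
                        "10.2.0.3", "10.2.0.4", "10.2.0.5"),
    "Oracle WebLogic Server": ("9.2.4", "10.0.2", "10.3.5", "10.3.6", "12.1.1"),
    "Oracle VM VirtualBox": ("4.0", "4.1", "4.2"),
    "Oracle MySQL Server": ("5.1.66 and earlier", "5.5.28 and earlier"),
}

def parse_version(s):
    """'11.2.0.3' -> (11, 2, 0, 3): keeps only the numeric components so that
    comparison is numeric (5.1.9 < 5.1.66), not lexical ('5.1.9' > '5.1.66')."""
    return tuple(int(p) for p in re.findall(r"\d+", s))

def is_affected(product, installed):
    """True if the installed version is listed, or is at or below an
    'X and earlier' ceiling on the same major.minor release line."""
    inst = parse_version(installed)
    for entry in AFFECTED.get(product, ()):
        if entry.endswith("and earlier"):
            ceiling = parse_version(entry)
            if inst[:2] == ceiling[:2] and inst <= ceiling:
                return True
        else:
            listed = parse_version(entry)
            # Assumption: a listed "4.2" covers 4.2.x (prefix match).
            if inst[:len(listed)] == listed:
                return True
    return False

def triage(inventory):
    """Return the (host, product, version) rows that match the bulletin."""
    return [row for row in inventory if is_affected(row[1], row[2])]

# Constructed sample inventory (not taken from the bulletin).
INVENTORY = [
    ("db01", "Oracle Database", "11.2.0.3"),
    ("db02", "Oracle Database", "11.2.0.4"),      # not a listed version
    ("my01", "Oracle MySQL Server", "5.5.28"),
    ("my02", "Oracle MySQL Server", "5.5.29"),    # above the 5.5.28 ceiling
    ("my03", "Oracle MySQL Server", "5.1.9"),     # numerically below 5.1.66
    ("vb01", "Oracle VM VirtualBox", "4.2.6"),
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} matches the bulletin")
```

        Versions the bulletin does not list (such as 11.2.0.4 above) are simply
        not flagged; that is not a statement that they are fixed.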


MITIGATION

        Oracle states, "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon as possible."
        
        Links to the appropriate patches are available at the Oracle site. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2013
            http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html

        [2] Text Form of Oracle Critical Patch Update - January 2013 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpujan2013verbose-1897756.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================