-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0057
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               17 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database
                      Oracle Application Express
                      Oracle Containers for J2EE
                      Oracle COREid Access
                      Oracle GoldenGate Veridata
                      Oracle HTTP Server
                      Oracle JRockit
                      Oracle Outside In Technology
                      Oracle WebCenter
                      Oracle WebLogic Server
                      Oracle Web Services Manager
                      Oracle E-Business Suite
                      Oracle Agile EDM
                      Oracle Transportation Management
                      Oracle PeopleSoft HRMS
                      Oracle PeopleSoft PeopleTools
                      Oracle Siebel CRM
                      Oracle Clinical Remote Data Capture Option
                      Oracle Retail Central Office
                      Oracle Retail Integration Bus
                      Oracle FLEXCUBE Direct Banking
                      Primavera P6 Enterprise Project Portfolio Management
                      Oracle and Sun Systems Product Suite
                      Oracle Sun Middleware Products
                      Oracle MySQL Server
                      Oracle Automatic Service Request
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-2441 CVE-2013-2415 CVE-2013-2413
                      CVE-2013-2411 CVE-2013-2410 CVE-2013-2409
                      CVE-2013-2408 CVE-2013-2406 CVE-2013-2405
                      CVE-2013-2404 CVE-2013-2403 CVE-2013-2402
                      CVE-2013-2401 CVE-2013-2399 CVE-2013-2398
                      CVE-2013-2397 CVE-2013-2396 CVE-2013-2395
                      CVE-2013-2393 CVE-2013-2392 CVE-2013-2391
                      CVE-2013-2390 CVE-2013-2389 CVE-2013-2388
                      CVE-2013-2387 CVE-2013-2386 CVE-2013-2385
                      CVE-2013-2382 CVE-2013-2381 CVE-2013-2380
                      CVE-2013-2379 CVE-2013-2378 CVE-2013-2377
                      CVE-2013-2376 CVE-2013-2375 CVE-2013-2374
                      CVE-2013-1570 CVE-2013-1568 CVE-2013-1567
                      CVE-2013-1566 CVE-2013-1565 CVE-2013-1562
                      CVE-2013-1560 CVE-2013-1559 CVE-2013-1556
                      CVE-2013-1555 CVE-2013-1554 CVE-2013-1553
                      CVE-2013-1552 CVE-2013-1551 CVE-2013-1550
                      CVE-2013-1549 CVE-2013-1548 CVE-2013-1547
                      CVE-2013-1546 CVE-2013-1545 CVE-2013-1544
                      CVE-2013-1543 CVE-2013-1542 CVE-2013-1541
                      CVE-2013-1539 CVE-2013-1538 CVE-2013-1537
                      CVE-2013-1536 CVE-2013-1535 CVE-2013-1534
                      CVE-2013-1533 CVE-2013-1532 CVE-2013-1531
                      CVE-2013-1530 CVE-2013-1529 CVE-2013-1528
                      CVE-2013-1527 CVE-2013-1526 CVE-2013-1525
                      CVE-2013-1524 CVE-2013-1523 CVE-2013-1522
                      CVE-2013-1521 CVE-2013-1520 CVE-2013-1519
                      CVE-2013-1517 CVE-2013-1516 CVE-2013-1515
                      CVE-2013-1514 CVE-2013-1513 CVE-2013-1512
                      CVE-2013-1511 CVE-2013-1510 CVE-2013-1509
                      CVE-2013-1508 CVE-2013-1507 CVE-2013-1506
                      CVE-2013-1505 CVE-2013-1504 CVE-2013-1503
                      CVE-2013-1502 CVE-2013-1501 CVE-2013-1499
                      CVE-2013-1498 CVE-2013-1497 CVE-2013-1496
                      CVE-2013-1495 CVE-2013-1494 CVE-2013-0416
                      CVE-2013-0413 CVE-2013-0412 CVE-2013-0411
                      CVE-2013-0410 CVE-2013-0408 CVE-2013-0406
                      CVE-2013-0405 CVE-2013-0404 CVE-2013-0403
                      CVE-2012-5614 CVE-2012-4303 CVE-2012-2751
                      CVE-2012-0841 CVE-2012-0570 CVE-2012-0568
                      CVE-2010-2791 CVE-2010-2068 CVE-2010-0408
                      CVE-2009-2699 CVE-2009-1956 CVE-2009-1955
                      CVE-2009-1890 CVE-2009-1191 CVE-2009-0023
                      CVE-2007-1862  
Member content until: Friday, May 17 2013
Reference:            ESB-2013.0495
                      ESB-2012.0635
                      ESB-2012.0344
                      ASB-2010.0122
                      ASB-2010.0087
                      ASB-2010.0073
                      ASB-2010.0070
                      ASB-2010.0030
                      ESB-2010.1114
                      ASB-2009.1081
                      AA-2009.0103
                      AA-2007.0078
                      ASB-2010.0181.2
                      ESB-2012.0833.2

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]
        
        Oracle states, "This Critical Patch Update contains 128 new security 
        fixes across the product families listed below." [1]
        
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.4, 10.2.0.5
        Oracle Application Express, versions prior to 4.2.1
        Oracle Containers for J2EE, version 10.1.3.5
        Oracle COREid Access, version 10.1.4.3
        Oracle GoldenGate Veridata, version 3.0.0.11
        Oracle HTTP Server, versions 10.1.3.5.0, 11.1.1.5.0, 11.1.1.6.0
        Oracle JRockit, versions R27.7.4 and earlier, R28.2.6 and earlier
        Oracle Outside In Technology, versions 8.3.7, 8.4.0
        Oracle WebCenter Capture, version 10.1.3.5.1
        Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0
        Oracle WebCenter Interaction, versions 6.5.1, 10.3.3.0
        Oracle WebCenter Sites, versions 7.6.2, 11.1.1.6.0, 11.1.1.6.1
        Oracle WebLogic Server, versions 10.0.2, 10.3.5, 10.3.6, 12.1.1
        Oracle Web Services Manager, version 11.1.1.6
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 
          12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile EDM, versions 6.1.1.0, 6.1.2.0, 6.1.2.2
        Oracle Transportation Management, versions 5.5.05, 6.2
        Oracle PeopleSoft HRMS, version 9.1
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53
        Oracle Siebel CRM, versions 8.1.1, 8.2.2
        Oracle Clinical Remote Data Capture Option, versions 4.6.0, 4.6.6
        Oracle Retail Central Office, versions 13.1, 13.2, 13.3, 13.4
        Oracle Retail Integration Bus, versions 13.0, 13.1, 13.2
        Oracle FLEXCUBE Direct Banking, versions 2.8.0 - 12.0.1
        Primavera P6 Enterprise Project Portfolio Management, versions 7.0,
          8.1, 8.2
        Oracle and Sun Systems Product Suite
        Oracle Sun Middleware Products
        Oracle MySQL Server, versions 5.1, 5.5, 5.6
        Oracle Automatic Service Request, versions prior to 4.3.2


IMPACT

        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


MITIGATION

        Oracle states, "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon as possible."
                
        Links to the appropriate patches are available at the Oracle site. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2013
            http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

        [2] Text Form of Oracle Critical Patch Update - April 2013 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuapril2013verbose-1899563.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUW41Hu4yVqjM2NGpAQKO8g/+IXuuvSRVFjsnAmGmJtHf/SGldChelDT8
YEekXhOLy/bI5zNlSQSXS7OcN0Q1Lp+YlOPar0QUoDw/CX1qX+ilieUx6B3FaE3W
hr1vgYpacHIbHsiByCpi0aKx3pEmyP9GRdc0+7gF8+7HIEWLS+uo/HgO7bbVrsHG
AgGxIMNAXmumDoNIV3jbAiWPhhbql+N4KLUA/TCoqYxqz6SaLoOgkdanxHFar0ZL
XXtYGTQgbRx3s0z3pH2F4eS8k18stYMZBN+pR9qxoXZ/FnmrCJb5CAaInUvgRAZG
p0bVorILMkloQ4O31eWEstvgyHyIak2/BD4/NX0OBTIJ41Uapfamac+lZoQlQwp2
ZUR0dnMb7fSfNxHpVrvu65eWeeIR1vMgHbkp6mHPQTemuvMKa3c0ZUX1PpepxbNJ
ioaink0k3PghWjAz0R8/fSIeegOUor/vg/8UvGDmTqozQ40AEa+4aRBRsyAj8sUB
LrsHd2bkxw73VVgWkFS+0/ybBq9mkFAYaKJXS5AD8KhewEfi2237P3fRSQCj2Ekt
q20WajmUc8GXt0J3HuWRHnwgSFL4iMAbQbqFkGYew7YOB5UrEImUrsHM2c75Cxkw
wdcOvBRi/VxeajfuiWlCllkrhxxw1YhGgsSBKWkAHrQKJV0IDJBpVy8ZdxRzcqJ+
ZfkSa82tZCI=
=PZan
-----END PGP SIGNATURE-----