-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                         ASB-2013.0057
   Oracle have released updates which correct vulnerabilities in numerous
                               products
                             17 April 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Database
                   Oracle Application Express
                   Oracle Containers for J2EE
                   Oracle COREid Access
                   Oracle GoldenGate Veridata
                   Oracle HTTP Server
                   Oracle JRockit
                   Oracle Outside In Technology
                   Oracle WebCenter
                   Oracle WebLogic Server
                   Oracle Web Services Manager
                   Oracle E-Business Suite
                   Oracle Agile EDM
                   Oracle Transportation Management
                   Oracle PeopleSoft HRMS
                   Oracle PeopleSoft PeopleTools
                   Oracle Siebel CRM
                   Oracle Clinical Remote Data Capture Option
                   Oracle Retail Central Office
                   Oracle Retail Integration Bus
                   Oracle FLEXCUBE Direct Banking
                   Primavera P6 Enterprise Project Portfolio Management
                   Oracle and Sun Systems Product Suite
                   Oracle Sun Middleware Products
                   Oracle MySQL Server
                   Oracle Automatic Service Request
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-2441 CVE-2013-2415 CVE-2013-2413 CVE-2013-2411
                   CVE-2013-2410 CVE-2013-2409 CVE-2013-2408 CVE-2013-2406
                   CVE-2013-2405 CVE-2013-2404 CVE-2013-2403 CVE-2013-2402
                   CVE-2013-2401 CVE-2013-2399 CVE-2013-2398 CVE-2013-2397
                   CVE-2013-2396 CVE-2013-2395 CVE-2013-2393 CVE-2013-2392
                   CVE-2013-2391 CVE-2013-2390 CVE-2013-2389 CVE-2013-2388
                   CVE-2013-2387 CVE-2013-2386 CVE-2013-2385 CVE-2013-2382
                   CVE-2013-2381 CVE-2013-2380 CVE-2013-2379 CVE-2013-2378
                   CVE-2013-2377 CVE-2013-2376
                   CVE-2013-2375 CVE-2013-2374 CVE-2013-1570 CVE-2013-1568
                   CVE-2013-1567 CVE-2013-1566 CVE-2013-1565 CVE-2013-1562
                   CVE-2013-1560 CVE-2013-1559 CVE-2013-1556 CVE-2013-1555
                   CVE-2013-1554 CVE-2013-1553 CVE-2013-1552 CVE-2013-1551
                   CVE-2013-1550 CVE-2013-1549 CVE-2013-1548 CVE-2013-1547
                   CVE-2013-1546 CVE-2013-1545 CVE-2013-1544 CVE-2013-1543
                   CVE-2013-1542 CVE-2013-1541 CVE-2013-1539 CVE-2013-1538
                   CVE-2013-1537 CVE-2013-1536 CVE-2013-1535 CVE-2013-1534
                   CVE-2013-1533 CVE-2013-1532 CVE-2013-1531 CVE-2013-1530
                   CVE-2013-1529 CVE-2013-1528 CVE-2013-1527 CVE-2013-1526
                   CVE-2013-1525 CVE-2013-1524 CVE-2013-1523 CVE-2013-1522
                   CVE-2013-1521 CVE-2013-1520 CVE-2013-1519 CVE-2013-1517
                   CVE-2013-1516 CVE-2013-1515 CVE-2013-1514 CVE-2013-1513
                   CVE-2013-1512 CVE-2013-1511 CVE-2013-1510 CVE-2013-1509
                   CVE-2013-1508 CVE-2013-1507 CVE-2013-1506 CVE-2013-1505
                   CVE-2013-1504 CVE-2013-1503 CVE-2013-1502 CVE-2013-1501
                   CVE-2013-1499 CVE-2013-1498 CVE-2013-1497 CVE-2013-1496
                   CVE-2013-1495 CVE-2013-1494 CVE-2013-0416 CVE-2013-0413
                   CVE-2013-0412 CVE-2013-0411 CVE-2013-0410 CVE-2013-0408
                   CVE-2013-0406 CVE-2013-0405 CVE-2013-0404 CVE-2013-0403
                   CVE-2012-5614 CVE-2012-4303 CVE-2012-2751 CVE-2012-0841
                   CVE-2012-0570 CVE-2012-0568 CVE-2010-2791 CVE-2010-2068
                   CVE-2010-0408 CVE-2009-2699 CVE-2009-1956 CVE-2009-1955
                   CVE-2009-1890 CVE-2009-1191 CVE-2009-0023 CVE-2007-1862
Member content until: Friday, May 17 2013
Reference:         ESB-2013.0495
                   ESB-2012.0635
                   ESB-2012.0344
                   ASB-2010.0122
                   ASB-2010.0087
                   ASB-2010.0073
                   ASB-2010.0070
                   ASB-2010.0030
                   ESB-2010.1114
                   ASB-2009.1081
                   AA-2009.0103
                   AA-2007.0078
                   ASB-2010.0181.2
                   ESB-2012.0833.2

OVERVIEW

        Oracle have released updates which correct vulnerabilities in
        numerous products. [1]

        Oracle states, "This Critical Patch Update contains 128 new
        security fixes across the product families listed below."
        [1]

        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.4, 10.2.0.5
        Oracle Application Express, versions prior to 4.2.1
        Oracle Containers for J2EE, version 10.1.3.5
        Oracle COREid Access, version 10.1.4.3
        Oracle GoldenGate Veridata, version 3.0.0.11
        Oracle HTTP Server, versions 10.1.3.5.0, 11.1.1.5.0, 11.1.1.6.0
        Oracle JRockit, versions R27.7.4 and earlier, R28.2.6 and earlier
        Oracle Outside In Technology, versions 8.3.7, 8.4.0
        Oracle WebCenter Capture, version 10.1.3.5.1
        Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0
        Oracle WebCenter Interaction, versions 6.5.1, 10.3.3.0
        Oracle WebCenter Sites, versions 7.6.2, 11.1.1.6.0, 11.1.1.6.1
        Oracle WebLogic Server, versions 10.0.2, 10.3.5, 10.3.6, 12.1.1
        Oracle Web Services Manager, version 11.1.1.6
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile EDM, versions 6.1.1.0, 6.1.2.0, 6.1.2.2
        Oracle Transportation Management, versions 5.5.05, 6.2
        Oracle PeopleSoft HRMS, version 9.1
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53
        Oracle Siebel CRM, versions 8.1.1, 8.2.2
        Oracle Clinical Remote Data Capture Option, versions 4.6.0, 4.6.6
        Oracle Retail Central Office, versions 13.1, 13.2, 13.3, 13.4
        Oracle Retail Integration Bus, versions 13.0, 13.1, 13.2
        Oracle FLEXCUBE Direct Banking, versions 2.8.0 - 12.0.1
        Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.1, 8.2
        Oracle and Sun Systems Product Suite
        Oracle Sun Middleware Products
        Oracle MySQL Server, versions 5.1, 5.5, 5.6
        Oracle Automatic Service Request, versions prior to 4.3.2

IMPACT

        Limited impact details have been published by Oracle in their
        Text Form Risk Matrices. [2]

MITIGATION

        Oracle states, "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon
        as possible."
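        The affected-product list above mixes four notations: an explicit
        list of versions or release branches ("11.2.0.2, 11.2.0.3",
        "5.1, 5.5, 5.6"), an exclusive upper bound ("prior to 4.2.1"), an
        inclusive upper bound per release line ("R27.7.4 and earlier,
        R28.2.6 and earlier") and an inclusive range ("2.8.0 - 12.0.1"),
        plus a few products with no version clause at all. The script
        below turns those lines into rules and checks an installed-software
        inventory against them. It is an added example, not code from
        AusCERT or Oracle; the advisory lines it parses are copied from this
        bulletin, the inventory is constructed, and the reading of a bare
        version such as "5.5" as a whole release branch is an assumption
        stated in the code.

```python
"""Operationalise the affected-version list of an AusCERT/Oracle CPU
bulletin: parse each "Product, versions ..." line into rules and test an
installed-software inventory against them.

Added example; not part of the AusCERT bulletin or Oracle's advisory.
The inventory below is constructed for illustration.
"""
import re

# Affected-product lines copied from the bulletin's OVERVIEW (a subset),
# chosen so that every notation the bulletin uses appears once.
ADVISORY_LINES = [
    "Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3",
    "Oracle Application Express, versions prior to 4.2.1",
    "Oracle JRockit, versions R27.7.4 and earlier, R28.2.6 and earlier",
    "Oracle WebLogic Server, versions 10.0.2, 10.3.5, 10.3.6, 12.1.1",
    "Oracle FLEXCUBE Direct Banking, versions 2.8.0 - 12.0.1",
    "Oracle MySQL Server, versions 5.1, 5.5, 5.6",
    "Oracle and Sun Systems Product Suite",  # no version clause at all
]

# Constructed inventory: (host, product name as in the bulletin, version).
INVENTORY = [
    ("db01", "Oracle Database 11g Release 2", "11.2.0.3"),
    ("db02", "Oracle Database 11g Release 2", "11.2.0.4"),
    ("apex1", "Oracle Application Express", "4.1.1"),
    ("apex2", "Oracle Application Express", "4.2.1"),
    ("jvm1", "Oracle JRockit", "R28.2.5"),
    ("jvm2", "Oracle JRockit", "R28.2.7"),
    ("wls1", "Oracle WebLogic Server", "10.3.6"),
    ("bank1", "Oracle FLEXCUBE Direct Banking", "12.0.2"),
    ("mysql1", "Oracle MySQL Server", "5.5.30"),
    ("sun1", "Oracle and Sun Systems Product Suite", "n/a"),
]


def parse_version(text):
    """'R28.2.6' -> (28, 2, 6): keep the numeric part of each dotted
    component so Oracle's lettered release names compare numerically."""
    key = []
    for part in text.strip().split("."):
        digits = re.search(r"\d+", part)
        key.append(int(digits.group()) if digits else 0)
    return tuple(key)


def parse_line(line):
    """Split a bulletin line into (product, [rule, ...]).

    Rule kinds: ('before', v) for 'prior to v', ('upto', v) for
    'v and earlier', ('range', lo, hi) for 'lo - hi', ('branch', v) for a
    bare version, and ('any',) when the line carries no version clause."""
    m = re.match(r"^(.*?),\s+versions?\s+(.*)$", line.strip())
    if not m:
        return line.strip(), [("any",)]
    product, spec = m.group(1).strip(), m.group(2)
    rules = []
    for clause in (c.strip() for c in spec.split(",")):
        if clause.startswith("prior to "):
            rules.append(("before", parse_version(clause[len("prior to "):])))
        elif clause.endswith(" and earlier"):
            rules.append(("upto", parse_version(clause[:-len(" and earlier")])))
        elif " - " in clause:
            lo, hi = clause.split(" - ", 1)
            rules.append(("range", parse_version(lo), parse_version(hi)))
        else:
            rules.append(("branch", parse_version(clause)))
    return product, rules


def is_affected(installed, rules):
    """True if the installed version falls under any rule for the product."""
    v = parse_version(installed)
    for rule in rules:
        kind = rule[0]
        if kind == "any":
            return True  # no version filter in the bulletin: treat as affected
        if kind == "before" and v < rule[1]:
            return True
        # 'X and earlier' is read within X's release line (JRockit lists
        # R27 and R28 separately), so the first component must match.
        if kind == "upto" and v[0] == rule[1][0] and v <= rule[1]:
            return True
        if kind == "range" and rule[1] <= v <= rule[2]:
            return True
        # Assumption: a bare version such as '5.5' names a release branch,
        # so anything whose version starts with it is flagged (conservative).
        if kind == "branch" and v[: len(rule[1])] == rule[1]:
            return True
    return False


def check_inventory(inventory, advisory_lines=ADVISORY_LINES):
    """Return the (host, product, version) entries the bulletin covers."""
    rules_by_product = dict(parse_line(line) for line in advisory_lines)
    return [
        (host, product, version)
        for host, product, version in inventory
        if product in rules_by_product
        and is_affected(version, rules_by_product[product])
    ]


if __name__ == "__main__":
    for host, product, version in check_inventory(INVENTORY):
        print(f"{host}: {product} {version} is listed in ASB-2013.0057")
```

        On the constructed inventory this flags db01, apex1, jvm1, wls1,
        mysql1 and sun1, and leaves db02 (11.2.0.4 is not listed), apex2
        (4.2.1 is not prior to 4.2.1), jvm2 (later than R28.2.6) and bank1
        (above the 12.0.1 range end) alone. Anything flagged through the
        'any' rule still has to be checked by hand against the Oracle risk
        matrices [2], because the bulletin gives no version filter for it.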
        Links to the appropriate patches are available at the Oracle
        site. [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2013
            http://www.oracle.com/technetwork/topics/security/cpuapr2013-1899555.html

        [2] Text Form of Oracle Critical Patch Update - April 2013 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpuapril2013verbose-1899563.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUW41Hu4yVqjM2NGpAQKO8g/+IXuuvSRVFjsnAmGmJtHf/SGldChelDT8
YEekXhOLy/bI5zNlSQSXS7OcN0Q1Lp+YlOPar0QUoDw/CX1qX+ilieUx6B3FaE3W
hr1vgYpacHIbHsiByCpi0aKx3pEmyP9GRdc0+7gF8+7HIEWLS+uo/HgO7bbVrsHG
AgGxIMNAXmumDoNIV3jbAiWPhhbql+N4KLUA/TCoqYxqz6SaLoOgkdanxHFar0ZL
XXtYGTQgbRx3s0z3pH2F4eS8k18stYMZBN+pR9qxoXZ/FnmrCJb5CAaInUvgRAZG
p0bVorILMkloQ4O31eWEstvgyHyIak2/BD4/NX0OBTIJ41Uapfamac+lZoQlQwp2
ZUR0dnMb7fSfNxHpVrvu65eWeeIR1vMgHbkp6mHPQTemuvMKa3c0ZUX1PpepxbNJ
ioaink0k3PghWjAz0R8/fSIeegOUor/vg/8UvGDmTqozQ40AEa+4aRBRsyAj8sUB
LrsHd2bkxw73VVgWkFS+0/ybBq9mkFAYaKJXS5AD8KhewEfi2237P3fRSQCj2Ekt
q20WajmUc8GXt0J3HuWRHnwgSFL4iMAbQbqFkGYew7YOB5UrEImUrsHM2c75Cxkw
wdcOvBRi/VxeajfuiWlCllkrhxxw1YhGgsSBKWkAHrQKJV0IDJBpVy8ZdxRzcqJ+
ZfkSa82tZCI=
=PZan
-----END PGP SIGNATURE-----