
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0086
       Oracle has released updates which correct vulnerabilities in
                             numerous products
                               18 July 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database Server
                      Oracle Fusion Middleware
                      Oracle Hyperion
                      Oracle Enterprise Manager Grid Control
                      Oracle E-Business Suite
                      Oracle Supply Chain Products Suite
                      Oracle PeopleSoft Products
                      Oracle iLearning
                      Oracle Industry Applications
                      Oracle and Sun Systems Products Suite
                      Oracle Virtualization
                      Oracle MySQL
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-3825 CVE-2013-3824 CVE-2013-3823
                      CVE-2013-3822 CVE-2013-3821 CVE-2013-3820
                      CVE-2013-3819 CVE-2013-3818 CVE-2013-3816
                      CVE-2013-3813 CVE-2013-3812 CVE-2013-3811
                      CVE-2013-3810 CVE-2013-3809 CVE-2013-3808
                      CVE-2013-3807 CVE-2013-3806 CVE-2013-3805
                      CVE-2013-3804 CVE-2013-3803 CVE-2013-3802
                      CVE-2013-3801 CVE-2013-3800 CVE-2013-3799
                      CVE-2013-3798 CVE-2013-3797 CVE-2013-3796
                      CVE-2013-3795 CVE-2013-3794 CVE-2013-3793
                      CVE-2013-3791 CVE-2013-3790 CVE-2013-3789
                      CVE-2013-3788 CVE-2013-3787 CVE-2013-3786
                      CVE-2013-3784 CVE-2013-3783 CVE-2013-3782
                      CVE-2013-3781 CVE-2013-3780 CVE-2013-3779
                      CVE-2013-3778 CVE-2013-3777 CVE-2013-3776
                      CVE-2013-3775 CVE-2013-3774 CVE-2013-3773
                      CVE-2013-3772 CVE-2013-3771 CVE-2013-3770
                      CVE-2013-3769 CVE-2013-3768 CVE-2013-3767
                      CVE-2013-3765 CVE-2013-3764 CVE-2013-3763
                      CVE-2013-3761 CVE-2013-3760 CVE-2013-3759
                      CVE-2013-3758 CVE-2013-3757 CVE-2013-3756
                      CVE-2013-3755 CVE-2013-3754 CVE-2013-3753
                      CVE-2013-3752 CVE-2013-3751 CVE-2013-3750
                      CVE-2013-3749 CVE-2013-3748 CVE-2013-3747
                      CVE-2013-3746 CVE-2013-3745 CVE-2013-2461
                      CVE-2013-1861 CVE-2013-0398 CVE-2012-2687
                      CVE-2011-3348 CVE-2011-0419 CVE-2010-2068
                      CVE-2010-0434 CVE-2010-0425 CVE-2008-2364
                      CVE-2007-6388 CVE-2007-5000 CVE-2007-3847
                      CVE-2006-5752 CVE-2005-3352 
Member content until: Saturday, August 17 2013
Reference:            ASB-2013.0075
                      ASB-2013.0057
                      ESB-2013.0976
                      ESB-2013.0923
                      ESB-2013.0874
                      ESB-2013.0873
                      ASB-2012.0103
                      ESB-2012.0991
                      ESB-2012.0799
                      ESB-2011.1104
                      ESB-2011.0668
                      ESB-2011.0552
                      ESB-2011.0523
                      ESB-2011.0314
                      ASB-2010.0122
                      ASB-2010.0087
                      ESB-2010.0531
                      ESB-2009.1211
                      ESB-2009.0317
                      ESB-2008.0074
                      AA-2007.0078
                      ESB-2007.0468
                      ESB-2006.0430
                      ESB-2006.0006
                      ASB-2011.0076.2
                      ASB-2010.0181.2
                      ESB-2010.1039.2
                      ESB-2010.0871.2
                      ESB-2010.0842.2

OVERVIEW

        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]
        
        Oracle states, "This Critical Patch Update contains 89 new security 
        fixes across the product families listed below." [1]
        
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 10g Release 2, versions 10.2.0.4, 10.2.0.5
        Oracle Access Manager, versions 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0
        Oracle Endeca Server, versions 7.4.0, 7.5.1.1
        Oracle HTTP Server, versions 10.1.3.5.0
        Oracle JRockit, versions R27.7.5 and earlier, R28.2.7 and earlier
        Oracle Outside In Technology, versions 8.3.7, 8.4.0, 8.4.1
        Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0
        Oracle Hyperion BI, versions 11.1.1.3, 11.1.1.4.107 and earlier,
          11.1.2.1.129 and earlier, 11.1.2.2.305 and earlier
        Enterprise Manager Plugin for Database 12c Release 1, versions
          12.1.0.2, 12.1.0.3
        Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
        Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2,
          12.1.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle Agile Collaboration Framework, version 9.3.1
        Oracle Agile PLM Framework, version 9.3.1
        Oracle Agile Product Framework, version 9.3.1
        Oracle PeopleSoft Enterprise Portal, version 9.1
        Oracle PeopleSoft HRMS, version 9.1
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53
        Oracle iLearning, versions 5.2.1, 6.0
        Oracle Policy Automation, versions 10.2.0, 10.3.0, 10.3.1, 10.4.0,
          10.4.1, 10.4.2
        Oracle and Sun Systems Product Suite
        Oracle Secure Global Desktop, versions 4.6 prior to 4.63, 4.7 prior to
          4.71
        Oracle MySQL Server, versions 5.1, 5.5, 5.6


IMPACT

        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


MITIGATION

        Oracle states, "Due to the threat posed by a successful attack, Oracle
        strongly recommends that customers apply CPU fixes as soon as 
        possible." [1]
        
        Links to the appropriate patches are available at the Oracle site. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2013
            http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html

        [2] Text Form of Oracle Critical Patch Update - July 2013 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpujuly2013verbose-1899830.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================