-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2013.0113
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              16 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database
                      Oracle Fusion Middleware
                      Oracle Access Manager
                      Oracle Forms and Reports
                      Oracle GlassFish Server
                      Oracle HTTP Server
                      Oracle Identity Analytics
                      Oracle Identity Manager
                      Oracle JDeveloper
                      Oracle Outside In Technology
                      Oracle Portal
                      Oracle Web Cache
                      Oracle WebCenter Content
                      Oracle WebLogic Server
                      Oracle Web Services
                      Oracle Enterprise Manager Grid Control
                      Oracle Enterprise Manager Plugin for Database
                      Oracle E-Business Suite
                      Oracle Agile PLM Framework
                      Oracle Transportation Management
                      Oracle PeopleSoft HRMS
                      Oracle PeopleSoft HRMS eCompensation
                      Oracle PeopleSoft PeopleTools
                      Oracle Siebel Core
                      Oracle Siebel Server Remote
                      Oracle Siebel UI Framework
                      Oracle iLearning
                      Oracle Health Sciences InForm
                      Oracle Siebel CTMS
                      Oracle Retail Invoice Matching
                      Oracle FLEXCUBE Private Banking
                      Oracle Instantis EnterpriseTrack
                      Oracle Primavera P6 Enterprise Project Portfolio Management
                      Oracle JavaFX
                      Oracle Java JDK and JRE
                      Oracle Java SE Embedded
                      Oracle JRockit
                      Oracle Solaris
                      Oracle SPARC Enterprise T series and M Series Servers Firmware
                      Oracle Sun Blade
                      Oracle Secure Global Desktop
                      Oracle VM VirtualBox
                      Oracle MySQL Server
                      Oracle MySQL Enterprise Monitor
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Platform:             SPARC
                      IA-32
                      IA-64
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2013-5867 CVE-2013-5866 CVE-2013-5865
                      CVE-2013-5864 CVE-2013-5863 CVE-2013-5862
                      CVE-2013-5861 CVE-2013-5859 CVE-2013-5857
                      CVE-2013-5856 CVE-2013-5854 CVE-2013-5852
                      CVE-2013-5851 CVE-2013-5850 CVE-2013-5849
                      CVE-2013-5848 CVE-2013-5847 CVE-2013-5846
                      CVE-2013-5845 CVE-2013-5844 CVE-2013-5843
                      CVE-2013-5842 CVE-2013-5841 CVE-2013-5840
                      CVE-2013-5839 CVE-2013-5838 CVE-2013-5837
                      CVE-2013-5836 CVE-2013-5835 CVE-2013-5832
                      CVE-2013-5831 CVE-2013-5830 CVE-2013-5829
                      CVE-2013-5828 CVE-2013-5827 CVE-2013-5826
                      CVE-2013-5825 CVE-2013-5824 CVE-2013-5823
                      CVE-2013-5822 CVE-2013-5820 CVE-2013-5819
                      CVE-2013-5818 CVE-2013-5817 CVE-2013-5816
                      CVE-2013-5815 CVE-2013-5814 CVE-2013-5813
                      CVE-2013-5812 CVE-2013-5811 CVE-2013-5810
                      CVE-2013-5809 CVE-2013-5807 CVE-2013-5806
                      CVE-2013-5805 CVE-2013-5804 CVE-2013-5803
                      CVE-2013-5802 CVE-2013-5801 CVE-2013-5800
                      CVE-2013-5799 CVE-2013-5798 CVE-2013-5797
                      CVE-2013-5796 CVE-2013-5794 CVE-2013-5793
                      CVE-2013-5792 CVE-2013-5791 CVE-2013-5790
                      CVE-2013-5789 CVE-2013-5788 CVE-2013-5787
                      CVE-2013-5786 CVE-2013-5784 CVE-2013-5783
                      CVE-2013-5782 CVE-2013-5781 CVE-2013-5780
                      CVE-2013-5779 CVE-2013-5778 CVE-2013-5777
                      CVE-2013-5776 CVE-2013-5775 CVE-2013-5774
                      CVE-2013-5773 CVE-2013-5772 CVE-2013-5771
                      CVE-2013-5770 CVE-2013-5769 CVE-2013-5768
                      CVE-2013-5767 CVE-2013-5766 CVE-2013-5765
                      CVE-2013-5762 CVE-2013-5761 CVE-2013-4002
                      CVE-2013-3842 CVE-2013-3841 CVE-2013-3840
                      CVE-2013-3839 CVE-2013-3838 CVE-2013-3837
                      CVE-2013-3836 CVE-2013-3835 CVE-2013-3834
                      CVE-2013-3833 CVE-2013-3832 CVE-2013-3831
                      CVE-2013-3829 CVE-2013-3828 CVE-2013-3827
                      CVE-2013-3826 CVE-2013-3814 CVE-2013-3792
                      CVE-2013-3785 CVE-2013-3766 CVE-2013-3762
                      CVE-2013-3624 CVE-2013-2251 CVE-2013-2172
                      CVE-2013-0169 CVE-2013-0149 CVE-2012-2750
                      CVE-2011-3389
Member content until: Friday, November 15 2013
Reference:            ASB-2013.0025
                      ESB-2013.0204
                      ESB-2013.0183
                      ASB-2012.0016
                      ASB-2012.0003
                      ASB-2011.0092

OVERVIEW

        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]
        
        Oracle states, "This Critical Patch Update contains 127 new security 
        fixes (including 51 Java fixes) across the product families listed 
        below." [1]
        
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 12c Release 1, version 12.1.0.1
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
        Oracle Access Manager, versions 11.1.1.5.0, 11.1.2.0.0
        Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
        Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2
        Oracle HTTP Server 12c, version 12.1.2
        Oracle Identity Analytics, version 11.1.1.5; Sun Role Manager, 
           versions 4.1, 5.0
        Oracle Identity Manager, versions 11.1.2.0.0, 11.1.2.1.0
        Oracle JDeveloper, versions 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0
        Oracle Outside In Technology, versions 8.4.0, 8.4.1
        Oracle Portal, version 11.1.1.6.0
        Oracle Web Cache, versions 11.1.1.6, 11.1.1.7
        Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0, 
           11.1.1.8.0
        Oracle WebLogic Server, versions 10.3.6.0, 12.1.1.0
        Oracle Web Services, versions 10.1.3.5, 11.1.1.6.0
        Oracle Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
        Oracle Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
        Oracle Enterprise Manager Plugin for Database 12c Release 1, versions 
           12.1.0.2, 12.1.0.3, 12.1.0.4
        Oracle E-Business Suite Release 12i, version 12.1
        Oracle Agile PLM Framework, version 9.3.2
        Oracle Transportation Management, versions 6.2, 6.3, 6.3.1, 6.3.2
        Oracle PeopleSoft HRMS, version 9.1
        Oracle PeopleSoft HRMS eCompensation, versions 9.1, 9.2
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53
        Oracle Siebel Core, versions 8.1.1, 8.2.2
        Oracle Siebel Server Remote, versions 8.1.1, 8.2.2
        Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
        Oracle iLearning, versions 5.2.1, 6.0
        Oracle Health Sciences InForm, versions 4.5.x, 4.6.x, 5.0.x, 5.5.x 
           and 6.0.0
        Oracle Siebel CTMS, version 8.1.1.x
        Oracle Retail Invoice Matching, versions 10.2, 11.0, 12.0, 12.0IN, 
           12.1, 13.0, 13.1, 13.2
        Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 
           3.0, 12.0.1
        Oracle Instantis EnterpriseTrack, versions 8.0.6, 8.5
        Oracle Primavera P6 Enterprise Project Portfolio Management, versions 
           8.1, 8.2, 8.3
        Oracle JavaFX, versions 2.2.40 and earlier
        Oracle Java JDK and JRE, versions 5.0u51 and earlier, 6u60 and earlier, 
           7u40 and earlier
        Oracle Java SE Embedded, versions 7u40 and earlier
        Oracle JRockit, versions R27.7.6 and earlier, R28.2.8 and earlier
        Oracle Solaris versions 10, 11.1
        Oracle SPARC Enterprise T series and M Series Servers Firmware 
           versions prior to 6.7.13, 7.4.6.c, 8.3.0.b, 9.0.0.d, 9.0.1.e
        Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE Switch 
           72P 1.2, Oracle Switch ES1-24 1.3
        Oracle Secure Global Desktop, version 5
        Oracle VM VirtualBox, versions prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18
        Oracle MySQL Server, versions 5.1, 5.5, 5.6
        Oracle MySQL Enterprise Monitor, version 2.3
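        The list above uses two kinds of range wording: "X and earlier"
        (Java, JRockit, JavaFX) and "prior to Y" (VirtualBox, firmware). The
        script below is an added example, not part of this bulletin and not
        AusCERT's or Oracle's code: it applies both readings to installed
        version strings so an asset list can be triaged against the bounds
        stated for Oracle Java and Oracle VM VirtualBox. The thresholds are
        taken from the bulletin text; the function names, the inventory
        format, the product-name keys and the sample versions are assumptions
        made for the example.

```python
"""Triage helper for the version ranges stated in this bulletin.

Added example, not AusCERT's or Oracle's code. The thresholds are taken from
the bulletin's product list; everything else (function names, inventory
format, sample versions) is an assumption made for this example.
"""
import re

# "Oracle Java JDK and JRE, versions 5.0u51 and earlier, 6u60 and earlier,
# 7u40 and earlier": the affected set includes the stated update itself.
JAVA_LAST_AFFECTED = {5: 51, 6: 60, 7: 40}

# "Oracle VM VirtualBox, versions prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18":
# on each branch, anything strictly below the listed release is affected.
VIRTUALBOX_FIXED = {
    (3, 2): (3, 2, 18),
    (4, 0): (4, 0, 20),
    (4, 1): (4, 1, 28),
    (4, 2): (4, 2, 18),
}

# Accepts "1.7.0_40", "7u40" and "1.5.0_51-b13" (build tag ignored).
_JAVA_RE = re.compile(r"^(?:1\.)?(\d+)(?:\.0)?(?:[_u](\d+))?(?:-[\w.]+)?$")


def parse_java_version(text):
    """Return (family, update) for a Java version string, or for the first
    line of `java -version` output such as: java version "1.7.0_40"."""
    quoted = re.search(r'java version "([^"]+)"', text)
    if quoted:
        text = quoted.group(1)
    m = _JAVA_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised Java version string: {text!r}")
    return int(m.group(1)), int(m.group(2) or 0)


def java_affected(text):
    """True if the version is at or below the 'and earlier' bound for its
    family; None if the family is not covered by this bulletin."""
    family, update = parse_java_version(text)
    last = JAVA_LAST_AFFECTED.get(family)
    return None if last is None else update <= last


def parse_dotted(text):
    """'4.2.16' -> (4, 2, 16); tuples compare component-wise, which is the
    ordering the 'prior to' wording needs."""
    parts = tuple(int(p) for p in text.strip().split("."))
    if len(parts) < 2:
        raise ValueError(f"need at least major.minor: {text!r}")
    return parts


def virtualbox_affected(text):
    """True if below the fixed release of its branch; None for branches the
    bulletin does not list."""
    v = parse_dotted(text)
    fixed = VIRTUALBOX_FIXED.get(v[:2])
    return None if fixed is None else v < fixed


# Product names as they appear in the bulletin's Product field (assumed keys).
CHECKS = {
    "Oracle Java JDK and JRE": java_affected,
    "Oracle VM VirtualBox": virtualbox_affected,
}


def triage(inventory):
    """inventory: iterable of (product, version) pairs from an asset list.
    Returns (product, version, status) triples."""
    labels = {True: "affected", False: "not affected", None: "not covered"}
    results = []
    for product, version in inventory:
        check = CHECKS.get(product)
        verdict = check(version) if check else None
        results.append((product, version, labels[verdict]))
    return results


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = [
        ("Oracle Java JDK and JRE", 'java version "1.7.0_40"'),
        ("Oracle Java JDK and JRE", "7u45"),
        ("Oracle VM VirtualBox", "4.2.16"),
        ("Oracle VM VirtualBox", "4.3.0"),
        ("Oracle MySQL Server", "5.5.34"),
    ]
    for product, version, status in triage(sample):
        print(f"{product:28} {version:26} {status}")
```

        Products whose checker is not defined (MySQL in the sample) come back
        as "not covered" rather than "not affected", so an incomplete check
        table cannot silently clear a host.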


IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


MITIGATION

        Oracle states, "Due to the threat posed by a successful attack, Oracle 
        strongly recommends that customers apply CPU fixes as soon as possible."
        
        Links to the appropriate patches are available at the Oracle site. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2013
            http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

        [2] Text Form of Oracle Critical Patch Update - October 2013 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----