-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                   AUSCERT Security Bulletin ASB-2013.0113
  Oracle have released updates which correct vulnerabilities in numerous
                                 products
                              16 October 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Database
                   Oracle Fusion Middleware
                   Oracle Access Manager
                   Oracle Forms and Reports
                   Oracle GlassFish Server
                   Oracle HTTP Server
                   Oracle Identity Analytics
                   Oracle Identity Manager
                   Oracle JDeveloper
                   Oracle Outside In Technology
                   Oracle Portal
                   Oracle Web Cache
                   Oracle WebCenter Content
                   Oracle WebLogic Server
                   Oracle Web Services
                   Oracle Enterprise Manager Grid Control
                   Oracle Enterprise Manager Plugin for Database
                   Oracle E-Business Suite
                   Oracle Agile PLM Framework
                   Oracle Transportation Management
                   Oracle PeopleSoft HRMS
                   Oracle PeopleSoft HRMS eCompensation
                   Oracle PeopleSoft PeopleTools
                   Oracle Siebel Core
                   Oracle Siebel Server Remote
                   Oracle Siebel UI Framework
                   Oracle iLearning
                   Oracle Health Sciences InForm
                   Oracle Siebel CTMS
                   Oracle Retail Invoice Matching
                   Oracle FLEXCUBE Private Banking
                   Oracle Instantis EnterpriseTrack
                   Oracle Primavera P6 Enterprise Project Portfolio Management
                   Oracle JavaFX
                   Oracle Java JDK and JRE
                   Oracle Java SE Embedded
                   Oracle JRockit
                   Oracle Solaris
                   Oracle SPARC Enterprise T series and M Series Servers Firmware
                   Oracle Sun Blade
                   Oracle Secure Global Desktop
                   Oracle VM VirtualBox
                   Oracle MySQL Server
                   Oracle MySQL Enterprise Monitor
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Platform:          SPARC
                   IA-32
                   IA-64
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2013-5867 CVE-2013-5866 CVE-2013-5865 CVE-2013-5864
                   CVE-2013-5863 CVE-2013-5862 CVE-2013-5861 CVE-2013-5859
                   CVE-2013-5857 CVE-2013-5856 CVE-2013-5854 CVE-2013-5852
                   CVE-2013-5851 CVE-2013-5850 CVE-2013-5849 CVE-2013-5848
                   CVE-2013-5847 CVE-2013-5846 CVE-2013-5845 CVE-2013-5844
                   CVE-2013-5843 CVE-2013-5842 CVE-2013-5841 CVE-2013-5840
                   CVE-2013-5839 CVE-2013-5838 CVE-2013-5837 CVE-2013-5836
                   CVE-2013-5835 CVE-2013-5832 CVE-2013-5831 CVE-2013-5830
                   CVE-2013-5829 CVE-2013-5828 CVE-2013-5827 CVE-2013-5826
                   CVE-2013-5825 CVE-2013-5824 CVE-2013-5823 CVE-2013-5822
                   CVE-2013-5820 CVE-2013-5819 CVE-2013-5818 CVE-2013-5817
                   CVE-2013-5816 CVE-2013-5815 CVE-2013-5814 CVE-2013-5813
                   CVE-2013-5812 CVE-2013-5811 CVE-2013-5810 CVE-2013-5809
                   CVE-2013-5807 CVE-2013-5806 CVE-2013-5805 CVE-2013-5804
                   CVE-2013-5803 CVE-2013-5802 CVE-2013-5801 CVE-2013-5800
                   CVE-2013-5799 CVE-2013-5798 CVE-2013-5797 CVE-2013-5796
                   CVE-2013-5794 CVE-2013-5793 CVE-2013-5792 CVE-2013-5791
                   CVE-2013-5790 CVE-2013-5789 CVE-2013-5788 CVE-2013-5787
                   CVE-2013-5786 CVE-2013-5784 CVE-2013-5783 CVE-2013-5782
                   CVE-2013-5781 CVE-2013-5780 CVE-2013-5779 CVE-2013-5778
                   CVE-2013-5777 CVE-2013-5776 CVE-2013-5775 CVE-2013-5774
                   CVE-2013-5773 CVE-2013-5772 CVE-2013-5771 CVE-2013-5770
                   CVE-2013-5769 CVE-2013-5768 CVE-2013-5767 CVE-2013-5766
                   CVE-2013-5765 CVE-2013-5762 CVE-2013-5761 CVE-2013-4002
                   CVE-2013-3842 CVE-2013-3841 CVE-2013-3840 CVE-2013-3839
                   CVE-2013-3838 CVE-2013-3837 CVE-2013-3836 CVE-2013-3835
                   CVE-2013-3834 CVE-2013-3833 CVE-2013-3832 CVE-2013-3831
                   CVE-2013-3829 CVE-2013-3828 CVE-2013-3827 CVE-2013-3826
                   CVE-2013-3814 CVE-2013-3792 CVE-2013-3785 CVE-2013-3766
                   CVE-2013-3762 CVE-2013-3624 CVE-2013-2251 CVE-2013-2172
                   CVE-2013-0169 CVE-2013-0149 CVE-2012-2750 CVE-2011-3389
Member content until: Friday, November 15 2013
Reference:         ASB-2013.0025
                   ESB-2013.0204
                   ESB-2013.0183
                   ASB-2012.0016
                   ASB-2012.0003
                   ASB-2011.0092

OVERVIEW

        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]

        Oracle states, "This Critical Patch Update contains 127 new
        security fixes (including 51 Java fixes) across the product
        families listed below." [1]

        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
        Oracle Database 12c Release 1, version 12.1.0.1
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
        Oracle Access Manager, versions 11.1.1.5.0, 11.1.2.0.0
        Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
        Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2
        Oracle HTTP Server 12c, version 12.1.2
        Oracle Identity Analytics, version 11.1.1.5; Sun Role Manager,
          versions 4.1, 5.0
        Oracle Identity Manager, versions 11.1.2.0.0, 11.1.2.1.0
        Oracle JDeveloper, versions 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0
        Oracle Outside In Technology, versions 8.4.0, 8.4.1
        Oracle Portal, version 11.1.1.6.0
        Oracle Web Cache, versions 11.1.1.6, 11.1.1.7
        Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0,
          11.1.1.7.0, 11.1.1.8.0
        Oracle WebLogic Server, versions 10.3.6.0, 12.1.1.0
        Oracle Web Services, versions 10.1.3.5, 11.1.1.6.0
        Oracle Enterprise Manager Grid Control 10g Release 1,
          version 10.2.0.5
        Oracle Enterprise Manager Grid Control 11g Release 1,
          version 11.1.0.1
        Oracle Enterprise Manager Plugin for Database 12c Release 1,
          versions 12.1.0.2, 12.1.0.3, 12.1.0.4
        Oracle E-Business Suite Release 12i, version 12.1
        Oracle Agile PLM Framework, version 9.3.2
        Oracle Transportation Management, versions 6.2, 6.3, 6.3.1, 6.3.2
        Oracle PeopleSoft HRMS, version 9.1
        Oracle PeopleSoft HRMS eCompensation, versions 9.1, 9.2
        Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53
        Oracle Siebel Core, versions 8.1.1, 8.2.2
        Oracle Siebel Server Remote, versions 8.1.1, 8.2.2
        Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
        Oracle iLearning, versions 5.2.1, 6.0
        Oracle Health Sciences InForm, versions 4.5.x, 4.6.x, 5.0.x,
          5.5.x and 6.0.0
        Oracle Siebel CTMS, version 8.1.1.x
        Oracle Retail Invoice Matching, versions 10.2, 11.0, 12.0, 12.0IN,
          12.1, 13.0, 13.1, 13.2
        Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1,
          3.0, 12.0.1
        Oracle Instantis EnterpriseTrack, versions 8.0.6, 8.5
        Oracle Primavera P6 Enterprise Project Portfolio Management,
          versions 8.1, 8.2, 8.3
        Oracle JavaFX, versions 2.2.40 and earlier
        Oracle Java JDK and JRE, versions 5.0u51 and earlier, 6u60 and
          earlier, 7u40 and earlier
        Oracle Java SE Embedded, versions 7u40 and earlier
        Oracle JRockit, versions R27.7.6 and earlier, R28.2.8 and earlier
        Oracle Solaris versions 10, 11.1
        Oracle SPARC Enterprise T series and M Series Servers Firmware
          versions prior to 6.7.13, 7.4.6.c, 8.3.0.b, 9.0.0.d, 9.0.1.e
        Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE
          Switch 72P 1.2, Oracle Switch ES1-24 1.3
        Oracle Secure Global Desktop, version 5
        Oracle VM VirtualBox, versions prior to 3.2.18, 4.0.20, 4.1.28,
          4.2.18
        Oracle MySQL Server, versions 5.1, 5.5, 5.6
        Oracle MySQL Enterprise Monitor, version 2.3

IMPACT

        Limited impact details have been published by Oracle in their
        Text Form Risk Matrices. [2]

MITIGATION

        Oracle states, "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon
        as possible." Links to the appropriate patches are available at
        the Oracle site. [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2013
            http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

        [2] Text Form of Oracle Critical Patch Update - October 2013 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation.
The decision to follow or act on information or advice contained in this
security bulletin is the responsibility of each user or organisation, and
should be considered in accordance with your organisation's site policies
and procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUl3yrxLndAQH1ShLAQKF7BAAhZDUHcPpVwTMFak6STWy8DZK9V/8lgvq
2+LmM11PlQdQ59MyuTW3F/OA20zMCIlmvdyIOycL1JgQJIhbIr7CPrVQLOWb1LF0
1hiBCQyXOKXEKXLpMSYA1lD7iZMlqZtyWLhwJqrGAPlezUB8hY72Y0g0s0ZyU96Z
g3dM6+z/6KZWzPOkzkzsQ7rWrxbtDtcMlxtNitnmWtvMRw3ODou7paCvPq2M5OGF
aPjKgvkulK9mfdAOLbUDePSsy2nyW6lgxmIa+f5LaMZJ8d3kiMC1yhJ5IdkLBGPp
O3EUHVlqVEDPFmpT04XWVnQ9pW7/lT2QRULGSmkZ/7s9x4LYoZBMMExaGINLnSTu
0ia2n2w2B5mW5b+dHhtI2onpxDReViqzABBIog4ZFehKsGhMTlWkP11TPFsdkJrT
LJ3WVQWrhPMd/yV04a45jCzqyE2H/ppzDcO51CW/XeMkMMQ0Ah8dJz5QEIXjIJC/
97VgN6z4tl1cl53qyrlwdYPyCRGs+RzIsAGKRmOevv04RK1rMp4evyNSnYxCYcQC
C8YZZ1l5NvAnrKtdzehGINhkTgiA9s4JiKgslbUDr6G1xtEb0Mn7xmmk9plMYFqk
BhYPhIx5pJu7DSith/uM8cDBfh0p6Lu4eI35mDkc01aDBJ/D1DulARQy+RwBqZ/G
EOU/VEeGeUc=
=HZeM
-----END PGP SIGNATURE-----
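The bulletin gives affected ranges in two forms, "N and earlier" (Java JDK/JRE: 5.0u51, 6u60, 7u40) and "prior to N" (VM VirtualBox: 3.2.18, 4.0.20, 4.1.28, 4.2.18), and the mitigation is simply to patch. The helper below is an added example, not part of the AusCERT bulletin or Oracle's advisory: it turns those two ranges into a triage check that can be run over raw `java -version` and `VBoxManage --version` output collected from a fleet. The thresholds are copied from the bulletin text; the function names, the status labels and the sample inventory are this example's own assumptions.

```python
"""Version triage for ASB-2013.0113 (Oracle CPU, October 2013).

Added example, not part of the AusCERT bulletin.  Thresholds are the
"N and earlier" / "prior to N" figures the bulletin quotes for Java SE
and VM VirtualBox; all names and the sample inventory are assumptions.
"""
import re

# Java JDK/JRE: "5.0u51 and earlier, 6u60 and earlier, 7u40 and earlier".
JAVA_LAST_AFFECTED_UPDATE = {5: 51, 6: 60, 7: 40}

# VM VirtualBox: "versions prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18",
# keyed by branch (major, minor).
VIRTUALBOX_FIRST_FIXED = {
    (3, 2): (3, 2, 18),
    (4, 0): (4, 0, 20),
    (4, 1): (4, 1, 28),
    (4, 2): (4, 2, 18),
}

# Runtime form: "1.7.0_40", "1.7.0_40-b43", or a whole `java -version` blob.
_JAVA_DOTTED = re.compile(r"\b1\.(?P<fam>\d+)\.0(?:_(?P<upd>\d+))?")
# Marketing form used in the bulletin itself: "7u40", "5.0u51".
_JAVA_SHORT = re.compile(r"\b(?P<fam>\d+)(?:\.0)?u(?P<upd>\d+)\b")
# "4.2.16" or "4.2.16r86992" (VBoxManage --version appends the SVN revision).
_DOTTED3 = re.compile(r"(?<!\d)(\d+)\.(\d+)\.(\d+)")


def parse_java_version(text):
    """Return (family, update) or None.  A bare "1.7.0" counts as update 0."""
    m = _JAVA_DOTTED.search(text) or _JAVA_SHORT.search(text)
    if m is None:
        return None
    return int(m.group("fam")), int(m.group("upd") or 0)


def java_status(text):
    """'affected', 'patched', 'not-listed' (a family the bulletin does not
    name, e.g. Java 8) or 'unparseable'."""
    parsed = parse_java_version(text)
    if parsed is None:
        return "unparseable"
    family, update = parsed
    last_bad = JAVA_LAST_AFFECTED_UPDATE.get(family)
    if last_bad is None:
        return "not-listed"
    return "affected" if update <= last_bad else "patched"


def virtualbox_status(text):
    """Same labels as java_status; 'prior to' is a strict tuple comparison."""
    m = _DOTTED3.search(text)
    if m is None:
        return "unparseable"
    version = tuple(int(x) for x in m.groups())
    fixed = VIRTUALBOX_FIRST_FIXED.get(version[:2])
    if fixed is None:
        return "not-listed"
    return "affected" if version < fixed else "patched"


CHECKS = {"java": java_status, "virtualbox": virtualbox_status}


def triage(inventory):
    """inventory: iterable of (host, product, raw_version_output).
    Returns {host: status}; products without a check here get 'no-check'."""
    return {host: CHECKS.get(product, lambda _raw: "no-check")(raw)
            for host, product, raw in inventory}


# Constructed sample inventory (hosts and outputs are made up): the kind of
# text an agent scrapes from `java -version` (stderr) and `VBoxManage --version`.
SAMPLE_INVENTORY = [
    ("build01", "java", 'java version "1.7.0_40"\n'
                        'Java(TM) SE Runtime Environment (build 1.7.0_40-b43)'),
    ("build02", "java", 'java version "1.7.0_45"'),
    ("legacy01", "java", "1.5.0_51"),
    ("dev03", "java", "1.8.0_05"),
    ("lab01", "virtualbox", "4.2.16r86992"),
    ("lab02", "virtualbox", "4.2.18r88780"),
    ("lab03", "virtualbox", "4.3.0r89960"),
    ("db01", "mysql", "5.6.13"),
]

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {status}")
```

Two caveats a practitioner should keep in mind. First, the check only knows the ranges the bulletin states: families and branches it does not name (Java 8, VirtualBox 4.3) come back as `not-listed`, not as safe, and MySQL is reported as `no-check` because the bulletin gives only major versions 5.1, 5.5 and 5.6 with no fixed release. Second, a version string is evidence of the installed build, not of the patch state of a vendor-repackaged runtime (an OpenJDK build from a distribution can carry a different update number than Oracle's release), so treat `patched` as "Oracle's numbering says fixed" and confirm against the vendor's own advisory.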