-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0005
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              15 January 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database
                      Oracle Fusion Middleware
                      Oracle Containers for J2EE
                      Oracle Enterprise Data Quality
                      Oracle Forms and Reports
                      Oracle GlassFish Server
                      Oracle HTTP Server
                      Oracle Identity Manager
                      Oracle Internet Directory
                      Oracle iPlanet Web Proxy Server
                      Oracle iPlanet Web Server
                      Oracle Outside In Technology
                      Oracle Portal
                      Oracle Reports Developer
                      Oracle Traffic Director
                      Oracle WebCenter Portal
                      Oracle WebCenter Sites
                      Oracle Hyperion Essbase Administration Services
                      Oracle Hyperion Strategic Finance
                      Oracle E-Business Suite Release
                      Oracle Agile Product Lifecycle Management for Process
                      Oracle AutoVue
                      Oracle Demantra Demand Management
                      Oracle Transportation Management
                      Oracle PeopleSoft Enterprise HRMS
                      Oracle PeopleSoft Enterprise PeopleTools
                      Oracle PeopleSoft Enterprise SCM Services Procurement
                      Oracle Siebel Core
                      Oracle Siebel Life Sciences
                      Oracle iLearning
                      Oracle FLEXCUBE Private Banking
                      Oracle JavaFX
                      Oracle Java JDK and JRE
                      Oracle Java SE Embedded
                      Oracle JRockit
                      Oracle Solaris
                      Oracle Secure Global Desktop
                      Oracle VM VirtualBox
                      Oracle MySQL Enterprise Monitor
                      Oracle MySQL Server
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0445 CVE-2014-0444 CVE-2014-0443
                      CVE-2014-0441 CVE-2014-0440 CVE-2014-0439
                      CVE-2014-0438 CVE-2014-0437 CVE-2014-0435
                      CVE-2014-0434 CVE-2014-0433 CVE-2014-0431
                      CVE-2014-0430 CVE-2014-0428 CVE-2014-0427
                      CVE-2014-0425 CVE-2014-0424 CVE-2014-0423
                      CVE-2014-0422 CVE-2014-0420 CVE-2014-0419
                      CVE-2014-0418 CVE-2014-0417 CVE-2014-0416
                      CVE-2014-0415 CVE-2014-0412 CVE-2014-0411
                      CVE-2014-0410 CVE-2014-0408 CVE-2014-0407
                      CVE-2014-0406 CVE-2014-0405 CVE-2014-0404
                      CVE-2014-0403 CVE-2014-0402 CVE-2014-0401
                      CVE-2014-0400 CVE-2014-0399 CVE-2014-0398
                      CVE-2014-0396 CVE-2014-0395 CVE-2014-0394
                      CVE-2014-0393 CVE-2014-0392 CVE-2014-0391
                      CVE-2014-0390 CVE-2014-0389 CVE-2014-0388
                      CVE-2014-0387 CVE-2014-0386 CVE-2014-0385
                      CVE-2014-0383 CVE-2014-0382 CVE-2014-0381
                      CVE-2014-0380 CVE-2014-0379 CVE-2014-0378
                      CVE-2014-0377 CVE-2014-0376 CVE-2014-0375
                      CVE-2014-0374 CVE-2014-0373 CVE-2014-0372
                      CVE-2014-0371 CVE-2014-0370 CVE-2014-0369
                      CVE-2014-0368 CVE-2014-0367 CVE-2014-0366
                      CVE-2013-5910 CVE-2013-5909 CVE-2013-5908
                      CVE-2013-5907 CVE-2013-5906 CVE-2013-5905
                      CVE-2013-5904 CVE-2013-5902 CVE-2013-5901
                      CVE-2013-5900 CVE-2013-5899 CVE-2013-5898
                      CVE-2013-5897 CVE-2013-5896 CVE-2013-5895
                      CVE-2013-5894 CVE-2013-5893 CVE-2013-5892
                      CVE-2013-5891 CVE-2013-5890 CVE-2013-5889
                      CVE-2013-5888 CVE-2013-5887 CVE-2013-5886
                      CVE-2013-5885 CVE-2013-5884 CVE-2013-5883
                      CVE-2013-5882 CVE-2013-5881 CVE-2013-5880
                      CVE-2013-5879 CVE-2013-5878 CVE-2013-5877
                      CVE-2013-5876 CVE-2013-5875 CVE-2013-5874
                      CVE-2013-5873 CVE-2013-5872 CVE-2013-5871
                      CVE-2013-5870 CVE-2013-5869 CVE-2013-5868
                      CVE-2013-5860 CVE-2013-5858 CVE-2013-5853
                      CVE-2013-5834 CVE-2013-5833 CVE-2013-5821
                      CVE-2013-5808 CVE-2013-5795 CVE-2013-5785
                      CVE-2013-5764 CVE-2013-4316 CVE-2013-3830
                      CVE-2013-2924 CVE-2013-2071 CVE-2013-2067
                      CVE-2013-1862 CVE-2013-1654 CVE-2013-1620
                      CVE-2012-4605 CVE-2012-3544 CVE-2012-3499
                      CVE-2007-1858 CVE-2007-0009 CVE-2003-1067
Member content until: Friday, February 14 2014
Reference:            ESB-2013.1808
                      ESB-2013.1741
                      ESB-2013.1625
                      ESB-2013.1530
                      ESB-2013.1470
                      ESB-2013.1275
                      ESB-2013.1166
                      ESB-2013.0667
                      ESB-2009.0093
                      AL-2007.0028

OVERVIEW

        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]
        
        Oracle states, "This Critical Patch Update contains 144 new security 
        fixes across the product families listed below." [1]
        
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, version 12.1.0.1
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
        Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1
        Oracle Fusion Middleware 12c Release 2, version 12.1.2
        Oracle Containers for J2EE, version 10.1.3.5
        Oracle Enterprise Data Quality, versions 8.1, 9.0.8
        Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
        Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, 
          versions 8.1, 8.2
        Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7
        Oracle HTTP Server 12c, version 12.1.2
        Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 
          11.1.2.1
        Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7
        Oracle iPlanet Web Proxy Server, version 4.0
        Oracle iPlanet Web Server, versions 6.1, 7.0
        Oracle Outside In Technology, versions 8.4.0, 8.4.1
        Oracle Portal, version 11.1.1.6
        Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1
        Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7
        Oracle WebCenter Portal versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
        Oracle WebCenter Sites versions 11.1.1.6.1, 11.1.1.8.0
        Oracle Hyperion Essbase Administration Services, versions 11.1.2.1, 
          11.1.2.2, 11.1.2.3
        Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 
          12.1.3
        Oracle Agile Product Lifecycle Management for Process, versions 6.0, 
          6.1, 6.1.1
        Oracle AutoVue, versions 20.1.1
        Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server, 7.3.0, 
          7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
        Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 
          6.3.2
        Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
        Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
        Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
        Oracle Siebel Core, versions 8.1.1, 8.2.2
        Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
        Oracle iLearning, version 6.0
        Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 
          3.0, 12.0.1, 12.0.2
        Oracle JavaFX, versions 2.2.45 and earlier
        Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 
          7u45 and earlier
        Oracle Java SE Embedded, versions 7u45 and earlier
        Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
        Oracle Solaris versions 8, 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
        Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 
          4.3.6
        Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
        Oracle MySQL Server, versions 5.1, 5.5, 5.6


IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


MITIGATION

        Oracle states, "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]
        
        Links to the appropriate patches are available at the Oracle site. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2014
            http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

        [2] Text Form of Oracle Critical Patch Update - January 2014 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================