Hash: SHA1

                         AUSCERT Security Bulletin

        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              15 January 2014


        AusCERT Security Bulletin Summary

Product:              Oracle Database
                      Oracle Fusion Middleware
                      Oracle Containers for J2EE
                      Oracle Enterprise Data Quality
                      Oracle Forms and Reports
                      Oracle GlassFish Server
                      Oracle HTTP Server
                      Oracle Identity Manager
                      Oracle Internet Directory
                      Oracle iPlanet Web Proxy Server
                      Oracle iPlanet Web Server
                      Oracle Outside In Technology
                      Oracle Portal
                      Oracle Reports Developer
                      Oracle Traffic Director
                      Oracle WebCenter Portal
                      Oracle WebCenter Sites
                      Oracle Hyperion Essbase Administration Services
                      Oracle Hyperion Strategic Finance
                      Oracle E-Business Suite Release
                      Oracle Agile Product Lifecycle Management for Process
                      Oracle AutoVue
                      Oracle Demantra Demand Management
                      Oracle Transportation Management
                      Oracle PeopleSoft Enterprise HRMS
                      Oracle PeopleSoft Enterprise PeopleTools
                      Oracle PeopleSoft Enterprise SCM Services Procurement
                      Oracle Siebel Core
                      Oracle Siebel Life Sciences
                      Oracle iLearning
                      Oracle FLEXCUBE Private Banking
                      Oracle JavaFX
                      Oracle Java JDK and JRE
                      Oracle Java SE Embedded
                      Oracle JRockit
                      Oracle Solaris
                      Oracle Secure Global Desktop
                      Oracle VM VirtualBox
                      Oracle MySQL Enterprise Monitor
                      Oracle MySQL Server
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
                      Unauthorised Access             -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-0445 CVE-2014-0444 CVE-2014-0443
                      CVE-2014-0441 CVE-2014-0440 CVE-2014-0439
                      CVE-2014-0438 CVE-2014-0437 CVE-2014-0435
                      CVE-2014-0434 CVE-2014-0433 CVE-2014-0431
                      CVE-2014-0430 CVE-2014-0428 CVE-2014-0427
                      CVE-2014-0425 CVE-2014-0424 CVE-2014-0423
                      CVE-2014-0422 CVE-2014-0420 CVE-2014-0419
                      CVE-2014-0418 CVE-2014-0417 CVE-2014-0416
                      CVE-2014-0415 CVE-2014-0412 CVE-2014-0411
                      CVE-2014-0410 CVE-2014-0408 CVE-2014-0407
                      CVE-2014-0406 CVE-2014-0405 CVE-2014-0404
                      CVE-2014-0403 CVE-2014-0402 CVE-2014-0401
                      CVE-2014-0400 CVE-2014-0399 CVE-2014-0398
                      CVE-2014-0396 CVE-2014-0395 CVE-2014-0394
                      CVE-2014-0393 CVE-2014-0392 CVE-2014-0391
                      CVE-2014-0390 CVE-2014-0389 CVE-2014-0388
                      CVE-2014-0387 CVE-2014-0386 CVE-2014-0385
                      CVE-2014-0383 CVE-2014-0382 CVE-2014-0381
                      CVE-2014-0380 CVE-2014-0379 CVE-2014-0378
                      CVE-2014-0377 CVE-2014-0376 CVE-2014-0375
                      CVE-2014-0374 CVE-2014-0373 CVE-2014-0372
                      CVE-2014-0371 CVE-2014-0370 CVE-2014-0369
                      CVE-2014-0368 CVE-2014-0367 CVE-2014-0366
                      CVE-2013-5910 CVE-2013-5909 CVE-2013-5908
                      CVE-2013-5907 CVE-2013-5906 CVE-2013-5905
                      CVE-2013-5904 CVE-2013-5902 CVE-2013-5901
                      CVE-2013-5900 CVE-2013-5899 CVE-2013-5898
                      CVE-2013-5897 CVE-2013-5896 CVE-2013-5895
                      CVE-2013-5894 CVE-2013-5893 CVE-2013-5892
                      CVE-2013-5891 CVE-2013-5890 CVE-2013-5889
                      CVE-2013-5888 CVE-2013-5887 CVE-2013-5886
                      CVE-2013-5885 CVE-2013-5884 CVE-2013-5883
                      CVE-2013-5882 CVE-2013-5881 CVE-2013-5880
                      CVE-2013-5879 CVE-2013-5878 CVE-2013-5877
                      CVE-2013-5876 CVE-2013-5875 CVE-2013-5874
                      CVE-2013-5873 CVE-2013-5872 CVE-2013-5871
                      CVE-2013-5870 CVE-2013-5869 CVE-2013-5868
                      CVE-2013-5860 CVE-2013-5858 CVE-2013-5853
                      CVE-2013-5834 CVE-2013-5833 CVE-2013-5821
                      CVE-2013-5808 CVE-2013-5795 CVE-2013-5785
                      CVE-2013-5764 CVE-2013-4316 CVE-2013-3830
                      CVE-2013-2924 CVE-2013-2071 CVE-2013-2067
                      CVE-2013-1862 CVE-2013-1654 CVE-2013-1620
                      CVE-2012-4605 CVE-2012-3544 CVE-2012-3499
                      CVE-2007-1858 CVE-2007-0009 CVE-2003-1067
Member content until: Friday, February 14 2014
Reference:            ESB-2013.1808


        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]
        Oracle states, "This Critical Patch Update contains 144 new security 
        fixes across the product families listed below." [1]
        Oracle Database 11g Release 1, version
        Oracle Database 11g Release 2, versions,
        Oracle Database 12c Release 1, version
        Oracle Fusion Middleware 11g Release 1, versions,
        Oracle Fusion Middleware 11g Release 2, versions,
        Oracle Fusion Middleware 12c Release 2, version 12.1.2
        Oracle Containers for J2EE, version
        Oracle Enterprise Data Quality, versions 8.1, 9.0.8
        Oracle Forms and Reports 11g, Release 2, version
        Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, 
          versions 8.1, 8.2
        Oracle HTTP Server 11g, versions,
        Oracle HTTP Server 12c, version 12.1.2
        Oracle Identity Manager, versions,,, 

        Oracle Internet Directory, versions,
        Oracle iPlanet Web Proxy Server, version 4.0
        Oracle iPlanet Web Server, versions 6.1, 7.0
        Oracle Outside In Technology, versions 8.4.0, 8.4.1
        Oracle Portal, version
        Oracle Reports Developer, versions,,
        Oracle Traffic Director, versions,
        Oracle WebCenter Portal versions,,
        Oracle WebCenter Sites versions,
        Oracle Hyperion Essbase Administration Services, versions, 
        Oracle Hyperion Strategic Finance, versions,
        Oracle E-Business Suite Release 11i, version
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 
        Oracle Agile Product Lifecycle Management for Process, versions 6.0, 
          6.1, 6.1.1
        Oracle AutoVue, versions 20.1.1
        Oracle Demantra Demand Management, versions SQL-Server, 7.3.0, 
          7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
        Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 
        Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
        Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
        Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
        Oracle Siebel Core, versions 8.1.1, 8.2.2
        Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
        Oracle iLearning, version 6.0
        Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1,, 
          3.0, 12.0.1, 12.0.2
        Oracle JavaFX, versions 2.2.45 and earlier
        Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 
          7u45 and earlier
        Oracle Java SE Embedded, versions 7u45 and earlier
        Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
        Oracle Solaris versions 8, 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
        Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 
        Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
        Oracle MySQL Server, versions 5.1, 5.5, 5.6


        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


        Oracle states, "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]
        Links to the appropriate patches are available at the Oracle site. [1]


        [1] Oracle Critical Patch Update Advisory - January 2014

        [2] Text Form of Oracle Critical Patch Update - January 2014 Risk

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967