-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin ASB-2014.0005
  Oracle have released updates which correct vulnerabilities in numerous
                                 products
                              15 January 2014
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Database
                   Oracle Fusion Middleware
                   Oracle Containers for J2EE
                   Oracle Enterprise Data Quality
                   Oracle Forms and Reports
                   Oracle GlassFish Server
                   Oracle HTTP Server
                   Oracle Identity Manager
                   Oracle Internet Directory
                   Oracle iPlanet Web Proxy Server
                   Oracle iPlanet Web Server
                   Oracle Outside In Technology
                   Oracle Portal
                   Oracle Reports Developer
                   Oracle Traffic Director
                   Oracle WebCenter Portal
                   Oracle WebCenter Sites
                   Oracle Hyperion Essbase Administration Services
                   Oracle Hyperion Strategic Finance
                   Oracle E-Business Suite Release
                   Oracle Agile Product Lifecycle Management for Process
                   Oracle AutoVue
                   Oracle Demantra Demand Management
                   Oracle Transportation Management
                   Oracle PeopleSoft Enterprise HRMS
                   Oracle PeopleSoft Enterprise PeopleTools
                   Oracle PeopleSoft Enterprise SCM Services Procurement
                   Oracle Siebel Core
                   Oracle Siebel Life Sciences
                   Oracle iLearning
                   Oracle FLEXCUBE Private Banking
                   Oracle JavaFX
                   Oracle Java JDK and JRE
                   Oracle Java SE Embedded
                   Oracle JRockit
                   Oracle Solaris
                   Oracle Secure Global Desktop
                   Oracle VM VirtualBox
                   Oracle MySQL Enterprise Monitor
                   Oracle MySQL Server
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Increased Privileges            -- Existing Account
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
                   Unauthorised Access             -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-0445 CVE-2014-0444 CVE-2014-0443
                   CVE-2014-0441 CVE-2014-0440 CVE-2014-0439
                   CVE-2014-0438 CVE-2014-0437 CVE-2014-0435
                   CVE-2014-0434 CVE-2014-0433 CVE-2014-0431
                   CVE-2014-0430 CVE-2014-0428 CVE-2014-0427
                   CVE-2014-0425 CVE-2014-0424 CVE-2014-0423
                   CVE-2014-0422 CVE-2014-0420 CVE-2014-0419
                   CVE-2014-0418 CVE-2014-0417 CVE-2014-0416
                   CVE-2014-0415 CVE-2014-0412 CVE-2014-0411
                   CVE-2014-0410 CVE-2014-0408 CVE-2014-0407
                   CVE-2014-0406 CVE-2014-0405 CVE-2014-0404
                   CVE-2014-0403 CVE-2014-0402 CVE-2014-0401
                   CVE-2014-0400 CVE-2014-0399 CVE-2014-0398
                   CVE-2014-0396 CVE-2014-0395 CVE-2014-0394
                   CVE-2014-0393 CVE-2014-0392 CVE-2014-0391
                   CVE-2014-0390 CVE-2014-0389 CVE-2014-0388
                   CVE-2014-0387 CVE-2014-0386 CVE-2014-0385
                   CVE-2014-0383 CVE-2014-0382 CVE-2014-0381
                   CVE-2014-0380 CVE-2014-0379 CVE-2014-0378
                   CVE-2014-0377 CVE-2014-0376 CVE-2014-0375
                   CVE-2014-0374 CVE-2014-0373 CVE-2014-0372
                   CVE-2014-0371 CVE-2014-0370 CVE-2014-0369
                   CVE-2014-0368 CVE-2014-0367 CVE-2014-0366
                   CVE-2013-5910 CVE-2013-5909 CVE-2013-5908
                   CVE-2013-5907 CVE-2013-5906 CVE-2013-5905
                   CVE-2013-5904 CVE-2013-5902 CVE-2013-5901
                   CVE-2013-5900 CVE-2013-5899 CVE-2013-5898
                   CVE-2013-5897 CVE-2013-5896 CVE-2013-5895
                   CVE-2013-5894 CVE-2013-5893 CVE-2013-5892
                   CVE-2013-5891 CVE-2013-5890 CVE-2013-5889
                   CVE-2013-5888 CVE-2013-5887 CVE-2013-5886
                   CVE-2013-5885 CVE-2013-5884 CVE-2013-5883
                   CVE-2013-5882 CVE-2013-5881 CVE-2013-5880
                   CVE-2013-5879 CVE-2013-5878 CVE-2013-5877
                   CVE-2013-5876 CVE-2013-5875 CVE-2013-5874
                   CVE-2013-5873 CVE-2013-5872 CVE-2013-5871
                   CVE-2013-5870 CVE-2013-5869 CVE-2013-5868
                   CVE-2013-5860 CVE-2013-5858 CVE-2013-5853
                   CVE-2013-5834 CVE-2013-5833 CVE-2013-5821
                   CVE-2013-5808 CVE-2013-5795 CVE-2013-5785
                   CVE-2013-5764 CVE-2013-4316 CVE-2013-3830
                   CVE-2013-2924 CVE-2013-2071 CVE-2013-2067
                   CVE-2013-1862 CVE-2013-1654 CVE-2013-1620
                   CVE-2012-4605 CVE-2012-3544 CVE-2012-3499
                   CVE-2007-1858 CVE-2007-0009 CVE-2003-1067
Member content until: Friday, February 14 2014
Reference:         ESB-2013.1808
                   ESB-2013.1741
                   ESB-2013.1625
                   ESB-2013.1530
                   ESB-2013.1470
                   ESB-2013.1275
                   ESB-2013.1166
                   ESB-2013.0667
                   ESB-2009.0093
                   AL-2007.0028

OVERVIEW

        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]

        Oracle states, "This Critical Patch Update contains 144 new
        security fixes across the product families listed below." [1]

        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, version 12.1.0.1
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
        Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1
        Oracle Fusion Middleware 12c Release 2, version 12.1.2
        Oracle Containers for J2EE, version 10.1.3.5
        Oracle Enterprise Data Quality, versions 8.1, 9.0.8
        Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
        Oracle GlassFish Server, version 2.1.1, Sun Java Application Server,
          versions 8.1, 8.2
        Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7
        Oracle HTTP Server 12c, version 12.1.2
        Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0,
          11.1.2.1
        Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7
        Oracle iPlanet Web Proxy Server, version 4.0
        Oracle iPlanet Web Server, versions 6.1, 7.0
        Oracle Outside In Technology, versions 8.4.0, 8.4.1
        Oracle Portal, version 11.1.1.6
        Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1
        Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7
        Oracle WebCenter Portal versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
        Oracle WebCenter Sites versions 11.1.1.6.1, 11.1.1.8.0
        Oracle Hyperion Essbase Administration Services, versions 11.1.2.1,
          11.1.2.2, 11.1.2.3
        Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2,
          12.1.3
        Oracle Agile Product Lifecycle Management for Process, versions 6.0,
          6.1, 6.1.1
        Oracle AutoVue, versions 20.1.1
        Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server,
          7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
        Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1,
          6.3.2
        Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
        Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
        Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
        Oracle Siebel Core, versions 8.1.1, 8.2.2
        Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
        Oracle iLearning, version 6.0
        Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1,
          3.0, 12.0.1, 12.0.2
        Oracle JavaFX, versions 2.2.45 and earlier
        Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and
          earlier, 7u45 and earlier
        Oracle Java SE Embedded, versions 7u45 and earlier
        Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
        Oracle Solaris versions 8, 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
        Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30,
          4.2.20, 4.3.6
        Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
        Oracle MySQL Server, versions 5.1, 5.5, 5.6

IMPACT

        Limited impact details have been published by Oracle in their
        Text Form Risk Matrices. [2]

MITIGATION

        Oracle states, "Due to the threat posed by a successful attack,
        Oracle strongly recommends that customers apply CPU fixes as soon
        as possible." [1]

        Links to the appropriate patches are available at the Oracle
        site. [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - January 2014
            http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

        [2] Text Form of Oracle Critical Patch Update - January 2014 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpujan2014verbose-1972951.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBUtXhHxLndAQH1ShLAQKnsxAAjLHsRHKt0Nae0bYbD1XxtjmRHPNFhdTA
L42AFgUVGzOYT2asCTlA71R78y75Q0rKtEfEUnU09hfqqrRuoZbnJ9HHV55+oh5g
2wpyaxxksCA2tjFrFPStZUrGatNZi6tlBmgm6HWx6/V1oUbhYh6m1qFI0vKyLKWh
MtdgikO2RcWsmhJn4IZZXPoCh3WIqBaZd4kZvGJ9lCuMoqNT6ETmC326UzCHoZcn
+adM7rd3/+ee+DnYsf0lYOu6XiV7snU2yaPKlCJcTQt/n7RhYuz11t12mrp79/4A
DEwpEpfysWxgmvX4a4hUaAEQQIp4CDpvdyJ2NKtLwtHHkMiJOw2aINx3U0FGe1BD
wYb27xU22RZxgqzaJ2IPxQwXaDPxp+BRuqkePviwXqhNjdcgjbuwvyKxDeocDcap
CL7Hb2tT6GF8S2Fn37ZEhpr+6l3kPXD28WuS0ZV5z4O86YuyXi1ar2f3Dx5/7pV/
D1CPrL7Szrw04GHHTO5cZV7bX7lkdabTyUyvQ+wsQed76wSjg0IozVWOQ8Pkpxnd
iXDsl4hvc5MpJ0W7ZrM/zDxeNjjMd5LSShpPy9WRNukX8zaBUaQ1U62pT30n4YnH
ntXR2aQPZcFIdDc+iayg3xkoVj3ePgNQ/YB/BbE8vuDlGsguiQJPP3E8Bxr0xJuu
5bFVfmJCDT8=
=5+PJ
-----END PGP SIGNATURE-----