===========================================================================
AUSCERT Security Bulletin

ASB-2014.0053
Oracle have released updates which correct vulnerabilities in numerous products
16 April 2014
===========================================================================

AusCERT Security Bulletin Summary
---------------------------------

Product:           Oracle Database Server
                   Oracle Fusion Middleware
                   Oracle Hyperion
                   Oracle Supply Chain Products Suite
                   Oracle PeopleSoft Products
                   Oracle Siebel CRM
                   Oracle iLearning
                   Oracle Java SE
                   Oracle and Sun Systems Products Suite
                   Oracle Virtualization
                   Oracle MySQL
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Read-only Data Access           -- Existing Account
                   Access Confidential Data        -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-2471 CVE-2014-2470 CVE-2014-2468 CVE-2014-2467 CVE-2014-2466
                   CVE-2014-2465 CVE-2014-2464 CVE-2014-2463 CVE-2014-2461 CVE-2014-2460
                   CVE-2014-2459 CVE-2014-2458 CVE-2014-2457 CVE-2014-2455 CVE-2014-2454
                   CVE-2014-2453 CVE-2014-2452 CVE-2014-2451 CVE-2014-2450 CVE-2014-2449
                   CVE-2014-2448 CVE-2014-2447 CVE-2014-2446 CVE-2014-2445 CVE-2014-2444
                   CVE-2014-2443 CVE-2014-2442 CVE-2014-2441 CVE-2014-2440 CVE-2014-2439
                   CVE-2014-2438 CVE-2014-2437 CVE-2014-2436 CVE-2014-2435 CVE-2014-2434
                   CVE-2014-2433 CVE-2014-2432 CVE-2014-2431 CVE-2014-2430 CVE-2014-2429
                   CVE-2014-2428 CVE-2014-2427 CVE-2014-2426 CVE-2014-2425 CVE-2014-2424
                   CVE-2014-2423 CVE-2014-2422 CVE-2014-2421 CVE-2014-2420 CVE-2014-2419
                   CVE-2014-2418 CVE-2014-2417 CVE-2014-2416 CVE-2014-2415 CVE-2014-2414
                   CVE-2014-2413 CVE-2014-2412 CVE-2014-2411 CVE-2014-2410 CVE-2014-2409
                   CVE-2014-2408 CVE-2014-2407 CVE-2014-2406 CVE-2014-2404 CVE-2014-2403
                   CVE-2014-2402 CVE-2014-2401 CVE-2014-2400 CVE-2014-2399 CVE-2014-2398
                   CVE-2014-2397 CVE-2014-1876 CVE-2014-0983 CVE-2014-0982 CVE-2014-0981
                   CVE-2014-0465 CVE-2014-0464 CVE-2014-0463 CVE-2014-0461 CVE-2014-0460
                   CVE-2014-0459 CVE-2014-0458 CVE-2014-0457 CVE-2014-0456 CVE-2014-0455
                   CVE-2014-0454 CVE-2014-0453 CVE-2014-0452 CVE-2014-0451 CVE-2014-0450
                   CVE-2014-0449 CVE-2014-0448 CVE-2014-0447 CVE-2014-0446 CVE-2014-0442
                   CVE-2014-0432 CVE-2014-0429 CVE-2014-0426 CVE-2014-0421 CVE-2014-0414
                   CVE-2014-0413 CVE-2014-0384 CVE-2013-6954 CVE-2013-6629 CVE-2013-6462
                   CVE-2013-1620
Member content until: Friday, May 16 2014
Reference:         ASB-2014.0005
                   ASB-2013.0136
                   ASB-2013.0128

OVERVIEW

Oracle has released updates which correct vulnerabilities in numerous
products. [1]

Oracle states, "This Critical Patch Update contains 104 new security fixes
across the product families listed below." [1]

Affected Products and Versions

  Oracle Database 11g Release 1, version 11.1.0.7
  Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
  Oracle Database 12c Release 1, version 12.1.0.1
  Oracle Fusion Middleware 11g Release 1, versions 11.1.1.7, 11.1.1.8
  Oracle Fusion Middleware 12c Release 1, versions 12.1.1.0, 12.1.2.0
  Oracle Fusion Applications, versions 11.1.2 through 11.1.8
  Oracle Access Manager, versions 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, 11.1.2.2.0
  Oracle Containers for J2EE, version 10.1.3.5
  Oracle Data Integrator, version 11.1.1.3.0
  Oracle Endeca Server, version 2.2.2
  Oracle Event Processing, version 11.1.1.7.0
  Oracle Identity Analytics, version 11.1.1.5, Sun Role Manager, version 5.0
  Oracle OpenSSO, version 8.0 Update 2 Patch 5
  Oracle OpenSSO Policy Agent, version 3.0-03
  Oracle WebCenter Portal, versions 11.1.1.7, 11.1.1.8
  Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
  Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
  Oracle E-Business Suite Release 11i, 12i
  Oracle Agile PLM Framework, versions 9.3.1.1, 9.3.3.0
  Oracle Agile Product Lifecycle Management for Process, versions 6.0.0.7, 6.1.1.3
  Oracle Transportation Management, versions 6.3, 6.3.4
  Oracle PeopleSoft Enterprise CS Campus Self Service, version 9.0
  Oracle PeopleSoft Enterprise HRMS Talent Acquisition Manager, versions 8.52, 8.53
  Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53
  Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
  Oracle iLearning, versions 6.0, 6.1
  Oracle JavaFX, version 2.2.51
  Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8
  Oracle Java SE Embedded, version 7u51
  Oracle JRockit, versions R27.8.1, R28.3.1
  Oracle Solaris, versions 9, 10, 11.1
  Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
  Oracle VM VirtualBox, versions prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24, 4.3.10
  Oracle MySQL Server, versions 5.5, 5.6

IMPACT

Limited impact details have been published by Oracle in their Text Form
Risk Matrices. [2]

MITIGATION

Oracle states, "Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as possible." [1]

Links to the appropriate patches are available at the Oracle site. [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - April 2014
    http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

[2] Text Form of Oracle Critical Patch Update - April 2014 Risk Matrices
    http://www.oracle.com/technetwork/topics/security/cpuapr2014verbose-1972954.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================