Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2014.0053
Oracle have released updates which correct vulnerabilities
in numerous products
16 April 2014
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Database Server
Oracle Fusion Middleware
Oracle Hyperion
Oracle Supply Chain Products Suite
Oracle PeopleSoft Products
Oracle Siebel CRM
Oracle iLearning
Oracle Java SE
Oracle and Sun Systems Products Suite
Oracle Virtualization
Oracle MySQL
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Read-only Data Access -- Existing Account
Access Confidential Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Delete Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2014-2471 CVE-2014-2470 CVE-2014-2468
CVE-2014-2467 CVE-2014-2466 CVE-2014-2465
CVE-2014-2464 CVE-2014-2463 CVE-2014-2461
CVE-2014-2460 CVE-2014-2459 CVE-2014-2458
CVE-2014-2457 CVE-2014-2455 CVE-2014-2454
CVE-2014-2453 CVE-2014-2452 CVE-2014-2451
CVE-2014-2450 CVE-2014-2449 CVE-2014-2448
CVE-2014-2447 CVE-2014-2446 CVE-2014-2445
CVE-2014-2444 CVE-2014-2443 CVE-2014-2442
CVE-2014-2441 CVE-2014-2440 CVE-2014-2439
CVE-2014-2438 CVE-2014-2437 CVE-2014-2436
CVE-2014-2435 CVE-2014-2434 CVE-2014-2433
CVE-2014-2432 CVE-2014-2431 CVE-2014-2430
CVE-2014-2429 CVE-2014-2428 CVE-2014-2427
CVE-2014-2426 CVE-2014-2425 CVE-2014-2424
CVE-2014-2423 CVE-2014-2422 CVE-2014-2421
CVE-2014-2420 CVE-2014-2419 CVE-2014-2418
CVE-2014-2417 CVE-2014-2416 CVE-2014-2415
CVE-2014-2414 CVE-2014-2413 CVE-2014-2412
CVE-2014-2411 CVE-2014-2410 CVE-2014-2409
CVE-2014-2408 CVE-2014-2407 CVE-2014-2406
CVE-2014-2404 CVE-2014-2403 CVE-2014-2402
CVE-2014-2401 CVE-2014-2400 CVE-2014-2399
CVE-2014-2398 CVE-2014-2397 CVE-2014-1876
CVE-2014-0983 CVE-2014-0982 CVE-2014-0981
CVE-2014-0465 CVE-2014-0464 CVE-2014-0463
CVE-2014-0461 CVE-2014-0460 CVE-2014-0459
CVE-2014-0458 CVE-2014-0457 CVE-2014-0456
CVE-2014-0455 CVE-2014-0454 CVE-2014-0453
CVE-2014-0452 CVE-2014-0451 CVE-2014-0450
CVE-2014-0449 CVE-2014-0448 CVE-2014-0447
CVE-2014-0446 CVE-2014-0442 CVE-2014-0432
CVE-2014-0429 CVE-2014-0426 CVE-2014-0421
CVE-2014-0414 CVE-2014-0413 CVE-2014-0384
CVE-2013-6954 CVE-2013-6629 CVE-2013-6462
CVE-2013-1620
Member content until: Friday, May 16 2014
Reference: ASB-2014.0005
ASB-2013.0136
ASB-2013.0128
OVERVIEW
Oracle has released updates which correct vulnerabilities in
numerous products. [1]
Oracle states, "This Critical Patch Update contains 104 new security
fixes across the product families listed below." [1]
Affected Products and Versions
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
Oracle Database 12c Release 1, version 12.1.0.1
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.7, 11.1.1.8
Oracle Fusion Middleware 12c Release 1, versions 12.1.1.0, 12.1.2.0
Oracle Fusion Applications, versions 11.1.2 through 11.1.8
Oracle Access Manager, versions 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0,
11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, 11.1.2.2.0
Oracle Containers for J2EE, version 10.1.3.5
Oracle Data Integrator, version 11.1.1.3.0
Oracle Endeca Server, version 2.2.2
Oracle Event Processing, version 11.1.1.7.0
Oracle Identity Analytics, version 11.1.1.5, Sun Role Manager, version
5.0
Oracle OpenSSO, version 8.0 Update 2 Patch 5
Oracle OpenSSO Policy Agent, version 3.0-03
Oracle WebCenter Portal, versions 11.1.1.7, 11.1.1.8
Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
Oracle E-Business Suite Release 11i, 12i
Oracle Agile PLM Framework, versions 9.3.1.1, 9.3.3.0
Oracle Agile Product Lifecycle Management for Process, versions 6.0.0.7,
6.1.1.3
Oracle Transportation Management, versions 6.3, 6.3.4
Oracle PeopleSoft Enterprise CS Campus Self Service, version 9.0
Oracle PeopleSoft Enterprise HRMS Talent Acquisition Manager, versions
8.52, 8.53
Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53
Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
Oracle iLearning, versions 6.0, 6.1
Oracle JavaFX, version 2.2.51
Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8
Oracle Java SE Embedded, version 7u51
Oracle JRockit, versions R27.8.1, R28.3.1
Oracle Solaris, versions 9, 10, 11.1
Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
Oracle VM VirtualBox, versions prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24,
4.3.10
Oracle MySQL Server, versions 5.5, 5.6
IMPACT
Limited impact details have been published by Oracle in their Text
Form Risk Matrices. [2]
MITIGATION
Oracle states, "Due to the threat posed by a successful attack,
Oracle strongly recommends that customers apply CPU fixes as soon as
possible." [1]
Links to the appropriate patches are available at the Oracle site. [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - April 2014
http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html
[2] Text Form of Oracle Critical Patch Update - April 2014 Risk
Matrices
http://www.oracle.com/technetwork/topics/security/cpuapr2014verbose-1972954.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBU03ZLhLndAQH1ShLAQIZLxAAnjbCtk0MOFFovq+bWBBiyDhhD1QV9au2
85gLCRRRlaIMlwhg0+50BTSZPHY+4wIIlV4rnGbp2B+H0LGaVsR6IxcLI9F8hbgg
6jLUta8yf4lm/3VcbQ2oRtZDzNxhlSG70PMAwosiO+7w2yPBgMST9g0KA/DUKpUX
BI5v7VJAn6DprDBVmo5zScXnuUlr+I4GJNYCIpgn+q6C7I4l7myDtGO8UVSEm3lB
qC82ooKrPkFcngjYz0OGbUTR9c2Zr+2hH656DMqvwXlT952FbMczBgPN17V8SwoE
e6UbMsywt+bNS8O7uj+H+EjgP6MltINnlr7Czph4AIAHm6ucSzyUSbhCqJBDb0wh
ykm1wuzsJZH6ZY/LkU8U5YR+M37tibbWaAaY5LAWztZEyS4/2fIBJnFyze4nvIlk
P4fPOXDCNDizME+wOLSci08wEyhw2BnHi16DNWj4J/yhHjAw1vPFZznNCsPtHqQo
2hyKT+mWNDt2U8H4698jdM64qCtI8S9ATBdSVBDgqsjiH5pPKMD6eAV0cH6R/n5T
jfn4xqptVJf3g8tvLcLNhRzf3+gR2Zhuyz6ii+q8Cnitnk3SPn+rVpI4Dj6Iv5Yw
yFnra3Eud0MbnH+BPW2y7fMzqppmXjOTAoG082GgwmIsvGfgMU/eQrYNXK/RQFYN
EPT+lGHetJ8=
=pFaU
-----END PGP SIGNATURE-----