===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0053
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               16 April 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database Server
                      Oracle Fusion Middleware
                      Oracle Hyperion
                      Oracle Supply Chain Products Suite
                      Oracle PeopleSoft Products
                      Oracle Siebel CRM
                      Oracle iLearning
                      Oracle Java SE
                      Oracle and Sun Systems Products Suite
                      Oracle Virtualization
                      Oracle MySQL
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Read-only Data Access           -- Existing Account      
                      Access Confidential Data        -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2471 CVE-2014-2470 CVE-2014-2468
                      CVE-2014-2467 CVE-2014-2466 CVE-2014-2465
                      CVE-2014-2464 CVE-2014-2463 CVE-2014-2461
                      CVE-2014-2460 CVE-2014-2459 CVE-2014-2458
                      CVE-2014-2457 CVE-2014-2455 CVE-2014-2454
                      CVE-2014-2453 CVE-2014-2452 CVE-2014-2451
                      CVE-2014-2450 CVE-2014-2449 CVE-2014-2448
                      CVE-2014-2447 CVE-2014-2446 CVE-2014-2445
                      CVE-2014-2444 CVE-2014-2443 CVE-2014-2442
                      CVE-2014-2441 CVE-2014-2440 CVE-2014-2439
                      CVE-2014-2438 CVE-2014-2437 CVE-2014-2436
                      CVE-2014-2435 CVE-2014-2434 CVE-2014-2433
                      CVE-2014-2432 CVE-2014-2431 CVE-2014-2430
                      CVE-2014-2429 CVE-2014-2428 CVE-2014-2427
                      CVE-2014-2426 CVE-2014-2425 CVE-2014-2424
                      CVE-2014-2423 CVE-2014-2422 CVE-2014-2421
                      CVE-2014-2420 CVE-2014-2419 CVE-2014-2418
                      CVE-2014-2417 CVE-2014-2416 CVE-2014-2415
                      CVE-2014-2414 CVE-2014-2413 CVE-2014-2412
                      CVE-2014-2411 CVE-2014-2410 CVE-2014-2409
                      CVE-2014-2408 CVE-2014-2407 CVE-2014-2406
                      CVE-2014-2404 CVE-2014-2403 CVE-2014-2402
                      CVE-2014-2401 CVE-2014-2400 CVE-2014-2399
                      CVE-2014-2398 CVE-2014-2397 CVE-2014-1876
                      CVE-2014-0983 CVE-2014-0982 CVE-2014-0981
                      CVE-2014-0465 CVE-2014-0464 CVE-2014-0463
                      CVE-2014-0461 CVE-2014-0460 CVE-2014-0459
                      CVE-2014-0458 CVE-2014-0457 CVE-2014-0456
                      CVE-2014-0455 CVE-2014-0454 CVE-2014-0453
                      CVE-2014-0452 CVE-2014-0451 CVE-2014-0450
                      CVE-2014-0449 CVE-2014-0448 CVE-2014-0447
                      CVE-2014-0446 CVE-2014-0442 CVE-2014-0432
                      CVE-2014-0429 CVE-2014-0426 CVE-2014-0421
                      CVE-2014-0414 CVE-2014-0413 CVE-2014-0384
                      CVE-2013-6954 CVE-2013-6629 CVE-2013-6462
                      CVE-2013-1620  
Member content until: Friday, May 16 2014
Reference:            ASB-2014.0005
                      ASB-2013.0136
                      ASB-2013.0128

OVERVIEW

        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]
        
        Oracle states, "This Critical Patch Update contains 104 new security 
        fixes across the product families listed below." [1]
        
        Affected Products and Versions
        Oracle Database 11g Release 1, version 11.1.0.7	
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, version 12.1.0.1	
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.7, 11.1.1.8
        Oracle Fusion Middleware 12c Release 1, versions 12.1.1.0, 12.1.2.0
        Oracle Fusion Applications, versions 11.1.2 through 11.1.8
        Oracle Access Manager, versions 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 
          11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, 11.1.2.2.0
        Oracle Containers for J2EE, version 10.1.3.5
        Oracle Data Integrator, version 11.1.1.3.0
        Oracle Endeca Server, version 2.2.2
        Oracle Event Processing, version 11.1.1.7.0
        Oracle Identity Analytics, version 11.1.1.5, Sun Role Manager, version 
          5.0
        Oracle OpenSSO, version 8.0 Update 2 Patch 5
        Oracle OpenSSO Policy Agent, version 3.0-03
        Oracle WebCenter Portal, versions 11.1.1.7, 11.1.1.8
        Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
        Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
        Oracle E-Business Suite Release 11i, 12i
        Oracle Agile PLM Framework, versions 9.3.1.1, 9.3.3.0
        Oracle Agile Product Lifecycle Management for Process, versions 6.0.0.7, 
          6.1.1.3
        Oracle Transportation Management, versions 6.3, 6.3.4
        Oracle PeopleSoft Enterprise CS Campus Self Service, version 9.0
        Oracle PeopleSoft Enterprise HRMS Talent Acquisition Manager, versions 
          8.52, 8.53
        Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53
        Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
        Oracle iLearning, versions 6.0, 6.1
        Oracle JavaFX, version 2.2.51
        Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8
        Oracle Java SE Embedded, version 7u51
        Oracle JRockit, versions R27.8.1, R28.3.1
        Oracle Solaris, versions 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
        Oracle VM VirtualBox, versions prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24, 
          4.3.10
        Oracle MySQL Server, versions 5.5, 5.6


IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


MITIGATION

        Oracle states, "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]
                
        Links to the appropriate patches are available at the Oracle site. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2014
            http://www.oracle.com/technetwork/topics/security/cpuapr2014-1972952.html

        [2] Text Form of Oracle Critical Patch Update - April 2014 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuapr2014verbose-1972954.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================