                         AUSCERT Security Bulletin

        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               16 April 2014


        AusCERT Security Bulletin Summary

Product:              Oracle Database Server
                      Oracle Fusion Middleware
                      Oracle Hyperion
                      Oracle Supply Chain Products Suite
                      Oracle PeopleSoft Products
                      Oracle Siebel CRM
                      Oracle iLearning
                      Oracle Java SE
                      Oracle and Sun Systems Products Suite
                      Oracle Virtualization
                      Oracle MySQL
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Read-only Data Access           -- Existing Account      
                      Access Confidential Data        -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-2471 CVE-2014-2470 CVE-2014-2468
                      CVE-2014-2467 CVE-2014-2466 CVE-2014-2465
                      CVE-2014-2464 CVE-2014-2463 CVE-2014-2461
                      CVE-2014-2460 CVE-2014-2459 CVE-2014-2458
                      CVE-2014-2457 CVE-2014-2455 CVE-2014-2454
                      CVE-2014-2453 CVE-2014-2452 CVE-2014-2451
                      CVE-2014-2450 CVE-2014-2449 CVE-2014-2448
                      CVE-2014-2447 CVE-2014-2446 CVE-2014-2445
                      CVE-2014-2444 CVE-2014-2443 CVE-2014-2442
                      CVE-2014-2441 CVE-2014-2440 CVE-2014-2439
                      CVE-2014-2438 CVE-2014-2437 CVE-2014-2436
                      CVE-2014-2435 CVE-2014-2434 CVE-2014-2433
                      CVE-2014-2432 CVE-2014-2431 CVE-2014-2430
                      CVE-2014-2429 CVE-2014-2428 CVE-2014-2427
                      CVE-2014-2426 CVE-2014-2425 CVE-2014-2424
                      CVE-2014-2423 CVE-2014-2422 CVE-2014-2421
                      CVE-2014-2420 CVE-2014-2419 CVE-2014-2418
                      CVE-2014-2417 CVE-2014-2416 CVE-2014-2415
                      CVE-2014-2414 CVE-2014-2413 CVE-2014-2412
                      CVE-2014-2411 CVE-2014-2410 CVE-2014-2409
                      CVE-2014-2408 CVE-2014-2407 CVE-2014-2406
                      CVE-2014-2404 CVE-2014-2403 CVE-2014-2402
                      CVE-2014-2401 CVE-2014-2400 CVE-2014-2399
                      CVE-2014-2398 CVE-2014-2397 CVE-2014-1876
                      CVE-2014-0983 CVE-2014-0982 CVE-2014-0981
                      CVE-2014-0465 CVE-2014-0464 CVE-2014-0463
                      CVE-2014-0461 CVE-2014-0460 CVE-2014-0459
                      CVE-2014-0458 CVE-2014-0457 CVE-2014-0456
                      CVE-2014-0455 CVE-2014-0454 CVE-2014-0453
                      CVE-2014-0452 CVE-2014-0451 CVE-2014-0450
                      CVE-2014-0449 CVE-2014-0448 CVE-2014-0447
                      CVE-2014-0446 CVE-2014-0442 CVE-2014-0432
                      CVE-2014-0429 CVE-2014-0426 CVE-2014-0421
                      CVE-2014-0414 CVE-2014-0413 CVE-2014-0384
                      CVE-2013-6954 CVE-2013-6629 CVE-2013-6462
Member content until: Friday, May 16 2014
Reference:            ASB-2014.0005


        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]

        Oracle states, "This Critical Patch Update contains 104 new security 
        fixes across the product families listed below." [1]

        Affected Products and Versions
        Oracle Database 11g Release 1, version	
        Oracle Database 11g Release 2, versions,
        Oracle Database 12c Release 1, version	
        Oracle Fusion Middleware 11g Release 1, versions,
        Oracle Fusion Middleware 12c Release 1, versions,
        Oracle Fusion Applications, versions 11.1.2 through 11.1.8
        Oracle Access Manager, versions,,, 
        Oracle Containers for J2EE, version
        Oracle Data Integrator, version
        Oracle Endeca Server, version 2.2.2
        Oracle Event Processing, version
        Oracle Identity Analytics, version, Sun Role Manager, version 
        Oracle OpenSSO, version 8.0 Update 2 Patch 5
        Oracle OpenSSO Policy Agent, version 3.0-03
        Oracle WebCenter Portal, versions,
        Oracle WebLogic Server, versions,,,
        Oracle Hyperion Common Admin, versions,
        Oracle E-Business Suite Release 11i, 12i
        Oracle Agile PLM Framework, versions,
        Oracle Agile Product Lifecycle Management for Process, versions, 
        Oracle Transportation Management, versions 6.3, 6.3.4
        Oracle PeopleSoft Enterprise CS Campus Self Service, version 9.0
        Oracle PeopleSoft Enterprise HRMS Talent Acquisition Manager, versions 
          8.52, 8.53
        Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53
        Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
        Oracle iLearning, versions 6.0, 6.1
        Oracle JavaFX, version 2.2.51
        Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8
        Oracle Java SE Embedded, version 7u51
        Oracle JRockit, versions R27.8.1, R28.3.1
        Oracle Solaris, versions 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
        Oracle VM VirtualBox, versions prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24, 
        Oracle MySQL Server, versions 5.5, 5.6


        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


        Oracle states, "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]
        Links to the appropriate patches are available at the Oracle site. [1]


        [1] Oracle Critical Patch Update Advisory - April 2014

        [2] Text Form of Oracle Critical Patch Update - April 2014 Risk

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.