-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0077
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               16 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database
                      Oracle Fusion Middleware
                      Oracle Fusion Applications
                      Oracle Glassfish Server
                      Oracle Traffic Director
                      Oracle iPlanet Web Proxy Server
                      Oracle iPlanet Web Server
                      Oracle WebCenter Portal
                      Oracle WebLogic Server
                      Oracle JDeveloper
                      Oracle BI Publisher
                      Oracle Glassfish Communications Server
                      Oracle HTTP Server
                      Oracle Hyperion Essbase
                      Oracle Hyperion BI+
                      Oracle Hyperion Enterprise Performance Management Architect
                      Oracle Hyperion Common Admin
                      Oracle Hyperion Analytic Provider Services
                      Oracle E-Business Suite
                      Oracle Transportation Management
                      Oracle Agile Product Collaboration
                      Oracle PeopleSoft Enterprise ELS Enterprise Learning Management
                      Oracle PeopleSoft Enterprise PT PeopleTools
                      Oracle PeopleSoft Enterprise FIN Install
                      Oracle PeopleSoft Enterprise SCM Purchasing
                      Oracle Siebel Travel & Transportation
                      Oracle Siebel UI Framework
                      Oracle Siebel Core
                      Oracle Communications Messaging Server
                      Oracle Retail Back Office
                      Oracle Retail Central Office
                      Oracle Retail Returns Management
                      Oracle Java SE
                      Oracle JRockit
                      Oracle Solaris
                      Oracle Secure Global Desktop
                      Oracle VM VirtualBox
                      Oracle Virtual Desktop Infrastructure
                      Sun Ray Software
                      Oracle MySQL Server
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-4271 CVE-2014-4270 CVE-2014-4269
                      CVE-2014-4268 CVE-2014-4267 CVE-2014-4266
                      CVE-2014-4265 CVE-2014-4264 CVE-2014-4263
                      CVE-2014-4262 CVE-2014-4261 CVE-2014-4260
                      CVE-2014-4258 CVE-2014-4257 CVE-2014-4256
                      CVE-2014-4255 CVE-2014-4254 CVE-2014-4253
                      CVE-2014-4252 CVE-2014-4251 CVE-2014-4250
                      CVE-2014-4249 CVE-2014-4248 CVE-2014-4247
                      CVE-2014-4246 CVE-2014-4245 CVE-2014-4244
                      CVE-2014-4243 CVE-2014-4242 CVE-2014-4241
                      CVE-2014-4240 CVE-2014-4239 CVE-2014-4238
                      CVE-2014-4237 CVE-2014-4236 CVE-2014-4235
                      CVE-2014-4234 CVE-2014-4233 CVE-2014-4232
                      CVE-2014-4231 CVE-2014-4230 CVE-2014-4229
                      CVE-2014-4228 CVE-2014-4227 CVE-2014-4226
                      CVE-2014-4225 CVE-2014-4224 CVE-2014-4223
                      CVE-2014-4222 CVE-2014-4221 CVE-2014-4220
                      CVE-2014-4219 CVE-2014-4218 CVE-2014-4217
                      CVE-2014-4216 CVE-2014-4215 CVE-2014-4214
                      CVE-2014-4213 CVE-2014-4212 CVE-2014-4211
                      CVE-2014-4210 CVE-2014-4209 CVE-2014-4208
                      CVE-2014-4207 CVE-2014-4206 CVE-2014-4205
                      CVE-2014-4204 CVE-2014-4203 CVE-2014-4202
                      CVE-2014-4201 CVE-2014-3470 CVE-2014-2496
                      CVE-2014-2495 CVE-2014-2494 CVE-2014-2493
                      CVE-2014-2492 CVE-2014-2491 CVE-2014-2490
                      CVE-2014-2489 CVE-2014-2488 CVE-2014-2487
                      CVE-2014-2486 CVE-2014-2485 CVE-2014-2484
                      CVE-2014-2483 CVE-2014-2482 CVE-2014-2481
                      CVE-2014-2480 CVE-2014-2479 CVE-2014-2477
                      CVE-2014-2456 CVE-2014-1492 CVE-2014-1491
                      CVE-2014-1490 CVE-2014-0436 CVE-2014-0224
                      CVE-2014-0221 CVE-2014-0211 CVE-2014-0210
                      CVE-2014-0209 CVE-2014-0198 CVE-2014-0195
                      CVE-2014-0119 CVE-2014-0114 CVE-2014-0099
                      CVE-2014-0098 CVE-2014-0096 CVE-2014-0075
                      CVE-2014-0050 CVE-2014-0033 CVE-2013-6450
                      CVE-2013-6449 CVE-2013-6438 CVE-2013-5855
                      CVE-2013-5606 CVE-2013-5605 CVE-2013-4322
                      CVE-2013-4286 CVE-2013-3774 CVE-2013-3751
                      CVE-2013-2461 CVE-2013-2172 CVE-2013-1741
                      CVE-2013-1740 CVE-2013-1739 CVE-2013-1620
                      CVE-2012-3544 CVE-2010-5298 
Member content until: Friday, August 15 2014
Reference:            ESB-2014.0887
                      ESB-2014.0726
                      ESB-2014.0584
                      ESB-2014.0563
                      ESB-2014.0540
                      ESB-2014.0489
                      ESB-2014.0362
                      ESB-2014.0171
                      ESB-2014.0082
                      ESB-2014.0025
                      ESB-2013.1790
                      ESB-2013.1741
                      ESB-2013.1694
                      ESB-2013.1566
                      ESB-2013.1218
                      ESB-2013.0924
                      ESB-2013.0923
                      ESB-2013.0874
                      ESB-2013.0873
                      ESB-2013.0854
                      ESB-2013.0667
                      ESB-2013.0397

OVERVIEW

        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]
        
        Oracle states: "This Critical Patch Update contains 113 new security
        fixes across the product families listed below." [1]
        
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, version 12.1.0.1
        Oracle Fusion Middleware 11g Release 1, version 11.1.1.7
        Oracle Fusion Middleware 12c Release 1, version 12.1.2.0
        Oracle Fusion Applications, versions 11.1.2 through 11.1.8
        Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2
        Oracle Traffic Director, version 11.1.1.7.0
        Oracle iPlanet Web Proxy Server, version 4.0.24
        Oracle iPlanet Web Server, versions 6.1, 7.0
        Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0
        Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 
          12.1.2.0
        Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0
        Oracle BI Publisher, version 11.1.1.7
        Oracle Glassfish Communications Server, version 2.0
        Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0
        Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion Enterprise Performance Management Architect, versions 
          11.1.2.2, 11.1.2.3
        Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.3, 12.2.2, 
          12.2.3
        Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1, 
          6.3.2, 6.3.3, 6.3.4
        Oracle Agile Product Collaboration, version 9.3.3
        Oracle PeopleSoft Enterprise ELS Enterprise Learning Management, 
          versions 9.1, 9.2
        Oracle PeopleSoft Enterprise PT PeopleTools, versions 8.52, 8.53
        Oracle PeopleSoft Enterprise FIN Install, versions 9.1, 9.2
        Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2
        Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2
        Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
        Oracle Siebel Core - Server OM Frwks, versions 8.1.1, 8.2.2
        Oracle Siebel Core - EAI, versions 8.1.1, 8.2.2
        Oracle Communications Messaging Server, version 7.0.5.30.0
        Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 
          13.2, 13.3, 13.4, 14.0
        Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 
          13.1, 13.2, 13.3, 13.4, 14.0
        Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3, 
          13.4, 14.0
        Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5
        Oracle JRockit, versions R27.8.2, R28.3.2
        Oracle Solaris, versions 8, 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
        Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 
          4.3.14
        Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1
        Sun Ray Software, versions prior to 5.4.3
        Oracle MySQL Server, versions 5.5, 5.6


IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


MITIGATION

        Oracle states: "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2014
            http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

        [2] Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----