===========================================================================
             AUSCERT Security Bulletin

                         ASB-2014.0077
   Oracle have released updates which correct vulnerabilities in numerous
                               products
                             16 July 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Database
                   Oracle Fusion Middleware
                   Oracle Fusion Applications
                   Oracle Glassfish Server
                   Oracle Traffic Director
                   Oracle iPlanet Web Proxy Server
                   Oracle iPlanet Web Server
                   Oracle WebCenter Portal
                   Oracle WebLogic Server
                   Oracle JDeveloper
                   Oracle BI Publisher
                   Oracle Glassfish Communications Server
                   Oracle HTTP Server
                   Oracle Hyperion Essbase
                   Oracle Hyperion BI+
                   Oracle Hyperion Enterprise Performance Management Architect
                   Oracle Hyperion Common Admin
                   Oracle Hyperion Analytic Provider Services
                   Oracle E-Business Suite
                   Oracle Transportation Management
                   Oracle Agile Product Collaboration
                   Oracle PeopleSoft Enterprise ELS Enterprise Learning Management
                   Oracle PeopleSoft Enterprise PT PeopleTools
                   Oracle PeopleSoft Enterprise FIN Install
                   Oracle PeopleSoft Enterprise SCM Purchasing
                   Oracle Siebel Travel & Transportation
                   Oracle Siebel UI Framework
                   Oracle Siebel Core
                   Oracle Communications Messaging Server
                   Oracle Retail Back Office
                   Oracle Retail Central Office
                   Oracle Retail Returns Management
                   Oracle Java SE
                   Oracle JRockit
                   Oracle Solaris
                   Oracle Secure Global Desktop
                   Oracle VM VirtualBox
                   Oracle Virtual Desktop Infrastructure
                   Sun Ray Software
                   Oracle MySQL Server
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
                   Access Confidential Data        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2014-4271 CVE-2014-4270 CVE-2014-4269 CVE-2014-4268
                   CVE-2014-4267 CVE-2014-4266 CVE-2014-4265 CVE-2014-4264
                   CVE-2014-4263 CVE-2014-4262 CVE-2014-4261 CVE-2014-4260
                   CVE-2014-4258 CVE-2014-4257 CVE-2014-4256 CVE-2014-4255
                   CVE-2014-4254 CVE-2014-4253 CVE-2014-4252 CVE-2014-4251
                   CVE-2014-4250 CVE-2014-4249 CVE-2014-4248 CVE-2014-4247
                   CVE-2014-4246 CVE-2014-4245 CVE-2014-4244 CVE-2014-4243
                   CVE-2014-4242 CVE-2014-4241 CVE-2014-4240 CVE-2014-4239
                   CVE-2014-4238 CVE-2014-4237 CVE-2014-4236 CVE-2014-4235
                   CVE-2014-4234 CVE-2014-4233 CVE-2014-4232 CVE-2014-4231
                   CVE-2014-4230 CVE-2014-4229 CVE-2014-4228 CVE-2014-4227
                   CVE-2014-4226 CVE-2014-4225 CVE-2014-4224 CVE-2014-4223
                   CVE-2014-4222 CVE-2014-4221 CVE-2014-4220 CVE-2014-4219
                   CVE-2014-4218 CVE-2014-4217 CVE-2014-4216 CVE-2014-4215
                   CVE-2014-4214 CVE-2014-4213 CVE-2014-4212 CVE-2014-4211
                   CVE-2014-4210 CVE-2014-4209 CVE-2014-4208 CVE-2014-4207
                   CVE-2014-4206 CVE-2014-4205 CVE-2014-4204 CVE-2014-4203
                   CVE-2014-4202 CVE-2014-4201 CVE-2014-3470 CVE-2014-2496
                   CVE-2014-2495 CVE-2014-2494 CVE-2014-2493 CVE-2014-2492
                   CVE-2014-2491 CVE-2014-2490 CVE-2014-2489 CVE-2014-2488
                   CVE-2014-2487 CVE-2014-2486 CVE-2014-2485 CVE-2014-2484
                   CVE-2014-2483 CVE-2014-2482 CVE-2014-2481 CVE-2014-2480
                   CVE-2014-2479 CVE-2014-2477 CVE-2014-2456 CVE-2014-1492
                   CVE-2014-1491 CVE-2014-1490 CVE-2014-0436 CVE-2014-0224
                   CVE-2014-0221 CVE-2014-0211 CVE-2014-0210 CVE-2014-0209
                   CVE-2014-0198 CVE-2014-0195 CVE-2014-0119 CVE-2014-0114
                   CVE-2014-0099 CVE-2014-0098 CVE-2014-0096 CVE-2014-0075
                   CVE-2014-0050 CVE-2014-0033 CVE-2013-6450 CVE-2013-6449
                   CVE-2013-6438 CVE-2013-5855 CVE-2013-5606 CVE-2013-5605
                   CVE-2013-4322 CVE-2013-4286 CVE-2013-3774 CVE-2013-3751
                   CVE-2013-2461 CVE-2013-2172 CVE-2013-1741 CVE-2013-1740
                   CVE-2013-1739 CVE-2013-1620 CVE-2012-3544 CVE-2010-5298
Member content until: Friday, August 15 2014
Reference:         ESB-2014.0887 ESB-2014.0726 ESB-2014.0584 ESB-2014.0563
                   ESB-2014.0540 ESB-2014.0489 ESB-2014.0362 ESB-2014.0171
                   ESB-2014.0082 ESB-2014.0025 ESB-2013.1790 ESB-2013.1741
                   ESB-2013.1694 ESB-2013.1566 ESB-2013.1218 ESB-2013.0924
                   ESB-2013.0923 ESB-2013.0874 ESB-2013.0873 ESB-2013.0854
                   ESB-2013.0667 ESB-2013.0397

OVERVIEW

        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]

        Oracle states:

        "This Critical Patch Update contains 113 new security fixes across
        the product families listed below." [1]

        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, version 12.1.0.1
        Oracle Fusion Middleware 11g Release 1, version 11.1.1.7
        Oracle Fusion Middleware 12c Release 1, version 12.1.2.0
        Oracle Fusion Applications, versions 11.1.2 through 11.1.8
        Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2
        Oracle Traffic Director, version 11.1.1.7.0
        Oracle iPlanet Web Proxy Server, version 4.0.24
        Oracle iPlanet Web Server, versions 6.1, 7.0
        Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0
        Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
        Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0
        Oracle BI Publisher, version 11.1.1.7
        Oracle Glassfish Communications Server, version 2.0
        Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0
        Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion Enterprise Performance Management Architect,
          versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
        Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3
        Oracle E-Business Suite Release 11i, version 11.5.10.2
        Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.3, 12.2.2,
          12.2.3
        Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1,
          6.3.2, 6.3.3, 6.3.4
        Oracle Agile Product Collaboration, version 9.3.3
        Oracle PeopleSoft Enterprise ELS Enterprise Learning Management,
          versions 9.1, 9.2
        Oracle PeopleSoft Enterprise PT PeopleTools, versions 8.52, 8.53
        Oracle PeopleSoft Enterprise FIN Install, versions 9.1, 9.2
        Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2
        Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2
        Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
        Oracle Siebel Core - Server OM Frwks, versions 8.1.1, 8.2.2
        Oracle Siebel Core - EAI, versions 8.1.1, 8.2.2
        Oracle Communications Messaging Server, version 7.0.5.30.0
        Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1,
          13.2, 13.3, 13.4, 14.0
        Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0,
          13.1, 13.2, 13.3, 13.4, 14.0
        Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3,
          13.4, 14.0
        Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5
        Oracle JRockit, versions R27.8.2, R28.3.2
        Oracle Solaris, versions 8, 9, 10, 11.1
        Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
        Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34,
          4.2.26, 4.3.14
        Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1
        Sun Ray Software, versions prior to 5.4.3
        Oracle MySQL Server, versions 5.5, 5.6

IMPACT

        Limited impact details have been published by Oracle in their
        Text Form Risk Matrices. [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2014
            http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html

        [2] Text Form of Oracle Critical Patch Update - July 2014 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpujul2014verbose-1972958.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================