Hash: SHA1

                         AUSCERT Security Bulletin

              Oracle have released updates which correct bash
                   vulnerabilities in numerous products
                              3 October 2014


        AusCERT Security Bulletin Summary

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-7187 CVE-2014-7186 CVE-2014-7169
                      CVE-2014-6278 CVE-2014-6277 CVE-2014-6271
Member content until: Sunday, November  2 2014
Reference:            ASB-2014.0111


        Oracle has released updates addressing GNU Bash vulnerabilities in 
        numerous products. [1]
        Product								Patch 
        ======= 							=====
        Big Data Appliance [Product ID 9734]                     	MOS note 1930758.1 
        Oracle Audit Vault and Database Firewall [Product ID 9749] 	MOS note 1931021.1 
        Oracle Database Appliance 12.1.2, 2.X [Product ID 9435]  	MOS note 8888888.1 
        Oracle Database Firewall 5.1 [Product ID 8958]          	MOS note 1931004.1 
        Oracle Exadata Storage Server Software [Product ID 2546] 	MOS note 1405320.1 
        Oracle Exalogic [Product ID 9415] 				MOS note 1929881.1 
        Oracle Exalytics [Product ID 9736] 				MOS note 1930588.1 
        Oracle Key Vault [Product ID 10221] 				MOS note 1931880.1 
        Oracle Linux 4, 5, 6, 7 [Product ID 1309] 			MOS note 1930120.1 
        Oracle Solaris Operating System 8, 9, 10,11 [Product ID 10006] 	MOS note 1930090.1 
        Oracle SuperCluster [Product ID 10011] 				MOS note 1930608.1 
        Oracle Virtual Compute Appliance Software [Product ID 10635] 	MOS note 1930502.1 
        Oracle VM 2.2, 3.0, 3.1, 3.2, 3.3 [Product ID 4455] 		MOS note 1929782.1
        Oracle also states "Global Product Security has determined that the
        following 49 products are using Bash in at least one version of the
        product and thus are likely subject to CVE-2014-7169 and that do not
        have fixes available". [1]
        Brocade (McData) Fiber Channel Switches and Management Software [Product ID 9864]
        Cisco MDS Fiber Channel Switches and Management Software [Product ID 9865]
        Linear Tape File System Library Edition (LTFSLE) [Product ID 10259]
        Live Help on Demand [Product ID 9360]
        Oracle CloudNet Gateway [Product ID 11158]
        Oracle Communications Application Orchestrator - Server Perpetual (version 74M1) 
          [Product ID 11189]
        Oracle Communications Application Session Controller [Product ID 10769]
        Oracle Communications Diameter Intelligence Hub [Product ID 11126]
        Oracle Communications Diameter Signaling Router - Full Address Resolution 
          [Product ID 11127]
        Oracle Communications Diameter Signaling Router [Product ID 10899]
        Oracle Communications EAGLE Application Processor [Product ID 11122]
        Oracle Communications EAGLE Collector Application Processor [Product ID 11120]
        Oracle Communications EAGLE LNP Application Processor [Product ID 11118]
        Oracle Communications Enterprise Trunk Manager [Product ID 10760]
        Oracle Communications Interactive Session Recorder [Product ID 10765]
        Oracle Communications Local Service Management System [Product ID 11114]
        Oracle Communications Performance Intelligence center [Product ID 11044]
        Oracle Communications Policy Controller [Product ID 10595]
        Oracle Communications Policy Management [Product ID 10900]
        Oracle Communications Service Broker Engineered System Edition 6.0 
          [Product ID 9065]
        Oracle Communications Session Element Manager [Product ID 11052]
        Oracle Communications Session Monitor [Product ID 10761]
        Oracle Communications Session Report Manager [Product ID 10770]
        Oracle Communications Session Route Manager [Product ID 10771]
        Oracle Communications Subscriber Data Management [Product ID 10901]
        Oracle Communications User Data Repository [Product ID 11108]
        Oracle Communications WebRTC Session Controller [Product ID 10811]
        Oracle Fabric Interconnect [Product ID 10529]
        Oracle Fusion Applications Lifecycle Management Tools - Provisioning 
          [Product ID 5643]
        Oracle Integrated Lights Out Manager [Product ID 9849]
        Oracle StorageTek Linear Tape File System (LTFS) [Product ID 10564]
        Oracle Sun Data Center InfiniBand Switch 36 (NM2-36P) [Product ID 9886]
        Oracle Sun Network QDR InfiniBand Gateway Switch (NM2-GW) [Product ID 9885]
        Oracle Switch ES1-24 [Product ID 9889]
        PeopleSoft PeopleTools [Product ID 5085]
        Pillar Axiom 600 Storage System 4, 5 [Product ID 9504]
        Recommendations On-Demand [Product ID 9366]
        SPARC - OPL Service Processor (XCP) (SP software for SPARC M10-1/M10-4/M10-4S 
          servers) [Product ID 10656]
        SPARC - OPL Service Processor (XCP) (SP software for SPARC M3000/M4000/
          M5000/M8000/M9000 servers) [Product ID 9845]
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE [Product ID 9889]
        Sun Network 10GE Switch 72p [Product ID 9889]
        Sun ZFS Storage Appliance Kit (AK) [Product ID 10026]
        Tape General LTFS LE - Linear Tape File System Library Edition [Product ID 10084]
        Tape Virtual VLE - Virtual Library Extension [Product ID 10116]
        Tape Virtual VSM - Virtual Tape SubSystem [Product ID 10117]
        Tekelec HLR Router [Product ID 11047]
        Tekelec Platform Distribution [Product ID 11107]
        Tekelec Platform Management & Configuration [Product ID 11106]
        Tekelec Virtual Operating Environment [Product ID 11105]


        Limited impact details have been published by Oracle in their Oracle
        Sun Systems Products Suite and Oracle Linux Risk Matrices. [2]


        Oracle states "Due to the severity, public disclosure, and reports 
        of active exploitation of CVE-2014-7169 and the related 
        vulnerabilities, Oracle strongly recommends that customers apply the
        fixes provided by this Security Alert as soon as they are released 
        by Oracle." [2]


        [1] Bash Vulnerabilities - CVE-2014-7169

        [2] Oracle Security Alert for CVE-2014-7169

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967