===========================================================================
AUSCERT Security Bulletin

ASB-2014.0121
Oracle have released updates which correct vulnerabilities in numerous products
15 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Overwrite Arbitrary Files       -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-6564 CVE-2014-6563 CVE-2014-6562 CVE-2014-6561 CVE-2014-6560
                      CVE-2014-6559 CVE-2014-6558 CVE-2014-6557 CVE-2014-6555 CVE-2014-6554
                      CVE-2014-6553 CVE-2014-6552 CVE-2014-6551 CVE-2014-6550 CVE-2014-6547
                      CVE-2014-6546 CVE-2014-6545 CVE-2014-6544 CVE-2014-6543 CVE-2014-6542
                      CVE-2014-6540 CVE-2014-6539 CVE-2014-6538 CVE-2014-6537 CVE-2014-6536
                      CVE-2014-6535 CVE-2014-6534 CVE-2014-6533 CVE-2014-6532 CVE-2014-6531
                      CVE-2014-6530 CVE-2014-6529 CVE-2014-6527 CVE-2014-6523 CVE-2014-6522
                      CVE-2014-6520 CVE-2014-6519 CVE-2014-6517 CVE-2014-6516 CVE-2014-6515
                      CVE-2014-6513 CVE-2014-6512 CVE-2014-6511 CVE-2014-6508 CVE-2014-6507
                      CVE-2014-6506 CVE-2014-6505 CVE-2014-6504 CVE-2014-6503 CVE-2014-6502
                      CVE-2014-6501 CVE-2014-6500 CVE-2014-6499 CVE-2014-6498 CVE-2014-6497
                      CVE-2014-6496 CVE-2014-6495 CVE-2014-6494 CVE-2014-6493 CVE-2014-6492
                      CVE-2014-6491 CVE-2014-6490 CVE-2014-6489 CVE-2014-6488 CVE-2014-6487
                      CVE-2014-6486 CVE-2014-6485 CVE-2014-6484 CVE-2014-6483 CVE-2014-6482
                      CVE-2014-6479 CVE-2014-6478 CVE-2014-6476 CVE-2014-6475 CVE-2014-6474
                      CVE-2014-6473 CVE-2014-6472 CVE-2014-6471 CVE-2014-6470 CVE-2014-6469
                      CVE-2014-6468 CVE-2014-6467 CVE-2014-6466 CVE-2014-6465 CVE-2014-6464
                      CVE-2014-6463 CVE-2014-6462 CVE-2014-6461 CVE-2014-6460 CVE-2014-6459
                      CVE-2014-6458 CVE-2014-6457 CVE-2014-6456 CVE-2014-6455 CVE-2014-6454
                      CVE-2014-6453 CVE-2014-6452 CVE-2014-4310 CVE-2014-4301 CVE-2014-4300
                      CVE-2014-4299 CVE-2014-4298 CVE-2014-4297 CVE-2014-4296 CVE-2014-4295
                      CVE-2014-4294 CVE-2014-4293 CVE-2014-4292 CVE-2014-4291 CVE-2014-4290
                      CVE-2014-4289 CVE-2014-4288 CVE-2014-4287 CVE-2014-4285 CVE-2014-4284
                      CVE-2014-4283 CVE-2014-4282 CVE-2014-4281 CVE-2014-4280 CVE-2014-4278
                      CVE-2014-4277 CVE-2014-4276 CVE-2014-4275 CVE-2014-4274 CVE-2014-3470
                      CVE-2014-2880 CVE-2014-2478 CVE-2014-2476 CVE-2014-2475 CVE-2014-2474
                      CVE-2014-2473 CVE-2014-2472 CVE-2014-1492 CVE-2014-1491 CVE-2014-1490
                      CVE-2014-0224 CVE-2014-0221 CVE-2014-0198 CVE-2014-0195 CVE-2014-0119
                      CVE-2014-0114 CVE-2014-0096 CVE-2014-0095 CVE-2014-0075 CVE-2014-0050
                      CVE-2014-0033 CVE-2013-5606 CVE-2013-5605 CVE-2013-4590 CVE-2013-4322
                      CVE-2013-4286 CVE-2013-1741 CVE-2013-1740 CVE-2013-1739 CVE-2012-5615
                      CVE-2010-5298
Member content until: Friday, November 14 2014
Reference:            ASB-2014.0077
                      ESB-2014.0887
                      ESB-2014.0828
                      ESB-2014.0827
                      ESB-2014.0804
                      ESB-2014.0420
                      ESB-2014.0177
                      ESB-2014.0167
                      ESB-2013.1741
                      ESB-2013.1694
                      ESB-2013.1566

OVERVIEW

        Oracle has released updates addressing vulnerabilities in numerous
        products. [1]

        Oracle states:

        "This Critical Patch Update contains 154 new security fixes across
        the product families listed below." [1]

        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
        Oracle Application Express, versions prior to 4.2.6
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.7
        Oracle Fusion Middleware 11g Release 2, versions 11.1.2.1, 11.1.2.2, 11.1.2.4
        Oracle Fusion Middleware 12c, versions 12.1.1.0, 12.1.2.0, 12.1.3.0
        Oracle Fusion Applications, versions 11.1.2 through 11.1.8
        Oracle Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
        Oracle Adaptive Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
        Oracle Endeca Information Discovery Studio versions 2.2.2, 2.3, 2.4, 3.0, 3.1
        Oracle Enterprise Data Quality versions 8.1.2, 9.0.11
        Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
        Oracle JDeveloper, versions 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
        Oracle OpenSSO version 3.0-04
        Oracle WebLogic Server, versions 10.0.2, 10.3.6, 12.1.1, 12.1.2, 12.1.3
        Application Performance Management, versions prior to 12.1.0.6.2
        Enterprise Manager for Oracle Database Releases 10g, 11g, 12c
        Oracle E-Business Suite Release 11i version 11.5.10.2
        Oracle E-Business Suite Release 12 versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
        Oracle Agile PLM, versions 9.3.1.2, 9.3.3
        Oracle Transportation Management, versions 6.1, 6.2, 6.3.0 through 6.3.5
        Oracle PeopleSoft Enterprise HRMS, version 9.2
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53, 8.54
        Oracle JD Edwards EnterpriseOne Tools, version 8.98
        Oracle Communications MetaSolv Solution, versions MetaSolv Solution: 6.2.1.0.0, LSR: 9.4.0, 10.1.0, ASR: 49.0.0
        Oracle Communications Session Border Controller, version SCX640m5
        Oracle Retail Allocation, versions 10.0, 11.0, 12.0, 13.0, 13.1, 13.2
        Oracle Retail Clearance Optimization Engine, versions 13.3, 13.4, 14.0
        Oracle Retail Invoice Matching, versions 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
        Oracle Retail Markdown Optimization, versions 12.0, 13.0, 13.1, 13.2, 13.4
        Oracle Health Sciences Empirica Inspections, versions 1.0.1.0 and prior
        Oracle Health Sciences Empirica Signal, versions 7.3.3.3 and prior
        Oracle Health Sciences Empirica Study, versions 3.1.2.0 and prior
        Oracle Primavera Contract Management, versions 13.1, 14.0
        Oracle Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.1, 8.2, 8.3
        Oracle JavaFX, version 2.2.65
        Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20
        Oracle Java SE Embedded, version 7u60
        Oracle JRockit, versions R27.8.3, R28.3.3
        Oracle Fujitsu server, versions M10-1, M10-4, M10-4S
        Oracle Solaris, versions 10, 11
        Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
        Oracle VM VirtualBox, versions prior to 4.1.34, 4.2.26, 4.3.14
        Oracle MySQL Server, versions 5.5.39 and earlier, 5.6.20 and earlier

IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2014
            http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

        [2] Text Form of Oracle Critical Patch Update - October 2014 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================