-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2014.0121
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              15 October 2014

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Overwrite Arbitrary Files       -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
                      Access Confidential Data        -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2014-6564 CVE-2014-6563 CVE-2014-6562
                      CVE-2014-6561 CVE-2014-6560 CVE-2014-6559
                      CVE-2014-6558 CVE-2014-6557 CVE-2014-6555
                      CVE-2014-6554 CVE-2014-6553 CVE-2014-6552
                      CVE-2014-6551 CVE-2014-6550 CVE-2014-6547
                      CVE-2014-6546 CVE-2014-6545 CVE-2014-6544
                      CVE-2014-6543 CVE-2014-6542 CVE-2014-6540
                      CVE-2014-6539 CVE-2014-6538 CVE-2014-6537
                      CVE-2014-6536 CVE-2014-6535 CVE-2014-6534
                      CVE-2014-6533 CVE-2014-6532 CVE-2014-6531
                      CVE-2014-6530 CVE-2014-6529 CVE-2014-6527
                      CVE-2014-6523 CVE-2014-6522 CVE-2014-6520
                      CVE-2014-6519 CVE-2014-6517 CVE-2014-6516
                      CVE-2014-6515 CVE-2014-6513 CVE-2014-6512
                      CVE-2014-6511 CVE-2014-6508 CVE-2014-6507
                      CVE-2014-6506 CVE-2014-6505 CVE-2014-6504
                      CVE-2014-6503 CVE-2014-6502 CVE-2014-6501
                      CVE-2014-6500 CVE-2014-6499 CVE-2014-6498
                      CVE-2014-6497 CVE-2014-6496 CVE-2014-6495
                      CVE-2014-6494 CVE-2014-6493 CVE-2014-6492
                      CVE-2014-6491 CVE-2014-6490 CVE-2014-6489
                      CVE-2014-6488 CVE-2014-6487 CVE-2014-6486
                      CVE-2014-6485 CVE-2014-6484 CVE-2014-6483
                      CVE-2014-6482 CVE-2014-6479 CVE-2014-6478
                      CVE-2014-6476 CVE-2014-6475 CVE-2014-6474
                      CVE-2014-6473 CVE-2014-6472 CVE-2014-6471
                      CVE-2014-6470 CVE-2014-6469 CVE-2014-6468
                      CVE-2014-6467 CVE-2014-6466 CVE-2014-6465
                      CVE-2014-6464 CVE-2014-6463 CVE-2014-6462
                      CVE-2014-6461 CVE-2014-6460 CVE-2014-6459
                      CVE-2014-6458 CVE-2014-6457 CVE-2014-6456
                      CVE-2014-6455 CVE-2014-6454 CVE-2014-6453
                      CVE-2014-6452 CVE-2014-4310 CVE-2014-4301
                      CVE-2014-4300 CVE-2014-4299 CVE-2014-4298
                      CVE-2014-4297 CVE-2014-4296 CVE-2014-4295
                      CVE-2014-4294 CVE-2014-4293 CVE-2014-4292
                      CVE-2014-4291 CVE-2014-4290 CVE-2014-4289
                      CVE-2014-4288 CVE-2014-4287 CVE-2014-4285
                      CVE-2014-4284 CVE-2014-4283 CVE-2014-4282
                      CVE-2014-4281 CVE-2014-4280 CVE-2014-4278
                      CVE-2014-4277 CVE-2014-4276 CVE-2014-4275
                      CVE-2014-4274 CVE-2014-3470 CVE-2014-2880
                      CVE-2014-2478 CVE-2014-2476 CVE-2014-2475
                      CVE-2014-2474 CVE-2014-2473 CVE-2014-2472
                      CVE-2014-1492 CVE-2014-1491 CVE-2014-1490
                      CVE-2014-0224 CVE-2014-0221 CVE-2014-0198
                      CVE-2014-0195 CVE-2014-0119 CVE-2014-0114
                      CVE-2014-0096 CVE-2014-0095 CVE-2014-0075
                      CVE-2014-0050 CVE-2014-0033 CVE-2013-5606
                      CVE-2013-5605 CVE-2013-4590 CVE-2013-4322
                      CVE-2013-4286 CVE-2013-1741 CVE-2013-1740
                      CVE-2013-1739 CVE-2012-5615 CVE-2010-5298
Member content until: Friday, November 14 2014
Reference:            ASB-2014.0077
                      ESB-2014.0887
                      ESB-2014.0828
                      ESB-2014.0827
                      ESB-2014.0804
                      ESB-2014.0420
                      ESB-2014.0177
                      ESB-2014.0167
                      ESB-2013.1741
                      ESB-2013.1694
                      ESB-2013.1566

OVERVIEW

        Oracle has released updates addressing vulnerabilities in numerous 
        products. [1]
        
        Oracle states: "This Critical Patch Update contains 154 new security
        fixes across the product families listed below." [1]
        
        Oracle Database 11g Release 1, version 11.1.0.7
        Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
        Oracle Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
        Oracle Application Express, versions prior to 4.2.6
        Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.7
        Oracle Fusion Middleware 11g Release 2, versions 11.1.2.1, 11.1.2.2, 11.1.2.4
        Oracle Fusion Middleware 12c, versions 12.1.1.0, 12.1.2.0, 12.1.3.0
        Oracle Fusion Applications, versions 11.1.2 through 11.1.8
        Oracle Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
        Oracle Adaptive Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
        Oracle Endeca Information Discovery Studio versions 2.2.2, 2.3, 2.4, 3.0, 3.1
        Oracle Enterprise Data Quality versions 8.1.2, 9.0.11
        Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
        Oracle JDeveloper, versions 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
        Oracle OpenSSO version 3.0-04
        Oracle WebLogic Server, versions 10.0.2, 10.3.6, 12.1.1, 12.1.2, 12.1.3
        Application Performance Management, versions prior to 12.1.0.6.2
        Enterprise Manager for Oracle Database Releases 10g, 11g, 12c
        Oracle E-Business Suite Release 11i version 11.5.10.2
        Oracle E-Business Suite Release 12 versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
        Oracle Agile PLM, versions 9.3.1.2, 9.3.3
        Oracle Transportation Management, versions 6.1, 6.2, 6.3.0 through 6.3.5
        Oracle PeopleSoft Enterprise HRMS, version 9.2
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53, 8.54
        Oracle JD Edwards EnterpriseOne Tools, version 8.98
        Oracle Communications MetaSolv Solution, versions MetaSolv Solution: 6.2.1.0.0, LSR: 9.4.0, 10.1.0, ASR: 49.0.0
        Oracle Communications Session Border Controller, version SCX640m5
        Oracle Retail Allocation, versions 10.0, 11.0, 12.0, 13.0, 13.1, 13.2
        Oracle Retail Clearance Optimization Engine, versions 13.3, 13.4, 14.0
        Oracle Retail Invoice Matching, versions 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
        Oracle Retail Markdown Optimization, versions 12.0, 13.0, 13.1, 13.2, 13.4
        Oracle Health Sciences Empirica Inspections, versions 1.0.1.0 and prior
        Oracle Health Sciences Empirica Signal, versions 7.3.3.3 and prior
        Oracle Health Sciences Empirica Study, versions 3.1.2.0 and prior
        Oracle Primavera Contract Management, versions 13.1, 14.0
        Oracle Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.1, 8.2, 8.3
        Oracle JavaFX, version 2.2.65
        Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20
        Oracle Java SE Embedded, version 7u60
        Oracle JRockit, versions R27.8.3, R28.3.3
        Oracle Fujitsu server, versions M10-1, M10-4, M10-4S
        Oracle Solaris, versions 10, 11
        Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
        Oracle VM VirtualBox, versions prior to 4.1.34, 4.2.26, 4.3.14
        Oracle MySQL Server, versions 5.5.39 and earlier, 5.6.20 and earlier
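        As an added example (not part of the AusCERT bulletin or any Oracle
        tooling), the check below encodes the product lines above whose
        entries give an explicit range, "versions prior to X" and "versions
        X and earlier", and classifies an inventory entry against them.
        It compares versions numerically per component, which is what
        makes 4.3.9 count as affected relative to 4.3.14, and it reports
        "unknown" rather than guessing for any product or branch the list
        does not spell out as a range. Product names, the RULES table, the
        audit() helper and the sample hostnames are this example's own.

```python
"""Affected-version check for the products in this bulletin whose entries
give an explicit range ("prior to X" or "X and earlier")."""
from __future__ import annotations

# Range semantics transcribed from the bulletin's product list.  Each rule is
# (branch prefix, comparison, boundary): a version is tested against the first
# rule whose branch prefix it matches; an empty prefix matches every version.
#   "prior_to"    -> affected if version <  boundary
#   "and_earlier" -> affected if version <= boundary
RULES: dict[str, list[tuple[str, str, str]]] = {
    "Oracle Application Express": [("", "prior_to", "4.2.6")],
    "Application Performance Management": [("", "prior_to", "12.1.0.6.2")],
    "Oracle VM VirtualBox": [
        ("4.1", "prior_to", "4.1.34"),
        ("4.2", "prior_to", "4.2.26"),
        ("4.3", "prior_to", "4.3.14"),
    ],
    "Oracle MySQL Server": [
        ("5.5", "and_earlier", "5.5.39"),
        ("5.6", "and_earlier", "5.6.20"),
    ],
}


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so comparison is
    numeric per component (4.3.9 < 4.3.14), not lexical ("4.3.9" > "4.3.14").
    A non-numeric suffix such as the "-log" in "5.6.20-log" is dropped."""
    parts: list[int] = []
    for component in text.strip().split("."):
        digits = ""
        for ch in component:
            if not ch.isdigit():
                break
            digits += ch
        if not digits:
            raise ValueError(f"unparseable version component {component!r} in {text!r}")
        parts.append(int(digits))
    return tuple(parts)


def is_affected(product: str, version: str) -> bool | None:
    """True if the version lies inside a range the bulletin lists as affected,
    False if it is at or beyond the boundary, None if the product or branch is
    not covered by RULES (no guess is made for versions the list names only
    individually, e.g. the Java SE entries)."""
    rules = RULES.get(product)
    if rules is None:
        return None
    v = parse_version(version)
    for branch, kind, boundary in rules:
        prefix = parse_version(branch) if branch else ()
        if v[: len(prefix)] != prefix:
            continue
        bound = parse_version(boundary)
        if kind == "prior_to":
            return v < bound
        if kind == "and_earlier":
            return v <= bound
        raise ValueError(f"unknown comparison {kind!r}")
    return None


def audit(inventory: list[tuple[str, str, str]]) -> list[tuple[str, str, str, str]]:
    """Label each (host, product, version) as affected / not affected / unknown."""
    labels = {True: "affected", False: "not affected", None: "unknown"}
    return [
        (host, product, version, labels[is_affected(product, version)])
        for host, product, version in inventory
    ]


# Constructed sample inventory: hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    ("db-01", "Oracle MySQL Server", "5.6.20"),
    ("db-02", "Oracle MySQL Server", "5.5.40"),
    ("db-03", "Oracle MySQL Server", "5.7.5"),
    ("lab-01", "Oracle VM VirtualBox", "4.3.9"),
    ("lab-02", "Oracle VM VirtualBox", "4.3.14"),
    ("apex-01", "Oracle Application Express", "4.1.1"),
]

if __name__ == "__main__":
    for host, product, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:8} {product:30} {version:10} {status}")
```

        The version strings would normally come from an asset inventory or
        from the products themselves (for example the server version MySQL
        reports to clients); the script deliberately keeps that collection
        step out of scope and only answers the "is this inside the range
        the bulletin names?" question.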


IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]


MITIGATION

        Oracle states: "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2014
            http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html

        [2] Text Form of Oracle Critical Patch Update - October 2014 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----