-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2015.0070
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               15 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-4790 CVE-2015-4789 CVE-2015-4788
                      CVE-2015-4787 CVE-2015-4786 CVE-2015-4785
                      CVE-2015-4784 CVE-2015-4783 CVE-2015-4782
                      CVE-2015-4781 CVE-2015-4780 CVE-2015-4779
                      CVE-2015-4778 CVE-2015-4777 CVE-2015-4776
                      CVE-2015-4775 CVE-2015-4774 CVE-2015-4773
                      CVE-2015-4772 CVE-2015-4771 CVE-2015-4770
                      CVE-2015-4769 CVE-2015-4768 CVE-2015-4767
                      CVE-2015-4765 CVE-2015-4764 CVE-2015-4763
                      CVE-2015-4761 CVE-2015-4760 CVE-2015-4759
                      CVE-2015-4758 CVE-2015-4757 CVE-2015-4756
                      CVE-2015-4755 CVE-2015-4754 CVE-2015-4753
                      CVE-2015-4752 CVE-2015-4751 CVE-2015-4750
                      CVE-2015-4749 CVE-2015-4748 CVE-2015-4747
                      CVE-2015-4746 CVE-2015-4745 CVE-2015-4744
                      CVE-2015-4743 CVE-2015-4742 CVE-2015-4741
                      CVE-2015-4740 CVE-2015-4739 CVE-2015-4738
                      CVE-2015-4737 CVE-2015-4736 CVE-2015-4735
                      CVE-2015-4733 CVE-2015-4732 CVE-2015-4731
                      CVE-2015-4729 CVE-2015-4728 CVE-2015-4727
                      CVE-2015-4000 CVE-2015-3456 CVE-2015-3244
                      CVE-2015-2808 CVE-2015-2664 CVE-2015-2663
                      CVE-2015-2662 CVE-2015-2661 CVE-2015-2660
                      CVE-2015-2659 CVE-2015-2658 CVE-2015-2657
                      CVE-2015-2656 CVE-2015-2655 CVE-2015-2654
                      CVE-2015-2653 CVE-2015-2652 CVE-2015-2651
                      CVE-2015-2650 CVE-2015-2649 CVE-2015-2648
                      CVE-2015-2647 CVE-2015-2646 CVE-2015-2645
                      CVE-2015-2644 CVE-2015-2643 CVE-2015-2641
                      CVE-2015-2640 CVE-2015-2639 CVE-2015-2638
                      CVE-2015-2637 CVE-2015-2636 CVE-2015-2635
                      CVE-2015-2634 CVE-2015-2632 CVE-2015-2631
                      CVE-2015-2630 CVE-2015-2629 CVE-2015-2628
                      CVE-2015-2627 CVE-2015-2626 CVE-2015-2625
                      CVE-2015-2624 CVE-2015-2623 CVE-2015-2622
                      CVE-2015-2621 CVE-2015-2620 CVE-2015-2619
                      CVE-2015-2618 CVE-2015-2617 CVE-2015-2616
                      CVE-2015-2615 CVE-2015-2614 CVE-2015-2613
                      CVE-2015-2612 CVE-2015-2611 CVE-2015-2610
                      CVE-2015-2609 CVE-2015-2607 CVE-2015-2606
                      CVE-2015-2605 CVE-2015-2604 CVE-2015-2603
                      CVE-2015-2602 CVE-2015-2601 CVE-2015-2600
                      CVE-2015-2599 CVE-2015-2598 CVE-2015-2597
                      CVE-2015-2596 CVE-2015-2595 CVE-2015-2594
                      CVE-2015-2593 CVE-2015-2592 CVE-2015-2591
                      CVE-2015-2590 CVE-2015-2589 CVE-2015-2588
                      CVE-2015-2587 CVE-2015-2586 CVE-2015-2585
                      CVE-2015-2584 CVE-2015-2583 CVE-2015-2582
                      CVE-2015-2581 CVE-2015-2580 CVE-2015-1926
                      CVE-2015-1804 CVE-2015-1803 CVE-2015-1802
                      CVE-2015-1787 CVE-2015-0468 CVE-2015-0467
                      CVE-2015-0446 CVE-2015-0445 CVE-2015-0444
                      CVE-2015-0443 CVE-2015-0293 CVE-2015-0292
                      CVE-2015-0291 CVE-2015-0290 CVE-2015-0289
                      CVE-2015-0288 CVE-2015-0287 CVE-2015-0286
                      CVE-2015-0285 CVE-2015-0255 CVE-2015-0235
                      CVE-2015-0209 CVE-2015-0208 CVE-2015-0207
                      CVE-2015-0206 CVE-2015-0205 CVE-2015-0204
                      CVE-2014-8275 CVE-2014-8102 CVE-2014-8101
                      CVE-2014-8100 CVE-2014-8098 CVE-2014-8097
                      CVE-2014-8096 CVE-2014-8095 CVE-2014-8093
                      CVE-2014-8092 CVE-2014-8091 CVE-2014-7809
                      CVE-2014-3707 CVE-2014-3613 CVE-2014-3572
                      CVE-2014-3571 CVE-2014-3570 CVE-2014-3569
                      CVE-2014-3567 CVE-2014-3566 CVE-2014-1569
                      CVE-2014-1568 CVE-2014-0230 CVE-2014-0227
                      CVE-2014-0139 CVE-2014-0138 CVE-2014-0015
                      CVE-2013-6422 CVE-2013-5704 CVE-2013-4545
                      CVE-2013-2251 CVE-2013-2186 CVE-2013-2174
                      CVE-2013-0249 CVE-2012-0036 CVE-2011-3389
                      CVE-2010-4020 CVE-2010-1324 CVE-2010-1323
Member content until: Friday, August 14 2015

OVERVIEW

        Oracle has released updates addressing vulnerabilities in numerous 
        products. [1]
        
        Oracle states: "This Critical Patch Update contains 193 new security
        fixes across the product families listed below." [1]
        
        Application Express, version(s) prior to 5.0
        Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
        Oracle Fusion Middleware, version(s) 10.3.6.0, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 12.1.1, 12.1.2, 12.1.3
        Oracle Access Manager, version(s) 11.1.1.7, 11.1.2.2
        Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
        Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to 11.1.1.7.0 (11.6.39)
        Oracle Data Integrator, version(s) 11.1.1.3.0
        Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
        Oracle Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1
        Oracle Event Processing, version(s) 11.1.1.7, 12.1.3.0
        Oracle Exalogic Infrastructure, version(s) 2.0.6.2
        Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
        Oracle iPlanet Web Proxy Server, version(s) 4.0
        Oracle iPlanet Web Server, version(s) 6.1, 7.0
        Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
        Oracle OpenSSO, version(s) 3.0-05
        Oracle Traffic Director, version(s) 11.1.1.7.0
        Oracle Tuxedo, version(s) SALT 10.3, SALT 11.1.1.2.2, Tuxedo 12.1.1.0
        Oracle Web Cache, version(s) 11.1.1.7.0
        Oracle WebCenter Portal, version(s) 11.1.1.8.0, 11.1.1.9.0
        Oracle WebCenter Sites, version(s) 11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0
        Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
        Hyperion Common Security, version(s) 11.1.2.2, 11.1.2.3, 11.1.2.4
        Hyperion Enterprise Performance Management Architect, version(s) 11.1.2.2, 11.1.2.3
        Hyperion Essbase, version(s) 11.1.2.2, 11.1.2.3
        Enterprise Manager Base Platform, version(s) 11.1.0.1
        Enterprise Manager for Oracle Database, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4
        Enterprise Manager Plugin for Oracle Database, version(s) 12.1.0.5, 12.1.0.6, 12.1.0.7
        Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
        Oracle Agile PLM, version(s) 9.3.4
        Oracle Agile PLM Framework, version(s) 9.3.3
        Oracle Agile Product Lifecycle Management for Process, version(s) 6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0
        Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
        PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2
        PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2
        PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
        PeopleSoft Enterprise Portal - Interaction Hub, version(s) 9.1.00
        Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2
        Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0
        Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0
        Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
        Oracle Communications Messaging Server, version(s) 7.0
        Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4
        Oracle Java FX, version(s) 2.2.80
        Oracle Java SE, version(s) 6u95, 7u80, 8u45
        Oracle Java SE Embedded, version(s) 7u75, 8u33
        Oracle JRockit, version(s) R28.3.6
        Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260
        Integrated Lights Out Manager (ILOM), version(s) prior to 3.2.6
        Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 1.9.1.2
        Oracle Switch ES1-24, version(s) prior to 1.3.1
        Oracle VM Server for SPARC, version(s) 3.2
        SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120
        Solaris, version(s) 10, 11.2
        Solaris Cluster, version(s) 3.3, 4.2
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2
        Sun Network 10GE Switch 72p, version(s) prior to 1.2.2
        Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2
        Sun Ray Software, version(s) prior to 5.4.4
        Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
        MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier
        Oracle Berkeley DB, version(s) 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35
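        To turn the affected-product list above into something an asset inventory
        can be checked against, here is an added example written for this page; it
        is not code from AusCERT or Oracle. It parses a subset of the bulletin's own
        product lines (copied verbatim from the list above) and compares a
        constructed inventory against them. Assumptions made by the example: version
        strings compare component-wise as integers ("8u45" becomes (8, 45)); a single
        "prior to" threshold applies to every installed version, while several
        thresholds on one line apply per release branch (all but the last component);
        plain lists of version strings are matched literally, so an installed version
        the bulletin does not name is reported as "not listed" rather than
        "not affected", because the bulletin itself does not say how such lists are
        to be read; and lines the parser cannot interpret (such as the XCP firmware
        entries) are skipped so they can be reviewed by hand.

```python
import re
from dataclasses import dataclass

# Subset of the affected-product lines from the bulletin's OVERVIEW section.
AFFECTED_LINES = [
    "Application Express, version(s) prior to 5.0",
    "Oracle Java SE, version(s) 6u95, 7u80, 8u45",
    "MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier",
    "Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30",
    "Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0",
    "Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260",
]

# Constructed inventory (product name as written in the bulletin, installed version).
INVENTORY = [
    ("Oracle Java SE", "8u40"),
    ("MySQL Server", "5.6.20"),
    ("MySQL Server", "5.6.25"),
    ("Oracle VM VirtualBox", "4.2.30"),
    ("Application Express", "4.2.6"),
    ("Oracle WebLogic Server", "12.1.3.0"),
    ("Oracle Database Server", "12.1.0.2"),  # not in the subset above
]

VERSION_RE = re.compile(r"\d+([.u]\d+)*")  # e.g. 12.1.0.2 or 8u45


@dataclass
class Entry:
    product: str
    kind: str       # "exact", "prior_to" or "and_earlier"
    versions: list  # version strings as written in the bulletin


def version_key(text):
    """Turn '12.1.0.2' or '8u45' into a tuple of ints for ordering."""
    return tuple(int(p) for p in re.findall(r"\d+", text))


def parse_line(line):
    """Parse one 'Product, version(s) ...' line; None if the form is unknown."""
    product, _, spec = line.partition(", version(s) ")
    spec = spec.strip()
    if spec.startswith("prior to "):
        kind, versions = "prior_to", spec[len("prior to "):].split(",")
    elif "and earlier" in spec:
        kind, versions = "and_earlier", [v.replace("and earlier", "") for v in spec.split(",")]
    else:
        kind, versions = "exact", spec.split(",")
    versions = [v.strip() for v in versions]
    if not versions or not all(VERSION_RE.fullmatch(v) for v in versions):
        return None  # e.g. "XCP prior to XCP 2260": leave for manual review
    return Entry(product, kind, versions)


def is_affected(entry, installed):
    """True = below a listed threshold or named; False = at/above a listed
    threshold; None = the bulletin names no version or branch covering it."""
    inst = version_key(installed)
    if entry.kind == "exact":
        return True if any(version_key(v) == inst for v in entry.versions) else None
    below = (lambda t: inst < t) if entry.kind == "prior_to" else (lambda t: inst <= t)
    thresholds = [version_key(v) for v in entry.versions]
    if len(thresholds) == 1:
        return below(thresholds[0])
    # Several thresholds: one per release branch (4.0.x, 4.1.x, ...). Match the
    # installed version to the branch that shares all but the last component.
    for t in thresholds:
        branch = t[:-1]
        if inst[:len(branch)] == branch:
            return below(t)
    return None


def triage(inventory, lines=AFFECTED_LINES):
    """Map (product, installed) -> 'affected' | 'not affected' | 'not listed'."""
    entries = {e.product: e for e in map(parse_line, lines) if e is not None}
    label = {True: "affected", False: "not affected", None: "not listed"}
    verdicts = {}
    for product, installed in inventory:
        entry = entries.get(product)
        result = None if entry is None else is_affected(entry, installed)
        verdicts[(product, installed)] = label[result]
    return verdicts


if __name__ == "__main__":
    for (product, installed), verdict in triage(INVENTORY).items():
        print(f"{product} {installed}: {verdict}")
```

        A "not listed" verdict is a prompt to read Oracle's advisory [1] for that
        product, not a clean bill of health; the checker only encodes what the
        version strings on this page literally say.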


IMPACT

        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


MITIGATION

        Oracle states: "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible. Until you apply the CPU fixes, it may be possible to 
        reduce the risk of successful attack by blocking network protocols 
        required by an attack. For attacks that require certain privileges 
        or access to certain packages, removing the privileges or the 
        ability to access the packages from users that do not need the 
        privileges may help reduce the risk of successful attack. Both 
        approaches may break application functionality, so Oracle strongly 
        recommends that customers test changes on non-production systems. 
        Neither approach should be considered a long-term solution as 
        neither corrects the underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2015
            http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

        [2] Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----