Hash: SHA1

                         AUSCERT Security Bulletin

        Oracle have released updates which correct vulnerabilities
                           in numerous products
                               15 July 2015


        AusCERT Security Bulletin Summary

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Delete Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2015-4790 CVE-2015-4789 CVE-2015-4788
                      CVE-2015-4787 CVE-2015-4786 CVE-2015-4785
                      CVE-2015-4784 CVE-2015-4783 CVE-2015-4782
                      CVE-2015-4781 CVE-2015-4780 CVE-2015-4779
                      CVE-2015-4778 CVE-2015-4777 CVE-2015-4776
                      CVE-2015-4775 CVE-2015-4774 CVE-2015-4773
                      CVE-2015-4772 CVE-2015-4771 CVE-2015-4770
                      CVE-2015-4769 CVE-2015-4768 CVE-2015-4767
                      CVE-2015-4765 CVE-2015-4764 CVE-2015-4763
                      CVE-2015-4761 CVE-2015-4760 CVE-2015-4759
                      CVE-2015-4758 CVE-2015-4757 CVE-2015-4756
                      CVE-2015-4755 CVE-2015-4754 CVE-2015-4753
                      CVE-2015-4752 CVE-2015-4751 CVE-2015-4750
                      CVE-2015-4749 CVE-2015-4748 CVE-2015-4747
                      CVE-2015-4746 CVE-2015-4745 CVE-2015-4744
                      CVE-2015-4743 CVE-2015-4742 CVE-2015-4741
                      CVE-2015-4740 CVE-2015-4739 CVE-2015-4738
                      CVE-2015-4737 CVE-2015-4736 CVE-2015-4735
                      CVE-2015-4733 CVE-2015-4732 CVE-2015-4731
                      CVE-2015-4729 CVE-2015-4728 CVE-2015-4727
                      CVE-2015-4000 CVE-2015-3456 CVE-2015-3244
                      CVE-2015-2808 CVE-2015-2664 CVE-2015-2663
                      CVE-2015-2662 CVE-2015-2661 CVE-2015-2660
                      CVE-2015-2659 CVE-2015-2658 CVE-2015-2657
                      CVE-2015-2656 CVE-2015-2655 CVE-2015-2654
                      CVE-2015-2653 CVE-2015-2652 CVE-2015-2651
                      CVE-2015-2650 CVE-2015-2649 CVE-2015-2648
                      CVE-2015-2647 CVE-2015-2646 CVE-2015-2645
                      CVE-2015-2644 CVE-2015-2643 CVE-2015-2641
                      CVE-2015-2640 CVE-2015-2639 CVE-2015-2638
                      CVE-2015-2637 CVE-2015-2636 CVE-2015-2635
                      CVE-2015-2634 CVE-2015-2632 CVE-2015-2631
                      CVE-2015-2630 CVE-2015-2629 CVE-2015-2628
                      CVE-2015-2627 CVE-2015-2626 CVE-2015-2625
                      CVE-2015-2624 CVE-2015-2623 CVE-2015-2622
                      CVE-2015-2621 CVE-2015-2620 CVE-2015-2619
                      CVE-2015-2618 CVE-2015-2617 CVE-2015-2616
                      CVE-2015-2615 CVE-2015-2614 CVE-2015-2613
                      CVE-2015-2612 CVE-2015-2611 CVE-2015-2610
                      CVE-2015-2609 CVE-2015-2607 CVE-2015-2606
                      CVE-2015-2605 CVE-2015-2604 CVE-2015-2603
                      CVE-2015-2602 CVE-2015-2601 CVE-2015-2600
                      CVE-2015-2599 CVE-2015-2598 CVE-2015-2597
                      CVE-2015-2596 CVE-2015-2595 CVE-2015-2594
                      CVE-2015-2593 CVE-2015-2592 CVE-2015-2591
                      CVE-2015-2590 CVE-2015-2589 CVE-2015-2588
                      CVE-2015-2587 CVE-2015-2586 CVE-2015-2585
                      CVE-2015-2584 CVE-2015-2583 CVE-2015-2582
                      CVE-2015-2581 CVE-2015-2580 CVE-2015-1926
                      CVE-2015-1804 CVE-2015-1803 CVE-2015-1802
                      CVE-2015-1787 CVE-2015-0468 CVE-2015-0467
                      CVE-2015-0446 CVE-2015-0445 CVE-2015-0444
                      CVE-2015-0443 CVE-2015-0293 CVE-2015-0292
                      CVE-2015-0291 CVE-2015-0290 CVE-2015-0289
                      CVE-2015-0288 CVE-2015-0287 CVE-2015-0286
                      CVE-2015-0285 CVE-2015-0255 CVE-2015-0235
                      CVE-2015-0209 CVE-2015-0208 CVE-2015-0207
                      CVE-2015-0206 CVE-2015-0205 CVE-2015-0204
                      CVE-2014-8275 CVE-2014-8102 CVE-2014-8101
                      CVE-2014-8100 CVE-2014-8098 CVE-2014-8097
                      CVE-2014-8096 CVE-2014-8095 CVE-2014-8093
                      CVE-2014-8092 CVE-2014-8091 CVE-2014-7809
                      CVE-2014-3707 CVE-2014-3613 CVE-2014-3572
                      CVE-2014-3571 CVE-2014-3570 CVE-2014-3569
                      CVE-2014-3567 CVE-2014-3566 CVE-2014-1569
                      CVE-2014-1568 CVE-2014-0230 CVE-2014-0227
                      CVE-2014-0139 CVE-2014-0138 CVE-2014-0015
                      CVE-2013-6422 CVE-2013-5704 CVE-2013-4545
                      CVE-2013-2251 CVE-2013-2186 CVE-2013-2174
                      CVE-2013-0249 CVE-2012-0036 CVE-2011-3389
                      CVE-2010-4020 CVE-2010-1324 CVE-2010-1323
Member content until: Friday, August 14 2015


        Oracle has released updates addressing vulnerabilities in numerous 
        products. [1]
        Oracle states: "This Critical Patch Update contains 193 new security
        fixes across the product families listed below." [1]
        Application Express, version(s) prior to 5.0
        Oracle Database Server, version(s),,,,
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
        Oracle Fusion Middleware, version(s),,,,, 12.1.1, 12.1.2, 12.1.3
        Oracle Access Manager, version(s),
        Oracle Business Intelligence Enterprise Edition, version(s),
        Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to (11.6.39)
        Oracle Data Integrator, version(s)
        Oracle Directory Server Enterprise Edition, version(s) 7.0,
        Oracle Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1
        Oracle Event Processing, version(s),
        Oracle Exalogic Infrastructure, version(s)
        Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
        Oracle iPlanet Web Proxy Server, version(s) 4.0
        Oracle iPlanet Web Server, version(s) 6.1, 7.0
        Oracle JDeveloper, version(s),,,
        Oracle OpenSSO, version(s) 3.0-05
        Oracle Traffic Director, version(s)
        Oracle Tuxedo, version(s) SALT 10.3, SALT, Tuxedo
        Oracle Web Cache, version(s)
        Oracle WebCenter Portal, version(s),
        Oracle WebCenter Sites, version(s) Community, Community,
        Oracle WebLogic Server, version(s),,,
        Hyperion Common Security, version(s),,
        Hyperion Enterprise Performance Management Architect, version(s),
        Hyperion Essbase, version(s),
        Enterprise Manager Base Platform, version(s)
        Enterprise Manager for Oracle Database, version(s),,
        Enterprise Manager Plugin for Oracle Database, version(s),,
        Oracle E-Business Suite, version(s), 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
        Oracle Agile PLM, version(s) 9.3.4
        Oracle Agile PLM Framework, version(s) 9.3.3
        Oracle Agile Product Lifecycle Management for Process, version(s),,,
        Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
        PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2
        PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2
        PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
        PeopleSoft Enteprise Portal - Interaction Hub, version(s) 9.1.00
        Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2
        Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0
        Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0
        Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
        Oracle Communications Messaging Server, version(s) 7.0
        Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4
        Oracle Java FX, version(s) 2.2.80
        Oracle Java SE, version(s) 6u95, 7u80, 8u45
        Oracle Java SE Embedded, version(s) 7u75, 8u33
        Oracle JRockit, version(s) R28.3.6
        Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260
        Integrated Lights Out Manager (ILOM), version(s) prior to 3.2.6
        Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to
        Oracle Switch ES1-24, version(s) prior to 1.3.1
        Oracle VM Server for SPARC, version(s) 3.2
        SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120
        Solaris, version(s) 10, 11.2
        Solaris Cluster, version(s) 3.3, 4.2
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2
        Sun Network 10GE Switch 72p, version(s) prior to 1.2.2
        Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2
        Sun Ray Software, version(s) prior to 5.4.4
        Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
        MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier
        Oracle Berkeley DB, version(s),,,


        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


        Oracle states: "Due to the threat posed by a successful attack, 
        Oracle strongly recommends that customers apply CPU fixes as soon as
        possible. Until you apply the CPU fixes, it may be possible to 
        reduce the risk of successful attack by blocking network protocols 
        required by an attack. For attacks that require certain privileges 
        or access to certain packages, removing the privileges or the 
        ability to access the packages from users that do not need the 
        privileges may help reduce the risk of successful attack. Both 
        approaches may break application functionality, so Oracle strongly 
        recommends that customers test changes on non-production systems. 
        Neither approach should be considered a long-term solution as 
        neither corrects the underlying problem." [1]


        [1] Oracle Critical Patch Update Advisory - July 2015

        [2] Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967