===========================================================================
             AUSCERT Security Bulletin

                            ASB-2015.0070
   Oracle have released updates which correct vulnerabilities in numerous products
                              15 July 2015

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle products
Operating System:  UNIX variants (UNIX, Linux, OSX)
                   Windows
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Delete Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2015-4790 CVE-2015-4789 CVE-2015-4788 CVE-2015-4787 CVE-2015-4786
                   CVE-2015-4785 CVE-2015-4784 CVE-2015-4783 CVE-2015-4782 CVE-2015-4781
                   CVE-2015-4780 CVE-2015-4779 CVE-2015-4778 CVE-2015-4777 CVE-2015-4776
                   CVE-2015-4775 CVE-2015-4774 CVE-2015-4773 CVE-2015-4772 CVE-2015-4771
                   CVE-2015-4770 CVE-2015-4769 CVE-2015-4768 CVE-2015-4767 CVE-2015-4765
                   CVE-2015-4764 CVE-2015-4763 CVE-2015-4761 CVE-2015-4760 CVE-2015-4759
                   CVE-2015-4758 CVE-2015-4757 CVE-2015-4756 CVE-2015-4755 CVE-2015-4754
                   CVE-2015-4753 CVE-2015-4752 CVE-2015-4751 CVE-2015-4750 CVE-2015-4749
                   CVE-2015-4748 CVE-2015-4747 CVE-2015-4746 CVE-2015-4745 CVE-2015-4744
                   CVE-2015-4743 CVE-2015-4742 CVE-2015-4741 CVE-2015-4740 CVE-2015-4739
                   CVE-2015-4738 CVE-2015-4737 CVE-2015-4736 CVE-2015-4735 CVE-2015-4733
                   CVE-2015-4732 CVE-2015-4731 CVE-2015-4729 CVE-2015-4728 CVE-2015-4727
                   CVE-2015-4000 CVE-2015-3456 CVE-2015-3244 CVE-2015-2808 CVE-2015-2664
                   CVE-2015-2663 CVE-2015-2662 CVE-2015-2661 CVE-2015-2660 CVE-2015-2659
                   CVE-2015-2658 CVE-2015-2657 CVE-2015-2656 CVE-2015-2655 CVE-2015-2654
                   CVE-2015-2653 CVE-2015-2652 CVE-2015-2651 CVE-2015-2650 CVE-2015-2649
                   CVE-2015-2648 CVE-2015-2647 CVE-2015-2646 CVE-2015-2645 CVE-2015-2644
                   CVE-2015-2643 CVE-2015-2641 CVE-2015-2640 CVE-2015-2639 CVE-2015-2638
                   CVE-2015-2637 CVE-2015-2636 CVE-2015-2635 CVE-2015-2634 CVE-2015-2632
                   CVE-2015-2631 CVE-2015-2630 CVE-2015-2629 CVE-2015-2628 CVE-2015-2627
                   CVE-2015-2626 CVE-2015-2625 CVE-2015-2624 CVE-2015-2623 CVE-2015-2622
                   CVE-2015-2621 CVE-2015-2620 CVE-2015-2619 CVE-2015-2618 CVE-2015-2617
                   CVE-2015-2616 CVE-2015-2615 CVE-2015-2614 CVE-2015-2613 CVE-2015-2612
                   CVE-2015-2611 CVE-2015-2610 CVE-2015-2609 CVE-2015-2607 CVE-2015-2606
                   CVE-2015-2605 CVE-2015-2604 CVE-2015-2603 CVE-2015-2602 CVE-2015-2601
                   CVE-2015-2600 CVE-2015-2599 CVE-2015-2598 CVE-2015-2597 CVE-2015-2596
                   CVE-2015-2595 CVE-2015-2594 CVE-2015-2593 CVE-2015-2592 CVE-2015-2591
                   CVE-2015-2590 CVE-2015-2589 CVE-2015-2588 CVE-2015-2587 CVE-2015-2586
                   CVE-2015-2585 CVE-2015-2584 CVE-2015-2583 CVE-2015-2582 CVE-2015-2581
                   CVE-2015-2580 CVE-2015-1926 CVE-2015-1804 CVE-2015-1803 CVE-2015-1802
                   CVE-2015-1787 CVE-2015-0468 CVE-2015-0467 CVE-2015-0446 CVE-2015-0445
                   CVE-2015-0444 CVE-2015-0443 CVE-2015-0293 CVE-2015-0292 CVE-2015-0291
                   CVE-2015-0290 CVE-2015-0289 CVE-2015-0288 CVE-2015-0287 CVE-2015-0286
                   CVE-2015-0285 CVE-2015-0255 CVE-2015-0235 CVE-2015-0209 CVE-2015-0208
                   CVE-2015-0207 CVE-2015-0206 CVE-2015-0205 CVE-2015-0204 CVE-2014-8275
                   CVE-2014-8102 CVE-2014-8101 CVE-2014-8100 CVE-2014-8098 CVE-2014-8097
                   CVE-2014-8096 CVE-2014-8095 CVE-2014-8093 CVE-2014-8092 CVE-2014-8091
                   CVE-2014-7809 CVE-2014-3707 CVE-2014-3613 CVE-2014-3572 CVE-2014-3571
                   CVE-2014-3570 CVE-2014-3569 CVE-2014-3567 CVE-2014-3566 CVE-2014-1569
                   CVE-2014-1568 CVE-2014-0230 CVE-2014-0227 CVE-2014-0139 CVE-2014-0138
                   CVE-2014-0015 CVE-2013-6422 CVE-2013-5704 CVE-2013-4545 CVE-2013-2251
                   CVE-2013-2186 CVE-2013-2174 CVE-2013-0249 CVE-2012-0036 CVE-2011-3389
                   CVE-2010-4020 CVE-2010-1324 CVE-2010-1323

OVERVIEW

        Oracle has released updates addressing vulnerabilities in numerous
        products. [1]
        Oracle states:

        "This Critical Patch Update contains 193 new security fixes across
        the product families listed below." [1]

        Application Express, version(s) prior to 5.0
        Oracle Database Server, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
        Oracle Fusion Middleware, version(s) 10.3.6.0, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 12.1.1, 12.1.2, 12.1.3
        Oracle Access Manager, version(s) 11.1.1.7, 11.1.2.2
        Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
        Oracle Business Intelligence Enterprise Edition, Mobile App version(s) prior to 11.1.1.7.0 (11.6.39)
        Oracle Data Integrator, version(s) 11.1.1.3.0
        Oracle Directory Server Enterprise Edition, version(s) 7.0, 11.1.1.7
        Oracle Endeca Information Discovery Studio, version(s) 2.2.2, 2.3, 2.4, 3.0, 3.1
        Oracle Event Processing, version(s) 11.1.1.7, 12.1.3.0
        Oracle Exalogic Infrastructure, version(s) 2.0.6.2
        Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
        Oracle iPlanet Web Proxy Server, version(s) 4.0
        Oracle iPlanet Web Server, version(s) 6.1, 7.0
        Oracle JDeveloper, version(s) 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
        Oracle OpenSSO, version(s) 3.0-05
        Oracle Traffic Director, version(s) 11.1.1.7.0
        Oracle Tuxedo, version(s) SALT 10.3, SALT 11.1.1.2.2, Tuxedo 12.1.1.0
        Oracle Web Cache, version(s) 11.1.1.7.0
        Oracle WebCenter Portal, version(s) 11.1.1.8.0, 11.1.1.9.0
        Oracle WebCenter Sites, version(s) 11.1.1.6.1 Community, 11.1.1.8.0 Community, 12.2.1.0
        Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.1.0, 12.1.2.0, 12.1.3.0
        Hyperion Common Security, version(s) 11.1.2.2, 11.1.2.3, 11.1.2.4
        Hyperion Enterprise Performance Management Architect, version(s) 11.1.2.2, 11.1.2.3
        Hyperion Essbase, version(s) 11.1.2.2, 11.1.2.3
        Enterprise Manager Base Platform, version(s) 11.1.0.1
        Enterprise Manager for Oracle Database, version(s) 11.1.0.7, 11.2.0.3, 11.2.0.4
        Enterprise Manager Plugin for Oracle Database, version(s) 12.1.0.5, 12.1.0.6, 12.1.0.7
        Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4
        Oracle Agile PLM, version(s) 9.3.4
        Oracle Agile PLM Framework, version(s) 9.3.3
        Oracle Agile Product Lifecycle Management for Process, version(s) 6.0.0.7, 6.1.0.3, 6.1.1.5, 6.2.0.0
        Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
        PeopleSoft Enterprise HCM Candidate Gateway, version(s) 9.1, 9.2
        PeopleSoft Enterprise HCM Talent Acquisition Manager, version(s) 9.1, 9.2
        PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
        PeopleSoft Enterprise Portal - Interaction Hub, version(s) 9.1.00
        Siebel Apps - E-Billing, version(s) 6.1, 6.1.1, 6.2
        Siebel Core - Server OM Svcs, version(s) 8.1.1, 8.2.2, 15.0
        Siebel UI Framework, version(s) 8.1.1, 8.2.2, 15.0
        Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.0.2, 3.1.1, 3.1.2, 11.0, 11.1
        Oracle Communications Messaging Server, version(s) 7.0
        Oracle Communications Session Border Controller, version(s) prior to 7.2.0m4
        Oracle Java FX, version(s) 2.2.80
        Oracle Java SE, version(s) 6u95, 7u80, 8u45
        Oracle Java SE Embedded, version(s) 7u75, 8u33
        Oracle JRockit, version(s) R28.3.6
        Fujitsu M10-1, M10-4, M10-4S Servers, version(s) XCP prior to XCP 2260
        Integrated Lights Out Manager (ILOM), version(s) prior to 3.2.6
        Oracle Ethernet Switch ES2-72, Oracle Ethernet Switch ES2-64, version(s) prior to 1.9.1.2
        Oracle Switch ES1-24, version(s) prior to 1.3.1
        Oracle VM Server for SPARC, version(s) 3.2
        SPARC Enterprise M3000, M4000, M5000, M8000, M9000 Servers, version(s) XCP prior to XCP 1120
        Solaris, version(s) 10, 11.2
        Solaris Cluster, version(s) 3.3, 4.2
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2
        Sun Network 10GE Switch 72p, version(s) prior to 1.2.2
        Secure Global Desktop, version(s) 4.63, 4.71, 5.1, 5.2
        Sun Ray Software, version(s) prior to 5.4.4
        Oracle VM VirtualBox, version(s) prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30
        MySQL Server, version(s) 5.5.43 and earlier, 5.6.24 and earlier
        Oracle Berkeley DB, version(s) 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35

IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an
        attack. For attacks that require certain privileges or access to
        certain packages, removing the privileges or the ability to access
        the packages from users that do not need the privileges may help
        reduce the risk of successful attack. Both approaches may break
        application functionality, so Oracle strongly recommends that
        customers test changes on non-production systems. Neither approach
        should be considered a long-term solution as neither corrects the
        underlying problem." [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2015
            http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

        [2] Text Form of Oracle Critical Patch Update - July 2015 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this security
bulletin.
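The affected-product list mixes three version notations (an exact list such as "6u95, 7u80, 8u45", "5.6.24 and earlier", and "prior to 4.0.32, 4.1.40, ..." where "prior to" covers every branch that follows). The checker below is an added example, not part of the AusCERT bulletin or Oracle's advisory: it parses those notations for three entries copied from the list and flags hosts in a constructed inventory that still need this CPU. The inventory, and the rule that an exactly listed version also puts older builds of the same branch in scope, are assumptions of the example.

```python
import re

# Affected-version entries copied from the bulletin's product list. Three notations
# occur: an exact list, "X and earlier", and "prior to X" (covering every branch after it).
AFFECTED = {
    "Oracle Java SE": "6u95, 7u80, 8u45",
    "MySQL Server": "5.5.43 and earlier, 5.6.24 and earlier",
    "Oracle VM VirtualBox": "prior to 4.0.32, 4.1.40, 4.2.32, 4.3.30",
}

def parse_version(text):
    """'7u80' -> (7, 80); '5.6.24' -> (5, 6, 24)."""
    return tuple(int(p) for p in re.split(r"[.u]", text.strip()))

def parse_spec(spec):
    """One bulletin entry -> list of (bound, inclusive): inclusive=True means 'bound and
    earlier', False means 'strictly before bound'. Assumption not stated by the bulletin:
    an exactly listed version is the last unpatched build, so older builds are in scope."""
    bounds, strict = [], False
    for item in (s.strip() for s in spec.split(",")):
        if item.startswith("prior to "):
            strict, item = True, item[len("prior to "):]
        inclusive = not strict
        if item.endswith(" and earlier"):
            inclusive, item = True, item[: -len(" and earlier")]
        bounds.append((parse_version(item), inclusive))
    return bounds

def is_affected(product, installed):
    """True if the installed build falls inside the bulletin's range for its branch."""
    spec = AFFECTED.get(product)
    if spec is None:
        return False
    inst = parse_version(installed)
    for bound, inclusive in parse_spec(spec):
        if inst[:-1] != bound[:-1]:   # different branch, e.g. 5.5.x vs 5.6.x
            continue
        return inst <= bound if inclusive else inst < bound
    return False                      # branch not listed in the bulletin

def triage(inventory):
    """(host, product, version) triples -> sorted hosts that still need the CPU."""
    return sorted({host for host, prod, ver in inventory if is_affected(prod, ver)})

# Constructed sample inventory, not taken from the bulletin.
INVENTORY = [
    ("db01", "MySQL Server", "5.6.24"), ("db02", "MySQL Server", "5.6.25"),
    ("app01", "Oracle Java SE", "7u79"), ("app02", "Oracle Java SE", "8u51"),
    ("lab01", "Oracle VM VirtualBox", "4.3.30"), ("lab02", "Oracle VM VirtualBox", "4.3.28"),
]
```

`triage(INVENTORY)` returns `['app01', 'db01', 'lab02']`: the other three hosts are already at or past the version the bulletin names for their branch.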
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================