                         AUSCERT Security Bulletin

        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              20 January 2016


        AusCERT Security Bulletin Summary

Product:              Oracle products
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Increased Privileges            -- Existing Account      
                      Denial of Service               -- Remote/Unauthenticated
                      Provide Misleading Information  -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-0618 CVE-2016-0616 CVE-2016-0614
                      CVE-2016-0611 CVE-2016-0610 CVE-2016-0609
                      CVE-2016-0608 CVE-2016-0607 CVE-2016-0606
                      CVE-2016-0605 CVE-2016-0602 CVE-2016-0601
                      CVE-2016-0600 CVE-2016-0599 CVE-2016-0598
                      CVE-2016-0597 CVE-2016-0596 CVE-2016-0595
                      CVE-2016-0594 CVE-2016-0592 CVE-2016-0591
                      CVE-2016-0590 CVE-2016-0589 CVE-2016-0588
                      CVE-2016-0587 CVE-2016-0586 CVE-2016-0585
                      CVE-2016-0584 CVE-2016-0583 CVE-2016-0582
                      CVE-2016-0581 CVE-2016-0580 CVE-2016-0579
                      CVE-2016-0578 CVE-2016-0577 CVE-2016-0576
                      CVE-2016-0575 CVE-2016-0574 CVE-2016-0573
                      CVE-2016-0572 CVE-2016-0571 CVE-2016-0570
                      CVE-2016-0569 CVE-2016-0568 CVE-2016-0567
                      CVE-2016-0566 CVE-2016-0565 CVE-2016-0564
                      CVE-2016-0563 CVE-2016-0562 CVE-2016-0561
                      CVE-2016-0560 CVE-2016-0559 CVE-2016-0558
                      CVE-2016-0557 CVE-2016-0556 CVE-2016-0555
                      CVE-2016-0554 CVE-2016-0553 CVE-2016-0552
                      CVE-2016-0551 CVE-2016-0550 CVE-2016-0549
                      CVE-2016-0548 CVE-2016-0547 CVE-2016-0546
                      CVE-2016-0545 CVE-2016-0544 CVE-2016-0543
                      CVE-2016-0542 CVE-2016-0541 CVE-2016-0540
                      CVE-2016-0539 CVE-2016-0538 CVE-2016-0537
                      CVE-2016-0536 CVE-2016-0535 CVE-2016-0534
                      CVE-2016-0533 CVE-2016-0532 CVE-2016-0531
                      CVE-2016-0530 CVE-2016-0529 CVE-2016-0528
                      CVE-2016-0527 CVE-2016-0526 CVE-2016-0525
                      CVE-2016-0524 CVE-2016-0523 CVE-2016-0522
                      CVE-2016-0521 CVE-2016-0520 CVE-2016-0519
                      CVE-2016-0518 CVE-2016-0517 CVE-2016-0516
                      CVE-2016-0515 CVE-2016-0514 CVE-2016-0513
                      CVE-2016-0512 CVE-2016-0511 CVE-2016-0510
                      CVE-2016-0509 CVE-2016-0508 CVE-2016-0507
                      CVE-2016-0506 CVE-2016-0505 CVE-2016-0504
                      CVE-2016-0503 CVE-2016-0502 CVE-2016-0501
                      CVE-2016-0500 CVE-2016-0499 CVE-2016-0498
                      CVE-2016-0497 CVE-2016-0496 CVE-2016-0495
                      CVE-2016-0494 CVE-2016-0493 CVE-2016-0492
                      CVE-2016-0491 CVE-2016-0490 CVE-2016-0489
                      CVE-2016-0488 CVE-2016-0487 CVE-2016-0486
                      CVE-2016-0485 CVE-2016-0484 CVE-2016-0483
                      CVE-2016-0482 CVE-2016-0481 CVE-2016-0480
                      CVE-2016-0478 CVE-2016-0477 CVE-2016-0476
                      CVE-2016-0475 CVE-2016-0474 CVE-2016-0473
                      CVE-2016-0472 CVE-2016-0471 CVE-2016-0470
                      CVE-2016-0467 CVE-2016-0466 CVE-2016-0465
                      CVE-2016-0464 CVE-2016-0463 CVE-2016-0462
                      CVE-2016-0461 CVE-2016-0460 CVE-2016-0459
                      CVE-2016-0458 CVE-2016-0457 CVE-2016-0456
                      CVE-2016-0455 CVE-2016-0454 CVE-2016-0453
                      CVE-2016-0452 CVE-2016-0451 CVE-2016-0450
                      CVE-2016-0449 CVE-2016-0448 CVE-2016-0447
                      CVE-2016-0446 CVE-2016-0445 CVE-2016-0444
                      CVE-2016-0443 CVE-2016-0442 CVE-2016-0441
                      CVE-2016-0440 CVE-2016-0439 CVE-2016-0438
                      CVE-2016-0437 CVE-2016-0436 CVE-2016-0435
                      CVE-2016-0434 CVE-2016-0433 CVE-2016-0432
                      CVE-2016-0431 CVE-2016-0430 CVE-2016-0429
                      CVE-2016-0428 CVE-2016-0427 CVE-2016-0426
                      CVE-2016-0425 CVE-2016-0424 CVE-2016-0423
                      CVE-2016-0422 CVE-2016-0421 CVE-2016-0420
                      CVE-2016-0419 CVE-2016-0418 CVE-2016-0417
                      CVE-2016-0416 CVE-2016-0415 CVE-2016-0414
                      CVE-2016-0413 CVE-2016-0412 CVE-2016-0411
                      CVE-2016-0409 CVE-2016-0406 CVE-2016-0405
                      CVE-2016-0404 CVE-2016-0403 CVE-2016-0402
                      CVE-2016-0401 CVE-2015-8370 CVE-2015-8126
                      CVE-2015-8104 CVE-2015-7744 CVE-2015-7575
                      CVE-2015-7183 CVE-2015-6015 CVE-2015-6014
                      CVE-2015-6013 CVE-2015-5307 CVE-2015-4926
                      CVE-2015-4925 CVE-2015-4924 CVE-2015-4923
                      CVE-2015-4922 CVE-2015-4921 CVE-2015-4920
                      CVE-2015-4919 CVE-2015-4885 CVE-2015-4808
                      CVE-2015-4000 CVE-2015-3195 CVE-2015-3183
                      CVE-2015-3153 CVE-2015-1793 CVE-2015-0286
                      CVE-2015-0235 CVE-2014-3583 CVE-2014-0107
                      CVE-2014-0050 CVE-2013-2186 CVE-2013-1741
Member content until: Friday, February 19 2016
Reference:            ASB-2015.0070


        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]

        Oracle states: "This Critical Patch Update contains 248 new security
        fixes across the product families listed below." [1]

        Oracle Database Server, version(s),, 
        Oracle GoldenGate, version(s) 11.2, 12.1.2 
        Oracle BI Publisher, version(s),, 
        Oracle Business Intelligence Enterprise Edition, version(s), 
        Oracle Endeca Server, version(s),,, 
        Oracle Fusion Middleware, version(s),,,,,,,, 12.2.1 
        Oracle GlassFish Server, version(s) 3.1.2 
        Oracle Identity Federation, version(s), 
        Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2 
        Oracle Tuxedo, version(s) 
        Oracle Web Cache, version(s), 
        Oracle WebCenter Sites, version(s) 7.6.2, 
        Oracle WebLogic Portal, version(s) 10.3.6 
        Oracle WebLogic Server, version(s) 10.3.6, 12.1.2, 12.1.3, 12.2.1 
        Enterprise Manager Base Platform, version(s),,, 
        Enterprise Manager Ops Center, version(s) prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0 
        Oracle Application Testing Suite, version(s), 
        Application Mgmt Pack for E-Business Suite, version(s) 12.1, 12.2 
        Oracle E-Business Suite, version(s), 12.1, 12.1.1, 12.1.2, 12.1.3, 12.2, 12.2.3, 12.2.4, 12.2.5 
        Oracle Agile Engineering Data Management, version(s),, 
        Oracle Agile PLM, version(s),, 9.3.2, 9.3.3 
        Oracle Configurator, version(s), 12.1, 12.2 
        PeopleSoft Enterprise HCM Global Payroll Switzerland, version(s) 9.1, 9.2 
        PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55 
        PeopleSoft Enterprise SCM eProcurement, version(s) 9.1, 9.2 
        PeopleSoft Enterprise SCM Order Management, version(s) 9.1, 9.2 
        PeopleSoft Enterprise SCM Purchasing, version(s) 9.1, 9.2 
        JD Edwards EnterpriseOne Tools, version(s) 9.1, 9.2 
        Oracle iLearning, version(s) 6.0, 6.1 
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10 
        Oracle Communications Converged Application Server - Service Controller, version(s) 6.1 
        Oracle Communications EAGLE LNP Application Processor, version(s) 10.0 
        Oracle Communications Online Mediation Controller, version(s) 6.1 
        Oracle Communications Service Broker, version(s) 6.0, 6.1 
        Oracle Communications Service Broker Engineered System Edition, version(s) 6.0 
        MICROS CWDirect, version(s) 12.5, 13.0, 14.0, 15.0, 16.0, 17.0, 18.0 
        Oracle Retail Open Commerce Platform Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0 
        Oracle Retail Order Broker Cloud Service, version(s) 4.0, 4.1 
        Oracle Retail Order Management System Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0, 15.0 
        Oracle Retail Point-of-Service, version(s) 13.4, 14.0, 14.1 
        Oracle Java SE, version(s) 6u105, 7u91, 8u66 
        Oracle Java SE Embedded, version(s) 8u65 
        Oracle JRockit, version(s) R28.3.8 
        Oracle Switch ES1-24, version(s) prior to 
        Solaris, version(s) 10, 11 
        Solaris Cluster, version(s) 3.3, 4, 4.2 
        Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 
        Sun Network 10GE Switch 72p, version(s) prior to 
        Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2 
        Oracle VM VirtualBox, version(s) prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.36, prior to 5.0.14 
        MySQL Server, version(s) 5.5.46 and prior, 5.6.27 and prior, 5.7.9


        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


        Oracle states: "Oracle continues to periodically receive reports of
        attempts to maliciously exploit vulnerabilities for which Oracle has
        already released fixes. In some instances, it has been reported that
        attackers have been successful because targeted customers had failed
        to apply available Oracle patches. Oracle therefore strongly 
        recommends that customers remain on actively-supported versions and
        apply Critical Patch Update fixes without delay." [1]


        [1] Oracle Critical Patch Update Advisory - January 2016

        [2] Text Form of Oracle Critical Patch Update - January 2016 Risk

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.