Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2016.0004
Oracle have released updates which correct vulnerabilities
in numerous products
20 January 2016
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle products
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Provide Misleading Information -- Remote/Unauthenticated
Resolution: Patch/Upgrade
CVE Names: CVE-2016-0618 CVE-2016-0616 CVE-2016-0614
CVE-2016-0611 CVE-2016-0610 CVE-2016-0609
CVE-2016-0608 CVE-2016-0607 CVE-2016-0606
CVE-2016-0605 CVE-2016-0602 CVE-2016-0601
CVE-2016-0600 CVE-2016-0599 CVE-2016-0598
CVE-2016-0597 CVE-2016-0596 CVE-2016-0595
CVE-2016-0594 CVE-2016-0592 CVE-2016-0591
CVE-2016-0590 CVE-2016-0589 CVE-2016-0588
CVE-2016-0587 CVE-2016-0586 CVE-2016-0585
CVE-2016-0584 CVE-2016-0583 CVE-2016-0582
CVE-2016-0581 CVE-2016-0580 CVE-2016-0579
CVE-2016-0578 CVE-2016-0577 CVE-2016-0576
CVE-2016-0575 CVE-2016-0574 CVE-2016-0573
CVE-2016-0572 CVE-2016-0571 CVE-2016-0570
CVE-2016-0569 CVE-2016-0568 CVE-2016-0567
CVE-2016-0566 CVE-2016-0565 CVE-2016-0564
CVE-2016-0563 CVE-2016-0562 CVE-2016-0561
CVE-2016-0560 CVE-2016-0559 CVE-2016-0558
CVE-2016-0557 CVE-2016-0556 CVE-2016-0555
CVE-2016-0554 CVE-2016-0553 CVE-2016-0552
CVE-2016-0551 CVE-2016-0550 CVE-2016-0549
CVE-2016-0548 CVE-2016-0547 CVE-2016-0546
CVE-2016-0545 CVE-2016-0544 CVE-2016-0543
CVE-2016-0542 CVE-2016-0541 CVE-2016-0540
CVE-2016-0539 CVE-2016-0538 CVE-2016-0537
CVE-2016-0536 CVE-2016-0535 CVE-2016-0534
CVE-2016-0533 CVE-2016-0532 CVE-2016-0531
CVE-2016-0530 CVE-2016-0529 CVE-2016-0528
CVE-2016-0527 CVE-2016-0526 CVE-2016-0525
CVE-2016-0524 CVE-2016-0523 CVE-2016-0522
CVE-2016-0521 CVE-2016-0520 CVE-2016-0519
CVE-2016-0518 CVE-2016-0517 CVE-2016-0516
CVE-2016-0515 CVE-2016-0514 CVE-2016-0513
CVE-2016-0512 CVE-2016-0511 CVE-2016-0510
CVE-2016-0509 CVE-2016-0508 CVE-2016-0507
CVE-2016-0506 CVE-2016-0505 CVE-2016-0504
CVE-2016-0503 CVE-2016-0502 CVE-2016-0501
CVE-2016-0500 CVE-2016-0499 CVE-2016-0498
CVE-2016-0497 CVE-2016-0496 CVE-2016-0495
CVE-2016-0494 CVE-2016-0493 CVE-2016-0492
CVE-2016-0491 CVE-2016-0490 CVE-2016-0489
CVE-2016-0488 CVE-2016-0487 CVE-2016-0486
CVE-2016-0485 CVE-2016-0484 CVE-2016-0483
CVE-2016-0482 CVE-2016-0481 CVE-2016-0480
CVE-2016-0478 CVE-2016-0477 CVE-2016-0476
CVE-2016-0475 CVE-2016-0474 CVE-2016-0473
CVE-2016-0472 CVE-2016-0471 CVE-2016-0470
CVE-2016-0467 CVE-2016-0466 CVE-2016-0465
CVE-2016-0464 CVE-2016-0463 CVE-2016-0462
CVE-2016-0461 CVE-2016-0460 CVE-2016-0459
CVE-2016-0458 CVE-2016-0457 CVE-2016-0456
CVE-2016-0455 CVE-2016-0454 CVE-2016-0453
CVE-2016-0452 CVE-2016-0451 CVE-2016-0450
CVE-2016-0449 CVE-2016-0448 CVE-2016-0447
CVE-2016-0446 CVE-2016-0445 CVE-2016-0444
CVE-2016-0443 CVE-2016-0442 CVE-2016-0441
CVE-2016-0440 CVE-2016-0439 CVE-2016-0438
CVE-2016-0437 CVE-2016-0436 CVE-2016-0435
CVE-2016-0434 CVE-2016-0433 CVE-2016-0432
CVE-2016-0431 CVE-2016-0430 CVE-2016-0429
CVE-2016-0428 CVE-2016-0427 CVE-2016-0426
CVE-2016-0425 CVE-2016-0424 CVE-2016-0423
CVE-2016-0422 CVE-2016-0421 CVE-2016-0420
CVE-2016-0419 CVE-2016-0418 CVE-2016-0417
CVE-2016-0416 CVE-2016-0415 CVE-2016-0414
CVE-2016-0413 CVE-2016-0412 CVE-2016-0411
CVE-2016-0409 CVE-2016-0406 CVE-2016-0405
CVE-2016-0404 CVE-2016-0403 CVE-2016-0402
CVE-2016-0401 CVE-2015-8370 CVE-2015-8126
CVE-2015-8104 CVE-2015-7744 CVE-2015-7575
CVE-2015-7183 CVE-2015-6015 CVE-2015-6014
CVE-2015-6013 CVE-2015-5307 CVE-2015-4926
CVE-2015-4925 CVE-2015-4924 CVE-2015-4923
CVE-2015-4922 CVE-2015-4921 CVE-2015-4920
CVE-2015-4919 CVE-2015-4885 CVE-2015-4808
CVE-2015-4000 CVE-2015-3195 CVE-2015-3183
CVE-2015-3153 CVE-2015-1793 CVE-2015-0286
CVE-2015-0235 CVE-2014-3583 CVE-2014-0107
CVE-2014-0050 CVE-2013-2186 CVE-2013-1741
Member content until: Friday, February 19 2016
Reference: ASB-2015.0070
ASB-2015.0035
ASB-2015.0009
ASB-2014.0121
ASB-2014.0077
OVERVIEW
Oracle has released updates which correct vulnerabilities in
numerous products. [1]
Oracle states: "This Critical Patch Update contains 248 new security
fixes across the product families listed below." [1]
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
Oracle GoldenGate, version(s) 11.2, 12.1.2
Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0
Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.0.0, 7.6.0.0
Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0, 12.2.1
Oracle GlassFish Server, version(s) 3.1.2
Oracle Identity Federation, version(s) 11.1.1.7, 11.1.2.2
Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
Oracle Tuxedo, version(s) 12.1.1.0
Oracle Web Cache, version(s) 11.1.1.7.0, 11.1.1.9.0
Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.8.0
Oracle WebLogic Portal, version(s) 10.3.6
Oracle WebLogic Server, version(s) 10.3.6, 12.1.2, 12.1.3, 12.2.1
Enterprise Manager Base Platform, version(s) 11.1.0.1, 11.2.0.4, 12.1.0.4, 12.1.0.5
Enterprise Manager Ops Center, version(s) prior to 12.1.4, 12.2.0, 12.2.1, 12.3.0
Oracle Application Testing Suite, version(s) 12.4.0.2, 12.5.0.2
Application Mgmt Pack for E-Business Suite, version(s) 12.1, 12.2
Oracle E-Business Suite, version(s) 11.5.10.2, 12.1, 12.1.1, 12.1.2, 12.1.3, 12.2, 12.2.3, 12.2.4, 12.2.5
Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0
Oracle Agile PLM, version(s) 9.3.1.1, 9.3.1.2, 9.3.2, 9.3.3
Oracle Configurator, version(s) 11.5.10.2, 12.1, 12.2
PeopleSoft Enterprise HCM Global Payroll Switzerland, version(s) 9.1, 9.2
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54, 8.55
PeopleSoft Enterprise SCM eProcurement, version(s) 9.1, 9.2
PeopleSoft Enterprise SCM Order Management, version(s) 9.1, 9.2
PeopleSoft Enterprise SCM Purchasing, version(s) 9.1, 9.2
JD Edwards EnterpriseOne Tools, version(s) 9.1, 9.2
Oracle iLearning, version(s) 6.0, 6.1
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.10
Oracle Communications Converged Application Server - Service Controller, version(s) 6.1
Oracle Communications EAGLE LNP Application Processor, version(s) 10.0
Oracle Communications Online Mediation Controller, version(s) 6.1
Oracle Communications Service Broker, version(s) 6.0, 6.1
Oracle Communications Service Broker Engineered System Edition, version(s) 6.0
MICROS CWDirect, version(s) 12.5, 13.0, 14.0, 15.0, 16.0, 17.0 18.0
Oracle Retail Open Commerce Platform Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0
Oracle Retail Order Broker Cloud Service, version(s) 4.0, 4.1.
Oracle Retail Order Management System Cloud Service, version(s) 3.5, 4.5, 4.7, 5.0, 15.0
Oracle Retail Point-of-Service, version(s) 13.4, 14.0, 14.1
Oracle Java SE, version(s) 6u105, 7u91, 8u66
Oracle Java SE Embedded, version(s) 8u65
Oracle JRockit, version(s) R28.3.8
Oracle Switch ES1-24, version(s) prior to 1.3.1.13
Solaris, version(s) 10, 11
Solaris Cluster, version(s) 3.3, 4, 4.2
Sun Blade 6000 Ethernet Switched NEM 24P 10GE, version(s) prior to 1.2.2.13
Sun Network 10GE Switch 72p, version(s) prior to 1.2.2.15
Oracle Secure Global Desktop, version(s) 4.63, 4.71, 5.2
Oracle VM VirtualBox, version(s) prior to 4.0.36, prior to 4.1.44, prior to 4.2.36, prior to 4.3.36, prior to 5.0.14
MySQL Server, version(s) 5.5.46 and prior, 5.6.27 and prior, 5.7.9
IMPACT
Limited impact details have been published by Oracle in their Text
Form Risk Matrices. [2]
MITIGATION
Oracle states: "Oracle continues to periodically receive reports of
attempts to maliciously exploit vulnerabilities for which Oracle has
already released fixes. In some instances, it has been reported that
attackers have been successful because targeted customers had failed
to apply available Oracle patches. Oracle therefore strongly
recommends that customers remain on actively-supported versions and
apply Critical Patch Update fixes without delay." [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - January 2016
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
[2] Text Form of Oracle Critical Patch Update - January 2016 Risk
Matrices
http://www.oracle.com/technetwork/topics/security/cpujan2016verbose-2367956.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQIVAwUBVp7wO36ZAP0PgtI9AQKevhAAy2OJtHVvt/j56gYGzPp+2UcwXetXRIMR
X35zTXM4mw4NY8bAcL6Rvz5a8npMGQsmSVwtF3Z/uXEXIRHfJDlM1NOiyF2GJCZY
cTZm6Ni5z66ySDzn+NPdP8jHhXUnATfOtR4kL951ozm0nvheF7LUzuGActORavLD
GqtSKc5A/4GtG0mJLu1mhd+v5YHZQwrXadkor30XdkPwJ1MAXZGeeJxIQ1Vb+RZd
G4NDwKJrSxjcV5jsd8lA6Uop4JTfTwnhxW6g0f229FBIWcBANYEq3MGpFynovrzO
Yz0r+l6t8qbputMBYUYPvbRi+TwylMB8cKyditKAFUVYsveBG/3SYmMfWlShNhRZ
syJWt7s7SWl9XzMEgVFRoc6UYwrZkPy3i1ELU5y2F3wmYyijzga+gIf1gozqanjt
//866ExDgolBj0bFzug9e4U1sz3msBdRbsP0cM4nYoLkQ/85cBYDieMHlcQeB/B6
Wl57ebsykltGKIxUzfcTQMP6DLSFErg8TIg3+b9hHdkMARdEMk17xXmt67LmSQxn
U4kdvphvlJemVNBavqAJm2xKQ9qTIs8EeoxZdQOAo7/jux2/4mWpGZE/ThdYqFpx
1E41w9099blc6SVyp6P1TcbRciN5qpz9OFdMHJsyBfnhuyeXvj8KOpFdtbbJK2UX
PA8xg7SeRAM=
=VMiR
-----END PGP SIGNATURE-----