-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2016.0095
        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              19 October 2016

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Products
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-8296 CVE-2016-8295 CVE-2016-8294
                      CVE-2016-8293 CVE-2016-8292 CVE-2016-8291
                      CVE-2016-8290 CVE-2016-8289 CVE-2016-8288
                      CVE-2016-8287 CVE-2016-8286 CVE-2016-8285
                      CVE-2016-8284 CVE-2016-8283 CVE-2016-8281
                      CVE-2016-7440 CVE-2016-7052 CVE-2016-6662
                      CVE-2016-6309 CVE-2016-6308 CVE-2016-6307
                      CVE-2016-6306 CVE-2016-6305 CVE-2016-6304
                      CVE-2016-6303 CVE-2016-6302 CVE-2016-5635
                      CVE-2016-5634 CVE-2016-5633 CVE-2016-5632
                      CVE-2016-5631 CVE-2016-5630 CVE-2016-5629
                      CVE-2016-5628 CVE-2016-5627 CVE-2016-5626
                      CVE-2016-5625 CVE-2016-5624 CVE-2016-5622
                      CVE-2016-5621 CVE-2016-5620 CVE-2016-5619
                      CVE-2016-5618 CVE-2016-5617 CVE-2016-5616
                      CVE-2016-5615 CVE-2016-5613 CVE-2016-5612
                      CVE-2016-5611 CVE-2016-5610 CVE-2016-5609
                      CVE-2016-5608 CVE-2016-5607 CVE-2016-5606
                      CVE-2016-5605 CVE-2016-5604 CVE-2016-5603
                      CVE-2016-5602 CVE-2016-5601 CVE-2016-5600
                      CVE-2016-5599 CVE-2016-5598 CVE-2016-5597
                      CVE-2016-5596 CVE-2016-5595 CVE-2016-5594
                      CVE-2016-5593 CVE-2016-5592 CVE-2016-5591
                      CVE-2016-5589 CVE-2016-5588 CVE-2016-5587
                      CVE-2016-5586 CVE-2016-5585 CVE-2016-5584
                      CVE-2016-5583 CVE-2016-5582 CVE-2016-5581
                      CVE-2016-5580 CVE-2016-5579 CVE-2016-5578
                      CVE-2016-5577 CVE-2016-5576 CVE-2016-5575
                      CVE-2016-5574 CVE-2016-5573 CVE-2016-5572
                      CVE-2016-5571 CVE-2016-5570 CVE-2016-5569
                      CVE-2016-5568 CVE-2016-5567 CVE-2016-5566
                      CVE-2016-5565 CVE-2016-5564 CVE-2016-5563
                      CVE-2016-5562 CVE-2016-5561 CVE-2016-5560
                      CVE-2016-5559 CVE-2016-5558 CVE-2016-5557
                      CVE-2016-5556 CVE-2016-5555 CVE-2016-5554
                      CVE-2016-5553 CVE-2016-5544 CVE-2016-5543
                      CVE-2016-5542 CVE-2016-5540 CVE-2016-5539
                      CVE-2016-5538 CVE-2016-5537 CVE-2016-5536
                      CVE-2016-5535 CVE-2016-5534 CVE-2016-5533
                      CVE-2016-5532 CVE-2016-5531 CVE-2016-5530
                      CVE-2016-5529 CVE-2016-5527 CVE-2016-5526
                      CVE-2016-5525 CVE-2016-5524 CVE-2016-5523
                      CVE-2016-5522 CVE-2016-5521 CVE-2016-5519
                      CVE-2016-5518 CVE-2016-5517 CVE-2016-5516
                      CVE-2016-5515 CVE-2016-5514 CVE-2016-5513
                      CVE-2016-5512 CVE-2016-5511 CVE-2016-5510
                      CVE-2016-5508 CVE-2016-5507 CVE-2016-5506
                      CVE-2016-5505 CVE-2016-5504 CVE-2016-5503
                      CVE-2016-5502 CVE-2016-5501 CVE-2016-5500
                      CVE-2016-5499 CVE-2016-5498 CVE-2016-5497
                      CVE-2016-5495 CVE-2016-5493 CVE-2016-5492
                      CVE-2016-5491 CVE-2016-5490 CVE-2016-5489
                      CVE-2016-5488 CVE-2016-5487 CVE-2016-5486
                      CVE-2016-5482 CVE-2016-5481 CVE-2016-5480
                      CVE-2016-5479 CVE-2016-4979 CVE-2016-3562
                      CVE-2016-3551 CVE-2016-3505 CVE-2016-3495
                      CVE-2016-3492 CVE-2016-3473 CVE-2016-3081
                      CVE-2016-2183 CVE-2016-2182 CVE-2016-2181
                      CVE-2016-2180 CVE-2016-2179 CVE-2016-2178
                      CVE-2016-2177 CVE-2016-2176 CVE-2016-2109
                      CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
                      CVE-2016-1950 CVE-2016-1881 CVE-2016-1546
                      CVE-2016-1182 CVE-2016-1181 CVE-2016-0763
                      CVE-2016-0714 CVE-2016-0706 CVE-2016-0635
                      CVE-2015-7940 CVE-2015-7501 CVE-2015-5351
                      CVE-2015-4852 CVE-2015-3253 CVE-2015-3197
                      CVE-2015-3195 CVE-2015-2568 CVE-2015-1793
                      CVE-2015-1792 CVE-2015-1791 CVE-2015-1790
                      CVE-2015-1789 CVE-2015-1788 CVE-2015-1351
                      CVE-2015-0500 CVE-2015-0433 CVE-2015-0423
                      CVE-2015-0411 CVE-2015-0409 CVE-2015-0382
                      CVE-2015-0381 CVE-2015-0286 CVE-2015-0235
                      CVE-2014-9296 CVE-2014-9295 CVE-2014-9294
                      CVE-2014-9293 CVE-2014-7809 CVE-2014-3571
                      CVE-2014-2532 CVE-2014-0227 CVE-2014-0224
                      CVE-2014-0119 CVE-2014-0114 CVE-2014-0099
                      CVE-2014-0096 CVE-2014-0075 CVE-2014-0050
                      CVE-2013-4590 CVE-2013-4444 CVE-2013-4322
                      CVE-2013-4286 CVE-2013-2566 CVE-2013-2067
                      CVE-2012-1007 CVE-2010-5312 
Member content until: Friday, November 18 2016
Reference:            ASB-2016.0087
                      ASB-2016.0080
                      ASB-2016.0074
                      ESB-2013.0875
                      ESB-2013.0667
                      ESB-2013.0562

OVERVIEW

        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]
        
        Oracle states: "This Critical Patch Update contains 253 new
        security fixes across the product families listed below." [1]
        
        Application Express, version(s) prior to 5.0.4.0.7
        Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
        Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0
        Big Data Graph, version(s) prior to 1.2
        NetBeans, version(s) 8.1
        Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
        Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0
        Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0
        Oracle Data Integrator, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
        Oracle Discoverer, version(s) 11.1.1.7.0
        Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1
        Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
        Oracle Identity Manager, version(s)
        Oracle iPlanet Web Proxy Server, version(s) 4.0
        Oracle iPlanet Web Server, version(s) 7.0
        Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3
        Oracle Platform Security for Java, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
        Oracle Web Services, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
        Oracle WebCenter Sites, version(s) 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
        Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1
        Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2
        Enterprise Manager Base Platform, version(s) 12.1.0.5
        Oracle Application Testing Suite, version(s) 12.5.0.1, 12.5.0.2, 12.5.0.3
        Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6
        Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5
        Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
        Oracle Agile PLM, version(s) 9.3.4, 9.3.5
        Oracle Agile Product Lifecycle Management for Process, version(s) 6.1.0.4, 6.1.1.6, 6.2.0.0
        Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
        PeopleSoft Enterprise HCM, version(s) 9.2
        PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
        PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2
        JD Edwards EnterpriseOne Tools, version(s) 9.1
        JD Edwards World Security, version(s) A9.4
        Siebel Applications, version(s) 7.1, 16.1
        Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2
        Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
        Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.1 
        Oracle Commerce Service Center, version(s) 10.0.3.5, 10.2.0.5
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
        Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior
        Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier 
        Oracle Enterprise Session Border Controller, version(s) Ecz7.3m2p2 and earlier
        Oracle Banking Digital Experience, version(s) 15.1
        Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
        Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0
        Oracle FLEXCUBE Core Banking, version(s) 11.5.0.0.0, 11.6.0.0.0
        Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0
        Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1
        Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
        Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2
        Oracle Life Sciences Data Hub, version(s) 2.x
        Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
        Oracle Insurance IStream, version(s) 4.3.2
        MICROS XBR, version(s) 7.0.2, 7.0.4
        Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0
        Oracle Retail Customer Insights, version(s) 15.0
        Oracle Retail Merchandising Insights, version(s) 15.0
        Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Xstore Payment, version(s) 1.x
        Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1
        Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x
        Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x
        Oracle Java SE, version(s) 6u121, 7u111, 8u102
        Oracle Java SE Embedded, version(s) 8u101
        Solaris, version(s) 10, 11.3
        Solaris Cluster, version(s) 3.3, 4.3
        Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
        Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8
        Secure Global Desktop, version(s) 4.7, 5.2
        Sun Ray Operating Software, version(s) prior to 11.1.7
        Virtual Desktop Infrastructure, version(s) prior to 3.5.3
        MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior
        MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior
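        The product list above mixes several phrasings ("prior to X", "X and
        prior", "X and earlier", "X through Y", and plain version lists), and
        reading them naively produces wrong answers: MySQL 5.5.53 is numerically
        below "5.6.33 and prior" yet is a fixed release. The Python checker
        below is an added example, not AusCERT or Oracle tooling; it parses a
        few lines copied from the list (embedded as constructed sample input)
        and decides whether an installed version falls inside an affected
        clause. Its branch handling is an assumption of this example, not
        something the bulletin states: when a product carries more than one
        upper bound, each bound is scoped to its own major.minor branch; a lone
        bound applies to every older version. Java-style strings such as
        "8u102" are deliberately out of scope.

```python
"""Check installed versions against the affected-version phrasing used in the
bulletin's product list.  Added example; not AusCERT or Oracle tooling."""
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, ...]
# Clause kinds: ("lt", bound, None), ("le", bound, None),
#               ("range", low, high), ("eq", version, None)
Clause = Tuple[str, Version, Optional[Version]]

# Constructed sample input: lines copied verbatim from the bulletin's list.
SAMPLE_LIST = """
Application Express, version(s) prior to 5.0.4.0.7
Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0
Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior
"""

_NUM = r"(\d+(?:\.\d+)*)"  # dotted-numeric version, captured as one group


def parse_version(text: str) -> Version:
    """'5.0.4.0.7' -> (5, 0, 4, 0, 7).  Only dotted-numeric versions are handled;
    forms such as Java's '8u102' are outside this example's scope."""
    text = text.strip()
    if not re.fullmatch(_NUM, text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in text.split("."))


def parse_clause(clause: str) -> Clause:
    """Turn one comma-separated phrase from the bulletin into a clause tuple."""
    clause = clause.strip()
    if m := re.fullmatch(rf"prior to {_NUM}", clause):
        return ("lt", parse_version(m.group(1)), None)
    if m := re.fullmatch(rf"{_NUM} and (?:prior|earlier)", clause):
        return ("le", parse_version(m.group(1)), None)
    if m := re.fullmatch(rf"{_NUM} through {_NUM}", clause):
        return ("range", parse_version(m.group(1)), parse_version(m.group(2)))
    if re.fullmatch(_NUM, clause):
        return ("eq", parse_version(clause), None)
    raise ValueError(f"unrecognised clause: {clause!r}")


def parse_affected_list(text: str) -> Dict[str, List[Clause]]:
    """Map product name -> list of clauses, one entry per non-empty line."""
    table: Dict[str, List[Clause]] = {}
    for line in text.strip().splitlines():
        product, sep, spec = line.partition(", version(s)")
        if not sep:
            raise ValueError(f"line lacks ', version(s)': {line!r}")
        table[product.strip()] = [parse_clause(c) for c in spec.split(",") if c.strip()]
    return table


def _same_branch(a: Version, b: Version) -> bool:
    # Assumption: a release branch is identified by the first two components
    # (5.7.x, 12.1.x.x.x), which is how the bulletin's multi-branch rows read.
    return a[:2] == b[:2]


def is_affected(product: str, installed: str, table: Dict[str, List[Clause]]) -> bool:
    """True if `installed` falls inside any affected clause for `product`.

    Interpretation (an assumption of this example, not stated by the bulletin):
    when a product lists several upper bounds, each bound applies only to its
    own release branch, so MySQL 5.5.53 is not caught by '5.6.33 and prior'.
    A lone bound ('prior to 5.0.4.0.7') applies to every older version.
    """
    ver = parse_version(installed)
    clauses = table.get(product)
    if clauses is None:
        raise KeyError(f"{product!r} is not in the affected list")
    scoped = sum(1 for c in clauses if c[0] in ("lt", "le")) > 1
    for kind, low, high in clauses:
        if kind == "eq" and ver[:len(low)] == low:   # 11.2.0.4 also matches 11.2.0.4.x
            return True
        if kind == "range" and low <= ver <= high:
            return True
        if kind in ("lt", "le"):
            if scoped and not _same_branch(ver, low):
                continue
            if (kind == "lt" and ver < low) or (kind == "le" and ver <= low):
                return True
    return False


def check(product: str, installed: str) -> bool:
    """Convenience wrapper over the constructed SAMPLE_LIST."""
    return is_affected(product, installed, parse_affected_list(SAMPLE_LIST))


if __name__ == "__main__":
    for prod, ver in [("MySQL Server", "5.7.15"), ("MySQL Server", "5.7.16"),
                      ("MySQL Server", "5.5.53"), ("Application Express", "4.2.6")]:
        print(f"{prod} {ver}: {'AFFECTED' if check(prod, ver) else 'not affected'}")
```

        Exact entries are matched as prefixes so that a patch-level build such
        as 11.2.0.4.0 still counts as 11.2.0.4; if an inventory reports a
        version string the parser rejects, that row needs a manual read of the
        list rather than a silent "not affected".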
        
        Oracle also notes the following:
        
        "Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware
        may affect Oracle Fusion Applications, so Oracle customers should refer
        to Oracle Fusion Applications Critical Patch Update Knowledge Document,
        My Oracle Support Note 1967316.1 for information on patches to be
        applied to Fusion Application environments.
        
        Users running Java SE with a browser can download the latest release
        from http://java.com. Users on the Windows and Mac OS X platforms can
        also use automatic updates to get the latest release.
        
        Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so
        Oracle customers should refer to the Oracle and Sun Systems Product
        Suite Critical Patch Update Knowledge Document, My Oracle Support Note
        2160904.1 for information on minimum revisions of security fixes
        required to resolve ZFSSA issues published in Critical Patch Updates
        (CPUs) and Solaris Third Party bulletins.
        
        Users can download the latest release of Netbeans from 
        http://netbeans.org. Users running earlier versions of Netbeans can use
        automatic updates to get the latest patches." [1]


IMPACT

        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


MITIGATION

        Oracle states:
        
        "Due to the threat posed by a successful attack, Oracle strongly 
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of 
        successful attack by blocking network protocols required by an 
        attack. For attacks that require certain privileges or access to 
        certain packages, removing the privileges or the ability to access 
        the packages from users that do not need the privileges may help 
        reduce the risk of successful attack. Both approaches may break 
        application functionality, so Oracle strongly recommends that 
        customers test changes on non-production systems. Neither approach 
        should be considered a long-term solution as neither corrects the 
        underlying problem." [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2016
            http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

        [2] Text Form of Oracle Critical Patch Update - October 2016 Risk
            Matrices
            http://www.oracle.com/technetwork/topics/security/cpuoct2016verbose-2881725.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----