-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT Security Bulletin ASB-2016.0095
   Oracle have released updates which correct vulnerabilities in numerous
                                 products
                              19 October 2016
===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           Oracle Products
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                   Access Privileged Data          -- Remote/Unauthenticated
                   Modify Arbitrary Files          -- Remote/Unauthenticated
                   Denial of Service               -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2016-8296 CVE-2016-8295 CVE-2016-8294 CVE-2016-8293 CVE-2016-8292 CVE-2016-8291 CVE-2016-8290 CVE-2016-8289 CVE-2016-8288 CVE-2016-8287 CVE-2016-8286 CVE-2016-8285 CVE-2016-8284 CVE-2016-8283 CVE-2016-8281 CVE-2016-7440 CVE-2016-7052 CVE-2016-6662 CVE-2016-6309 CVE-2016-6308 CVE-2016-6307 CVE-2016-6306 CVE-2016-6305 CVE-2016-6304 CVE-2016-6303 CVE-2016-6302 CVE-2016-5635 CVE-2016-5634 CVE-2016-5633 CVE-2016-5632 CVE-2016-5631 CVE-2016-5630 CVE-2016-5629 CVE-2016-5628 CVE-2016-5627 CVE-2016-5626 CVE-2016-5625 CVE-2016-5624 CVE-2016-5622 CVE-2016-5621 CVE-2016-5620 CVE-2016-5619 CVE-2016-5618 CVE-2016-5617 CVE-2016-5616 CVE-2016-5615 CVE-2016-5613 CVE-2016-5612 CVE-2016-5611 CVE-2016-5610 CVE-2016-5609 CVE-2016-5608 CVE-2016-5607 CVE-2016-5606 CVE-2016-5605 CVE-2016-5604 CVE-2016-5603 CVE-2016-5602 CVE-2016-5601 CVE-2016-5600 CVE-2016-5599 CVE-2016-5598 CVE-2016-5597 CVE-2016-5596 CVE-2016-5595 CVE-2016-5594 CVE-2016-5593 CVE-2016-5592 CVE-2016-5591 CVE-2016-5589 CVE-2016-5588 CVE-2016-5587 CVE-2016-5586 CVE-2016-5585 CVE-2016-5584 CVE-2016-5583 CVE-2016-5582 CVE-2016-5581 CVE-2016-5580 CVE-2016-5579 CVE-2016-5578 CVE-2016-5577 CVE-2016-5576 CVE-2016-5575 CVE-2016-5574 CVE-2016-5573 CVE-2016-5572 CVE-2016-5571 CVE-2016-5570 CVE-2016-5569
CVE-2016-5568 CVE-2016-5567 CVE-2016-5566 CVE-2016-5565 CVE-2016-5564 CVE-2016-5563 CVE-2016-5562 CVE-2016-5561 CVE-2016-5560 CVE-2016-5559 CVE-2016-5558 CVE-2016-5557 CVE-2016-5556 CVE-2016-5555 CVE-2016-5554 CVE-2016-5553 CVE-2016-5544 CVE-2016-5543 CVE-2016-5542 CVE-2016-5540 CVE-2016-5539 CVE-2016-5538 CVE-2016-5537 CVE-2016-5536 CVE-2016-5535 CVE-2016-5534 CVE-2016-5533 CVE-2016-5532 CVE-2016-5531 CVE-2016-5530 CVE-2016-5529 CVE-2016-5527 CVE-2016-5526 CVE-2016-5525 CVE-2016-5524 CVE-2016-5523 CVE-2016-5522 CVE-2016-5521 CVE-2016-5519 CVE-2016-5518 CVE-2016-5517 CVE-2016-5516 CVE-2016-5515 CVE-2016-5514 CVE-2016-5513 CVE-2016-5512 CVE-2016-5511 CVE-2016-5510 CVE-2016-5508 CVE-2016-5507 CVE-2016-5506 CVE-2016-5505 CVE-2016-5504 CVE-2016-5503 CVE-2016-5502 CVE-2016-5501 CVE-2016-5500 CVE-2016-5499 CVE-2016-5498 CVE-2016-5497 CVE-2016-5495 CVE-2016-5493 CVE-2016-5492 CVE-2016-5491 CVE-2016-5490 CVE-2016-5489 CVE-2016-5488 CVE-2016-5487 CVE-2016-5486 CVE-2016-5482 CVE-2016-5481 CVE-2016-5480 CVE-2016-5479 CVE-2016-4979 CVE-2016-3562 CVE-2016-3551 CVE-2016-3505 CVE-2016-3495 CVE-2016-3492 CVE-2016-3473 CVE-2016-3081 CVE-2016-2183 CVE-2016-2182 CVE-2016-2181 CVE-2016-2180 CVE-2016-2179 CVE-2016-2178 CVE-2016-2177 CVE-2016-2176 CVE-2016-2109 CVE-2016-2107 CVE-2016-2106 CVE-2016-2105 CVE-2016-1950 CVE-2016-1881 CVE-2016-1546 CVE-2016-1182 CVE-2016-1181 CVE-2016-0763 CVE-2016-0714 CVE-2016-0706 CVE-2016-0635 CVE-2015-7940 CVE-2015-7501 CVE-2015-5351 CVE-2015-4852 CVE-2015-3253 CVE-2015-3197 CVE-2015-3195 CVE-2015-2568 CVE-2015-1793 CVE-2015-1792 CVE-2015-1791 CVE-2015-1790 CVE-2015-1789 CVE-2015-1788 CVE-2015-1351 CVE-2015-0500 CVE-2015-0433 CVE-2015-0423 CVE-2015-0411 CVE-2015-0409 CVE-2015-0382 CVE-2015-0381 CVE-2015-0286 CVE-2015-0235 CVE-2014-9296 CVE-2014-9295 CVE-2014-9294 CVE-2014-9293 CVE-2014-7809 CVE-2014-3571 CVE-2014-2532 CVE-2014-0227 CVE-2014-0224 CVE-2014-0119 CVE-2014-0114 CVE-2014-0099 CVE-2014-0096 CVE-2014-0075 CVE-2014-0050 CVE-2013-4590 
CVE-2013-4444 CVE-2013-4322 CVE-2013-4286 CVE-2013-2566 CVE-2013-2067 CVE-2012-1007 CVE-2010-5312

Member content until: Friday, November 18 2016

Reference:         ASB-2016.0087
                   ASB-2016.0080
                   ASB-2016.0074
                   ESB-2013.0875
                   ESB-2013.0667
                   ESB-2013.0562

OVERVIEW

        Oracle has released updates which correct vulnerabilities in
        numerous products. [1]

        Oracle states:

        "This Critical Patch Update contains 253 new security fixes across
        the product families listed below." [1]

        Application Express, version(s) prior to 5.0.4.0.7
        Oracle Database Server, version(s) 11.2.0.4, 12.1.0.2
        Oracle Secure Backup, version(s) prior to 10.4.0.4.0, prior to 12.1.0.2.0
        Big Data Graph, version(s) prior to 1.2
        NetBeans, version(s) 8.1
        Oracle BI Publisher, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.2.1.0.0
        Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0
        Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.1.0.0, 12.2.1.1.0
        Oracle Data Integrator, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.2.0.0, 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
        Oracle Discoverer, version(s) 11.1.1.7.0
        Oracle Fusion Middleware, version(s) 11.1.1.7, 11.1.1.9, 11.1.2.3, 11.1.2.4, 12.1.3.0, 12.2.1.0, 12.2.1.1
        Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
        Oracle Identity Manager, version(s)
        Oracle iPlanet Web Proxy Server, version(s) 4.0
        Oracle iPlanet Web Server, version(s) 7.0
        Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3
        Oracle Platform Security for Java, version(s) 12.1.3.0.0, 12.2.1.0.0, 12.2.1.1.0
        Oracle Web Services, version(s) 11.1.1.7.0, 11.1.1.9.0, 12.1.3.0.0, 12.2.1.0.0
        Oracle WebCenter Sites, version(s) 12.2.1.0.0, 12.2.1.1.0, 12.2.1.2.0
        Oracle WebLogic Server, version(s) 10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1
        Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2
        Enterprise Manager Base Platform, version(s) 12.1.0.5
        Oracle Application Testing Suite, version(s) 12.5.0.1, 12.5.0.2, 12.5.0.3
        Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4,
        12.2.5, 12.2.6
        Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5
        Oracle Agile Engineering Data Management, version(s) 6.1.3.0, 6.2.0.0
        Oracle Agile PLM, version(s) 9.3.4, 9.3.5
        Oracle Agile Product Lifecycle Management for Process, version(s) 6.1.0.4, 6.1.1.6, 6.2.0.0
        Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
        PeopleSoft Enterprise HCM, version(s) 9.2
        PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
        PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2
        JD Edwards EnterpriseOne Tools, version(s) 9.1
        JD Edwards World Security, version(s) A9.4
        Siebel Applications, version(s) 7.1, 16.1
        Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2
        Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0, 6.4.1.2, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
        Oracle Commerce Platform, version(s) 10.0.3.5, 10.2.0.5, 11.2.0.1
        Oracle Commerce Service Center, version(s) 10.0.3.5, 10.2.0.5
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
        Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior
        Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier
        Oracle Enterprise Session Border Controller, version(s) Ecz7.3m2p2 and earlier
        Oracle Banking Digital Experience, version(s) 15.1
        Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
        Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0
        Oracle FLEXCUBE Core Banking, version(s) 11.5.0.0.0, 11.6.0.0.0
        Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0
        Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1
        Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
        Oracle FLEXCUBE Universal Banking,
        version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2
        Oracle Life Sciences Data Hub, version(s) 2.x
        Oracle Hospitality OPERA 5 Property Services, version(s) 5.4.0.0, 5.4.1.0, 5.4.2.0, 5.4.3.0, 5.5.0.0, 5.5.1.0
        Oracle Insurance IStream, version(s) 4.3.2
        MICROS XBR, version(s) 7.0.2, 7.0.4
        Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0
        Oracle Retail Customer Insights, version(s) 15.0
        Oracle Retail Merchandising Insights, version(s) 15.0
        Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Xstore Payment, version(s) 1.x
        Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1
        Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x
        Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x
        Oracle Java SE, version(s) 6u121, 7u111, 8u102
        Oracle Java SE Embedded, version(s) 8u101
        Solaris, version(s) 10, 11.3
        Solaris Cluster, version(s) 3.3, 4.3
        Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
        Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8
        Secure Global Desktop, version(s) 4.7, 5.2
        Sun Ray Operating Software, version(s) prior to 11.1.7
        Virtual Desktop Infrastructure, version(s) prior to 3.5.3
        MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior
        MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior

        Oracle also notes the following:

        "Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware
        may affect Oracle Fusion Applications, so Oracle customers should refer
        to Oracle Fusion Applications Critical Patch Update Knowledge Document,
        My Oracle Support Note 1967316.1 for information on patches to be
        applied to Fusion Application environments.
        Users running Java SE with a browser can download the latest release
        from http://java.com. Users on the Windows and Mac OS X platforms can
        also use automatic updates to get the latest release.

        Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so
        Oracle customers should refer to the Oracle and Sun Systems Product
        Suite Critical Patch Update Knowledge Document, My Oracle Support Note
        2160904.1 for information on minimum revisions of security fixes
        required to resolve ZFSSA issues published in Critical Patch Updates
        (CPUs) and Solaris Third Party bulletins.

        Users can download the latest release of Netbeans from
        http://netbeans.org. Users running earlier versions of Netbeans can use
        automatic updates to get the latest patches." [1]

IMPACT

        Limited impact details have been published by Oracle in their Text
        Form Risk Matrices. [2]

MITIGATION

        Oracle states:

        "Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of
        successful attack by blocking network protocols required by an attack.
        For attacks that require certain privileges or access to certain
        packages, removing the privileges or the ability to access the packages
        from users that do not need the privileges may help reduce the risk of
        successful attack. Both approaches may break application functionality,
        so Oracle strongly recommends that customers test changes on
        non-production systems. Neither approach should be considered a
        long-term solution as neither corrects the underlying problem."
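The practical first step with a bulletin of this size is deciding which of
your own installations fall inside the affected-version ranges listed in the
OVERVIEW above. The affected-product list uses three phrasings ("X and prior",
"prior to X", and a bare version such as "8u102"), and a naive string
comparison gets them wrong (for example, MySQL 5.6.34 is newer than the 5.6
entry but older than the 5.7 entry). The following triage helper is an added
example written for this page; it is not AusCERT's or Oracle's tooling. It
copies a handful of entries verbatim from the list above and encodes one
labelled assumption: a bare listed version (Java SE "8u102", WebLogic
"12.2.1.1") is treated as "that version and prior" within the same release
line, since Oracle lists the latest affected release of each line. The sample
inventory at the bottom is constructed, not real hosts.

```python
"""Triage helper for the affected-version list in ASB-2016.0095.

Added example, not part of the AusCERT bulletin or the Oracle advisory.
"""
import re
from typing import Dict, Tuple

Version = Tuple[int, ...]

# Subset of the bulletin's affected-products list, copied verbatim from the
# text above (constructed subset; the real list is far longer).
AFFECTED: Dict[str, str] = {
    "MySQL Server": "5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior",
    "Oracle VM VirtualBox": "prior to 5.0.28, prior to 5.1.8",
    "Oracle Java SE": "6u121, 7u111, 8u102",
    "Oracle WebLogic Server": "10.3.6.0, 12.1.3.0, 12.2.1.0, 12.2.1.1",
}


def parse_version(text: str) -> Version:
    """'12.1.3.0' -> (12, 1, 3, 0); Java-style '8u102' -> (8, 102)."""
    return tuple(int(p) for p in re.split(r"[.u]", text.strip()))


def parse_entry(entry: str) -> Tuple[Version, bool]:
    """Map one comma-separated item from the bulletin to (bound, inclusive).

    '5.7.15 and prior' -> ((5, 7, 15), True)   installed <= bound is affected
    'prior to 5.0.28'  -> ((5, 0, 28), False)  installed <  bound is affected
    '8u102'            -> ((8, 102),   True)   ASSUMPTION: bare version read
                                               as 'that version and prior'
    """
    entry = entry.strip()
    m = re.fullmatch(r"prior to ([\w.]+)", entry)
    if m:
        return parse_version(m.group(1)), False
    m = re.fullmatch(r"([\w.]+) and prior", entry)
    if m:
        return parse_version(m.group(1)), True
    if re.fullmatch(r"[\w.]+", entry):
        return parse_version(entry), True
    raise ValueError(f"unrecognised version phrase: {entry!r}")


def check(installed: str, phrases: str) -> str:
    """Classify an installed version against one product's phrase list.

    Returns 'affected', 'clear' (same release line but newer than the listed
    affected version) or 'not listed' (no entry covers that release line, e.g.
    WebLogic 10.3.5.0, which the bulletin says nothing about).
    """
    inst = parse_version(installed)
    verdict = "not listed"
    for item in phrases.split(","):
        bound, inclusive = parse_entry(item)
        line = bound[:-1]                      # release line, e.g. (5, 6)
        padded = inst + (0,) * (len(bound) - len(inst))
        if padded[: len(line)] != line:
            continue                           # different line, e.g. 5.6 vs 5.7
        head = padded[: len(bound)]
        if (head <= bound) if inclusive else (head < bound):
            return "affected"
        verdict = "clear"
    return verdict


def triage(inventory: Dict[str, str]) -> Dict[str, str]:
    """Run check() over {product: installed_version} for known products."""
    return {p: check(v, AFFECTED[p]) for p, v in inventory.items() if p in AFFECTED}


if __name__ == "__main__":
    # Constructed sample inventory (hypothetical hosts, not real data).
    sample = {
        "MySQL Server": "5.6.34",
        "Oracle VM VirtualBox": "5.0.27",
        "Oracle Java SE": "8u102",
        "Oracle WebLogic Server": "10.3.5.0",
    }
    for product, verdict in triage(sample).items():
        print(f"{product:24} {sample[product]:>10}  {verdict}")
```

A "clear" verdict only means the installed release is newer than the affected
range the bulletin prints; it is not evidence that the October 2016 CPU has
been applied. For products patched in place rather than by upgrade (Oracle
Database and WebLogic Server in particular) the version string does not change
when a CPU patch is installed, so confirm from the patch inventory
(for example `opatch lsinventory`) rather than from a version number, and
treat every "not listed" result as a manual check against reference [1].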
        [1]

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2016
            http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html

        [2] Text Form of Oracle Critical Patch Update - October 2016 Risk Matrices
            http://www.oracle.com/technetwork/topics/security/cpuoct2016verbose-2881725.html

AusCERT has made every effort to ensure that the information contained in this
document is accurate. However, the decision to use the information described is
the responsibility of each user or organisation. The decision to follow or act
on information or advice contained in this security bulletin is the
responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT takes
no responsibility for consequences which may arise from following or acting on
information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWAbgQIx+lLeg9Ub1AQjerA/+J/8cvCjGOGnVm+YDNW6OwV0lkoNKpHmt
I+bvuinsNUlFfPoVhVr9G5zNDN66TlyB5LYnVNYwREaKr4ciM6LB48HPefWnISnF
AwpSV8o56jK89i1syIV6FFyrtLZMVxpzXt/U6jiATUaiDJm5RxgukE2+K1qtEBRS
5y5I9rcZ5Z8VAU60Z/0nKOmZ+n3aWKev9ZXYbM/pZicncYBbOSNgNIMMgx8dIR84
lHMJT+tARq3mR7vzFmIl2v6moeaMbYpuaFjPEVhG7guEKXNKLlRnmAMzJe0AkwPN
EfPPYdsgwRi0cbr0nEn0beXeYewN98Wm1JIgrbfFoJeHMT2/XWDa2R/E5T5uvuPl
u1LDOqja9C4sNqf1eSwuwCuYqkQkb1d4tjK8brIPw3lMu6WCi9b2CwkqnwqXcaYs
faNdk8C+sDuXmi2ejI00ZG97mk6EUh9zkkyg0RFQYzTWzvRCELX43SVtcq6ck0NG
bEfvXSoCldW1LrWPcuZJI9kMOvpgyI/tFVUVpUir90x3FwYShVxiT19sOzOQ5e0B
FVxpiozWlR7NRNMp78qZIqjPW82yxd0qsAwwUztDnvVSJrPiBJ8TCxREutrlsJDM
XdVTDHhyrN3tXsBDuVs/B8sEWvEhN2yBkHqeWOv2UjTssExp18V9h5mnBm61OT7l
OnOioIlOuPo=
=wCw/
-----END PGP SIGNATURE-----