Date: 18 July 2012
References: ASB-2011.0076.2 ASB-2011.0080 ASB-2011.0091 ASB-2012.0009 ESB-2012.0702 ESB-2012.0803 ESB-2012.0833.2 ESB-2012.0899 ESB-2012.0966 ESB-2012.0973
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0103
Oracle has released 87 updates which correct vulnerabilities
in their products
18 July 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Secure Backup, version 10.3.0.3, 10.4.0.1
Oracle Fusion Middleware 11g Release 2, version 11.1.2.0
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.6
Oracle Application Server 10g Release 3, version 10.1.3.5
Oracle Identity Management 10g, version 10.1.4.3
Hyperion BI+, version 11.1.1.x
Oracle JRockit versions, R28.2.3 and earlier, R27.7.2 and earlier
Oracle Map Viewer, versions 10.1.3.1, 11.1.1.5, 11.1.1.6
Oracle Outside In Technology, versions 8.3.5, 8.3.7
Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
Oracle AutoVue, versions 20.0.2, 20.1
Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
Oracle Siebel CRM, versions 8.1.1, 8.2.2
Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3
Oracle Sun Product Suite
Oracle MySQL Server, versions 5.1, 5.5
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Impact/Access: Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2012-3135 CVE-2012-3134 CVE-2012-3131
CVE-2012-3130 CVE-2012-3129 CVE-2012-3128
CVE-2012-3127 CVE-2012-3126 CVE-2012-3125
CVE-2012-3124 CVE-2012-3123 CVE-2012-3122
CVE-2012-3121 CVE-2012-3120 CVE-2012-3119
CVE-2012-3118 CVE-2012-3117 CVE-2012-3116
CVE-2012-3115 CVE-2012-3114 CVE-2012-3113
CVE-2012-3112 CVE-2012-3111 CVE-2012-3110
CVE-2012-3109 CVE-2012-3108 CVE-2012-3107
CVE-2012-3106 CVE-2012-1773 CVE-2012-1772
CVE-2012-1771 CVE-2012-1770 CVE-2012-1769
CVE-2012-1768 CVE-2012-1767 CVE-2012-1766
CVE-2012-1765 CVE-2012-1764 CVE-2012-1762
CVE-2012-1761 CVE-2012-1760 CVE-2012-1759
CVE-2012-1758 CVE-2012-1757 CVE-2012-1756
CVE-2012-1754 CVE-2012-1753 CVE-2012-1752
CVE-2012-1750 CVE-2012-1749 CVE-2012-1748
CVE-2012-1747 CVE-2012-1746 CVE-2012-1745
CVE-2012-1744 CVE-2012-1743 CVE-2012-1742
CVE-2012-1741 CVE-2012-1740 CVE-2012-1739
CVE-2012-1738 CVE-2012-1737 CVE-2012-1736
CVE-2012-1735 CVE-2012-1734 CVE-2012-1733
CVE-2012-1732 CVE-2012-1731 CVE-2012-1730
CVE-2012-1729 CVE-2012-1728 CVE-2012-1727
CVE-2012-1715 CVE-2012-1689 CVE-2012-1687
CVE-2012-0563 CVE-2012-0540 CVE-2011-4885
CVE-2011-4358 CVE-2011-4317 CVE-2011-3562
CVE-2011-3368 CVE-2011-3192 CVE-2011-2699
CVE-2011-0419 CVE-2008-4609 CVE-2001-0323
Member content until: Friday, August 17 2012
Reference: ASB-2012.0009
ASB-2011.0091
ASB-2011.0080
ASB-2011.0076.2
OVERVIEW
Oracle has released its July 2012 Critical Patch Update, which corrects
vulnerabilities across numerous product families. [1]
IMPACT
Oracle has not published detailed descriptions of the individual
vulnerabilities. Per-vulnerability CVSS 2.0 scores, attack vectors and
affected-product matrices are available in the Oracle advisory. [1]
Oracle states, "Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as possible.
This Critical Patch Update contains 87 new security fixes across the
product families listed below." [1]
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Secure Backup, version 10.3.0.3, 10.4.0.1
Oracle Fusion Middleware 11g Release 2, version 11.1.2.0
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.6
Oracle Application Server 10g Release 3, version 10.1.3.5
Oracle Identity Management 10g, version 10.1.4.3
Hyperion BI+, version 11.1.1.x
Oracle JRockit versions, R28.2.3 and earlier, R27.7.2 and earlier
Oracle Map Viewer, versions 10.1.3.1, 11.1.1.5, 11.1.1.6
Oracle Outside In Technology, versions 8.3.5, 8.3.7
Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Transportation Management, versions 5.5.06, 6.0, 6.1, 6.2
Oracle AutoVue, versions 20.0.2, 20.1
Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
Oracle Siebel CRM, versions 8.1.1, 8.2.2
Oracle Clinical Remote Data Capture Option, versions 4.6, 4.6.2, 4.6.3
Oracle Sun Product Suite
Oracle MySQL Server, versions 5.1, 5.5
With respect to CVE-2012-1675, which is not among the CVEs fixed by this CPU, Oracle states, "This Security Alert provides
mitigation instructions against the publicly disclosed "TNS Listener
Poison Attack." Because of the nature of this issue (amount of code
change required, potential for significant regression issues, and
inability to automate the application of a fix), Oracle does not plan
to backport a permanent fix for this vulnerability in any upcoming
Critical Patch Update. Customers are therefore strongly advised to
implement the recommendations set forth in the Security Alert." [2]
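The Security Alert's mitigation (not reproduced in this bulletin) is to restrict the transports over which a listener accepts instance registration, using Oracle's Class of Secure Transport (COST) parameter SECURE_REGISTER_<listener_name> in listener.ora, so that only the local IPC endpoint (or TCPS) can register an instance. Turning dynamic registration off with DYNAMIC_REGISTRATION_<listener_name> = OFF and listing instances statically in SID_LIST_<listener_name> removes the remote registration path as well. The script below is an added example, not part of the AusCERT bulletin or of Oracle's documentation: it parses a listener.ora and flags each listener that still accepts registration over plain TCP, the precondition for the poisoning attack. The sample listener.ora is constructed, and its hostnames and paths are placeholders; which database releases support SECURE_REGISTER_ is covered by the Oracle notes referenced from the Security Alert, not here.

```python
import re

# Constructed sample listener.ora (not taken from the advisory): three
# listeners in three different states with respect to instance registration.
SAMPLE_LISTENER_ORA = """
# Default listener: dynamic instance registration accepted over TCP.
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1521))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
    )
  )

# Listener with COST applied: registration only over the local IPC endpoint.
LISTENER_SECURE =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1522))
      (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522))
    )
  )
SECURE_REGISTER_LISTENER_SECURE = (IPC)

# Listener with dynamic registration switched off and a static SID list.
LISTENER_STATIC =
  (ADDRESS_LIST =
    (ADDRESS = (PROTOCOL = TCP)(HOST = db01.example.internal)(PORT = 1523))
  )
SID_LIST_LISTENER_STATIC =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/11.2.0/dbhome_1))
  )
DYNAMIC_REGISTRATION_LISTENER_STATIC = OFF

ADR_BASE_LISTENER = /u01/app/oracle
"""

# A top-level assignment "NAME = value"; nested "(KEY = value)" pairs start
# with "(" and therefore never match.
_ASSIGN = re.compile(r"^\s*([A-Za-z0-9_.]+)\s*=\s*(.*)$")


def parse_listener_ora(text):
    """Return {PARAMETER_NAME: raw value} for every top-level parameter.
    Multi-line values are joined, '#' comments dropped, and a new parameter
    is only recognised when the parenthesis depth is back to zero."""
    params = {}
    name, parts, depth = None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        match = _ASSIGN.match(line)
        if depth == 0 and match:
            if name is not None:
                params[name] = " ".join(parts).strip()
            name, parts = match.group(1).upper(), [match.group(2)]
        elif name is not None:
            parts.append(line.strip())
        depth += line.count("(") - line.count(")")
    if name is not None:
        params[name] = " ".join(parts).strip()
    return params


def listener_names(params):
    """Listener definitions are the top-level parameters whose value is an
    address or description list; SID_LIST_*, SECURE_REGISTER_* and ADR_BASE_*
    have other shapes and are skipped."""
    return [n for n, v in params.items()
            if v.upper().startswith(("(DESCRIPTION", "(ADDRESS"))]


def registration_transports(value):
    """'(IPC)' or '(IPC, TCPS)' -> {'IPC', 'TCPS'}."""
    return {t.upper() for t in re.findall(r"[A-Za-z]+", value)}


def audit_registration(text):
    """Classify each listener by whether it still accepts instance
    registration over plain TCP, which is what a remote poisoning needs."""
    params = parse_listener_ora(text)
    report = {}
    for name in listener_names(params):
        if params.get("DYNAMIC_REGISTRATION_" + name, "").upper() == "OFF":
            report[name] = "ok: dynamic registration disabled"
            continue
        secure = params.get("SECURE_REGISTER_" + name)
        if secure is None:
            report[name] = ("vulnerable: no SECURE_REGISTER_%s, "
                            "registration over TCP allowed" % name)
            continue
        transports = registration_transports(secure)
        if "TCP" in transports:
            report[name] = "vulnerable: SECURE_REGISTER_%s still lists TCP" % name
        else:
            report[name] = ("ok: registration restricted to "
                            + ", ".join(sorted(transports)))
    return report


if __name__ == "__main__":
    for listener, verdict in audit_registration(SAMPLE_LISTENER_ORA).items():
        print("%-16s %s" % (listener, verdict))
```

Run it against a real listener.ora by reading the file into `audit_registration`; on a RAC system remember that the SCAN and local listeners are separate definitions and each needs its own SECURE_REGISTER_ entry. A listener that passes this check is still only as safe as the IPC and TCPS endpoints it trusts, so the check is a starting point for the Security Alert's recommendations, not a substitute for them.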
MITIGATION
Oracle states, "Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as possible."
Links to the appropriate patches are available from the Oracle advisory. [1]
Note that the CPU patches do not address CVE-2012-1675; the configuration
changes described in the Security Alert must be applied separately. [2]
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2012
http://www.oracle.com/technetwork/topics/security/cpujul2012-392727.html
[2] Oracle Security Alert for CVE-2012-1675
http://www.oracle.com/technetwork/topics/security/alert-cve-2012-1675-1608180.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================