Date: 16 January 2013
References: ASB-2012.0009 ASB-2012.0023.2 ASB-2012.0024.2 ESB-2012.0289.4 ESB-2012.0321 ASB-2012.0060 ESB-2012.0682 ESB-2012.0937 ESB-2013.0101 ESB-2013.0138 ESB-2013.0495
===========================================================================
AUSCERT Security Bulletin
ASB-2013.0007
Oracle have released 86 updates which correct vulnerabilities
16 January 2013
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Database Mobile Server, version 11.1.0.0
Oracle Database Lite Server, version 10.3.0.3
Oracle Access Manager/Webgate, versions 10.1.4.3.0, 11.1.1.5.0, 11.1.2.0.0
Oracle GoldenGate Veridata, version 3.0.0.11.0
Management Pack for Oracle GoldenGate, version 11.1.1.1.0
Oracle Outside In Technology, versions 8.3.7, 8.4
Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
Application Performance Management versions 6.5, 11.1, 12.1.0.2
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Agile PLM Framework, version 9.3.1.1
Oracle PeopleSoft HRMS, versions 9.0, 9.1
Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
Oracle Siebel CRM, versions 8.1.1, 8.2.2
Oracle Sun Product Suite
Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Modify Arbitrary Files -- Remote/Unauthenticated
Denial of Service -- Remote/Unauthenticated
Read-only Data Access -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Resolution: Patch/Upgrade
CVE Names: CVE-2013-0420 CVE-2013-0418 CVE-2013-0417
CVE-2013-0415 CVE-2013-0414 CVE-2013-0407
CVE-2013-0400 CVE-2013-0399 CVE-2013-0397
CVE-2013-0396 CVE-2013-0395 CVE-2013-0394
CVE-2013-0393 CVE-2013-0392 CVE-2013-0391
CVE-2013-0390 CVE-2013-0389 CVE-2013-0388
CVE-2013-0387 CVE-2013-0386 CVE-2013-0385
CVE-2013-0384 CVE-2013-0383 CVE-2013-0382
CVE-2013-0381 CVE-2013-0380 CVE-2013-0379
CVE-2013-0378 CVE-2013-0377 CVE-2013-0376
CVE-2013-0375 CVE-2013-0374 CVE-2013-0373
CVE-2013-0372 CVE-2013-0371 CVE-2013-0370
CVE-2013-0369 CVE-2013-0368 CVE-2013-0367
CVE-2013-0366 CVE-2013-0365 CVE-2013-0364
CVE-2013-0363 CVE-2013-0362 CVE-2013-0361
CVE-2013-0360 CVE-2013-0359 CVE-2013-0358
CVE-2013-0357 CVE-2013-0356 CVE-2013-0355
CVE-2013-0354 CVE-2013-0353 CVE-2013-0352
CVE-2012-5612 CVE-2012-5611 CVE-2012-5097
CVE-2012-5096 CVE-2012-5062 CVE-2012-5060
CVE-2012-5059 CVE-2012-3220 CVE-2012-3219
CVE-2012-3218 CVE-2012-3192 CVE-2012-3190
CVE-2012-3178 CVE-2012-3172 CVE-2012-3170
CVE-2012-3169 CVE-2012-3168 CVE-2012-1755
CVE-2012-1705 CVE-2012-1702 CVE-2012-1701
CVE-2012-1700 CVE-2012-1680 CVE-2012-1678
CVE-2012-1677 CVE-2012-0578 CVE-2012-0574
CVE-2012-0572 CVE-2012-0569 CVE-2012-0022
CVE-2011-5035
Member content until: Friday, February 15 2013
Reference: ASB-2012.0060
ASB-2012.0009
ESB-2012.0937
ESB-2012.0682
ESB-2012.0321
ASB-2012.0024.2
ASB-2012.0023.2
ESB-2012.0289.4
OVERVIEW
Oracle have released updates which correct vulnerabilities in
numerous products. [1]
IMPACT
Limited impact details have been published by Oracle in their Text Form
Risk Matrices. [2]
Two of the vulnerabilities, in Oracle Database Mobile/Lite Server, have a
CVSS score of 10, the highest possible score. [1]
Oracle states, "Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as possible.
This Critical Patch Update contains 86 new security fixes across the
product families listed below." [1]
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Database Mobile Server, version 11.1.0.0
Oracle Database Lite Server, version 10.3.0.3
Oracle Access Manager/Webgate, versions 10.1.4.3.0, 11.1.1.5.0, 11.1.2.0.0
Oracle GoldenGate Veridata, version 3.0.0.11.0
Management Pack for Oracle GoldenGate, version 11.1.1.1.0
Oracle Outside In Technology, versions 8.3.7, 8.4
Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
Application Performance Management versions 6.5, 11.1, 12.1.0.2
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Agile PLM Framework, version 9.3.1.1
Oracle PeopleSoft HRMS, versions 9.0, 9.1
Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
Oracle Siebel CRM, versions 8.1.1, 8.2.2
Oracle Sun Product Suite
Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier
MITIGATION
Oracle states, "Due to the threat posed by a successful attack, Oracle
strongly recommends that customers apply CPU fixes as soon as possible."
Links to the appropriate patches are available at the Oracle site. [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - January 2013
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html
[2] Text Form of Oracle Critical Patch Update - January 2013 Risk Matrices
www.oracle.com/technetwork/topics/security/cpujan2013verbose-1897756.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================