ASB-2012.0143 - ALERT [Win][UNIX/Linux] Oracle Products: Multiple vulnerabilities
Date: 17 October 2012
Original URL: http://www.auscert.org.au/render.html?cid=35&it=16479
References: ESB-2011.0765 ESB-2012.0538 ASB-2012.0114 ESB-2012.1003 ESB-2012.1004 ESB-2012.1087 ESB-2012.1133 ESB-2012.1147 ESB-2012.1173 ESB-2012.1187 ESB-2013.0006 ESB-2013.0021 ESB-2013.0051 ESB-2013.0053 ESB-2013.0123 ESB-2013.0156 ESB-2013.0157 ESB-2013.0189 ESB-2013.0276 ESB-2013.0298 ESB-2013.0322 ESB-2013.0330 ESB-2013.0356 ESB-2013.0432 ESB-2013.0437 ESB-2013.0589 ESB-2013.0619 ESB-2013.0621 ESB-2013.0646 ESB-2013.0653
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2012.0143
Oracle Critical Patch Update Advisory - October 2012
17 October 2012
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Database
Oracle Fusion Middleware
Oracle Forms and Reports
Oracle BI Publisher
Oracle Event Processing
Oracle Identity Management
Oracle Imaging and Process Management
Oracle JRockit
Oracle Outside In Technology
Oracle WebLogic Server
Oracle WebCenter Sites
Oracle E-Business Suite
Oracle Agile PLM For Process
Oracle Agile PLM Framework
Oracle Agile Product Supplier Collaboration for Process
Oracle PeopleSoft
Oracle Siebel UI Framework
Oracle Central Designer
Oracle Clinical/ Remote Data Capture
Oracle FLEXCUBE Direct Banking
Oracle FLEXCUBE Universal Banking
Oracle Sun Product Suite
Oracle Secure Global Desktop
Oracle VM Virtual Box
Oracle MySQL Server
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Access Privileged Data -- Remote/Unauthenticated
Increased Privileges -- Existing Account
Denial of Service -- Remote/Unauthenticated
Access Confidential Data -- Remote/Unauthenticated
Unauthorised Access -- Remote/Unauthenticated
Reduced Security -- Unknown/Unspecified
Resolution: Patch/Upgrade
CVE Names: CVE-2012-5095 CVE-2012-5094 CVE-2012-5093
CVE-2012-5092 CVE-2012-5091 CVE-2012-5090
CVE-2012-5085 CVE-2012-5083 CVE-2012-5081
CVE-2012-5066 CVE-2012-5065 CVE-2012-5064
CVE-2012-5063 CVE-2012-5061 CVE-2012-5058
CVE-2012-3230 CVE-2012-3229 CVE-2012-3228
CVE-2012-3227 CVE-2012-3226 CVE-2012-3225
CVE-2012-3224 CVE-2012-3223 CVE-2012-3222
CVE-2012-3221 CVE-2012-3217 CVE-2012-3215
CVE-2012-3214 CVE-2012-3212 CVE-2012-3211
CVE-2012-3210 CVE-2012-3209 CVE-2012-3208
CVE-2012-3207 CVE-2012-3206 CVE-2012-3205
CVE-2012-3204 CVE-2012-3203 CVE-2012-3202
CVE-2012-3201 CVE-2012-3200 CVE-2012-3199
CVE-2012-3198 CVE-2012-3197 CVE-2012-3196
CVE-2012-3195 CVE-2012-3194 CVE-2012-3193
CVE-2012-3191 CVE-2012-3189 CVE-2012-3188
CVE-2012-3187 CVE-2012-3186 CVE-2012-3185
CVE-2012-3184 CVE-2012-3183 CVE-2012-3182
CVE-2012-3181 CVE-2012-3180 CVE-2012-3179
CVE-2012-3177 CVE-2012-3176 CVE-2012-3175
CVE-2012-3173 CVE-2012-3171 CVE-2012-3167
CVE-2012-3166 CVE-2012-3165 CVE-2012-3164
CVE-2012-3163 CVE-2012-3162 CVE-2012-3161
CVE-2012-3160 CVE-2012-3158 CVE-2012-3157
CVE-2012-3156 CVE-2012-3155 CVE-2012-3154
CVE-2012-3153 CVE-2012-3152 CVE-2012-3151
CVE-2012-3150 CVE-2012-3149 CVE-2012-3148
CVE-2012-3147 CVE-2012-3146 CVE-2012-3145
CVE-2012-3144 CVE-2012-3142 CVE-2012-3141
CVE-2012-3140 CVE-2012-3139 CVE-2012-3138
CVE-2012-3137 CVE-2012-3132 CVE-2012-1763
CVE-2012-1751 CVE-2012-1686 CVE-2012-1685
CVE-2012-1531 CVE-2012-0518 CVE-2012-0217
CVE-2012-0108 CVE-2012-0107 CVE-2012-0106
CVE-2012-0095 CVE-2012-0093 CVE-2012-0092
CVE-2012-0090 CVE-2012-0086 CVE-2012-0071
CVE-2011-1411
Member content until: Friday, November 16 2012
Reference: ASB-2012.0114
ESB-2012.0538
ESB-2011.0765
OVERVIEW
Oracle have released updates which correct vulnerabilities in
numerous products. [1]
IMPACT
Oracle has not published specific impacts for these vulnerabilities at
this time; however, the following information on CVSS 2.0 scoring and
affected products is available from the Oracle site. [1]
According to Oracle, "This Critical Patch Update contains 109 new
security fixes across the product families listed below." [1]
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Fusion Middleware 11g Release 1, version 11.1.1.6
Oracle Forms and Reports 11g, Release 2, version 11.1.2.0
Oracle Forms and Reports 11g Release 1, version 11.1.1.4
Oracle BI Publisher, versions 10.1.3.4.2, 11.1.1.5.0, 11.1.1.6.0,
11.1.1.6.2
Oracle Event Processing, versions 2.0, 11.1.1.4.0, 11.1.1.6.0
Oracle Identity Management 10g, version 10.1.4.3
Oracle Imaging and Process Management, version 10.1.3.6.0
Oracle JRockit, versions R28.2.4 and earlier, R27.7.3 and earlier
Oracle Outside In Technology, version 8.3.7
Oracle WebLogic Server, versions 9.2.4.0, 10.0.2.0, 10.3.5.0, 10.3.6.0,
12.1.1.0
Oracle WebCenter Sites, versions 6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2,
7.0.3, 7.5, 7.6.1, 7.6.2, 11.1.1.6.0
Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2,
12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Agile PLM For Process, versions 5.2.2, 6.0.0.6.3, 6.1.0.0,
6.1.0.1.14
Oracle Agile PLM Framework, versions 9.3.1.0, 9.3.1.1
Oracle Agile Product Supplier Collaboration for Process, versions
5.2.2, 6.1.0.0
Oracle PeopleSoft Enterprise Campus Solutions, version 9.0
Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
Oracle Siebel UI Framework, version 8.1.1
Oracle Central Designer, versions 1.3, 1.4, 1.4.2
Oracle Clinical/Remote Data Capture, versions 4.6.0, 4.6.2
Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.0.5, 5.1.0, 5.2.0,
5.3.0-5.3.4, 6.0.1, 6.2.0, 12
Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0,
11.0.0-11.4.0, 12
Oracle Sun Product Suite
Oracle Secure Global Desktop, version 4.6
Oracle VM Virtual Box, versions 3.2, 4.0, 4.1
Oracle MySQL Server, versions 5.1.63 and earlier, 5.5.25 and earlier
CVE-2012-3137 is the most critical, with a CVSS score of 10.0 and a
proof of concept available. The NIST National Vulnerability Database
describes it as follows:
"The authentication protocol in Oracle Database 11g 1 and 2 allows
remote attackers to obtain the session key and salt for arbitrary
users, which leaks information about the cryptographic hash and makes
it easier to conduct brute force password guessing attacks, aka
'stealth password cracking vulnerability.'" [2]
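The NVD text above describes the shape of the weakness but not why it matters in practice: once a server hands an unauthenticated client a per-user salt together with a value encrypted under a password-derived key, every candidate password can be checked offline against that one captured exchange, with no further traffic to the server and nothing for the server to log or lock out. The following is an added illustration written for this bulletin; it is not AusCERT's or Oracle's code, and it is not Oracle's wire format. The message layout, the SHA-1 key derivation, the 40-byte session key, the fixed 0x08 trailer and the HMAC-based toy stream cipher are all assumptions chosen to keep the example stdlib-only; the structure of the attack (capture once, guess offline, confirm by a checkable property of the decrypted value) is the point.

```python
"""
Simplified model of an offline password-guessing attack against a login
protocol that sends an unauthenticated client (a) the user's salt and
(b) a session key encrypted under a password-derived key.

Added illustration only: NOT Oracle's protocol and NOT CVE-2012-3137 itself.
Message layout, KDF, key/trailer sizes and the toy cipher are assumptions.
"""
import hashlib
import hmac
import os

TRAILER = b"\x08" * 8        # assumed fixed padding that a correct decryption must reveal
SESSION_KEY_LEN = 40         # assumed length of the secret the server is protecting


def derive_key(password: str, salt: bytes) -> bytes:
    # Assumed KDF: one cheap, unsalted-iteration hash, which is what makes
    # offline guessing fast. Padded to 24 bytes to resemble a 192-bit key.
    return hashlib.sha1(password.encode() + salt).digest() + b"\x00" * 4


def keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher (HMAC-SHA256 in counter mode) standing in for a block cipher.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Server:
    """Holds one account and answers the first, pre-authentication handshake message."""

    def __init__(self, username: str, password: str):
        self.username = username
        self.password = password
        self.salt = os.urandom(10)   # per-user salt, constructed at random

    def auth_sesskey(self, requested_user: str):
        """Vulnerable step: whoever names the account receives the salt and the
        password-encrypted session key before proving anything about the password."""
        if requested_user != self.username:
            return None
        session_key = os.urandom(SESSION_KEY_LEN)
        plaintext = session_key + TRAILER
        key = derive_key(self.password, self.salt)
        return self.salt, xor(plaintext, keystream(key, len(plaintext)))


def check_guess(password: str, salt: bytes, blob: bytes) -> bool:
    """Offline test: a candidate is correct iff decrypting the captured blob with
    the key derived from it reveals the expected trailer."""
    pt = xor(blob, keystream(derive_key(password, salt), len(blob)))
    return pt.endswith(TRAILER)


def crack(salt: bytes, blob: bytes, wordlist):
    """Try every candidate against one captured (salt, blob) pair. Returns the
    password found (or None) and how many guesses were needed; the server is
    never contacted again, so no lockout or audit record results."""
    candidates = list(wordlist)
    for attempts, candidate in enumerate(candidates, start=1):
        if check_guess(candidate, salt, blob):
            return candidate, attempts
    return None, len(candidates)


if __name__ == "__main__":
    # Constructed demo: one handshake capture, then a small constructed wordlist.
    server = Server("scott", "tiger")
    salt, blob = server.auth_sesskey("scott")
    print(crack(salt, blob, ["password", "oracle", "tiger", "lion"]))
```

The property being tested (`pt.endswith(TRAILER)`) is a stand-in for whatever structure a real protocol leaves in the decrypted value; any such structure turns the pre-authentication reply into a password verifier. This is why the bulletin rates the issue Remote/Unauthenticated: an attacker only needs to reach the listener and name a valid username, and the rate of guessing is then bounded by the attacker's hardware rather than by the server.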
CVE-2012-3202 also has a CVSS score of 10.0; however, the published
information on this vulnerability is not specific. The following is
from the NIST National Vulnerability Database:
"Multiple unspecified vulnerabilities in the Oracle JRockit component
in Oracle Fusion Middleware 28.2.4 and earlier, and 27.7.3 and earlier,
when using JDK/JRE 5 or 6, allow remote attackers to affect
confidentiality, integrity, and availability via unknown vectors. NOTE:
this overlaps CVE-2012-5083, CVE-2012-1531, CVE-2012-5081, and
CVE-2012-5085." [3]
MITIGATION
Oracle states that: "Due to the threat posed by a successful attack,
Oracle strongly recommends that customers apply CPU fixes as soon as
possible." [1]
All users should apply the fixes available from the Oracle website. [1]
REFERENCES
[1] Oracle Critical Patch Update Advisory - October 2012
http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
[2] Vulnerability Summary for CVE-2012-3137
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3137
[3] Vulnerability Summary for CVE-2012-3202
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-3202
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----