Hash: SHA256

                         AUSCERT Security Bulletin

        Oracle have released updates which correct vulnerabilities
                           in numerous products
                              19 October 2016


        AusCERT Security Bulletin Summary

Product:              Oracle Products
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
                      Access Privileged Data          -- Remote/Unauthenticated
                      Modify Arbitrary Files          -- Remote/Unauthenticated
                      Denial of Service               -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2016-8296 CVE-2016-8295 CVE-2016-8294
                      CVE-2016-8293 CVE-2016-8292 CVE-2016-8291
                      CVE-2016-8290 CVE-2016-8289 CVE-2016-8288
                      CVE-2016-8287 CVE-2016-8286 CVE-2016-8285
                      CVE-2016-8284 CVE-2016-8283 CVE-2016-8281
                      CVE-2016-7440 CVE-2016-7052 CVE-2016-6662
                      CVE-2016-6309 CVE-2016-6308 CVE-2016-6307
                      CVE-2016-6306 CVE-2016-6305 CVE-2016-6304
                      CVE-2016-6303 CVE-2016-6302 CVE-2016-5635
                      CVE-2016-5634 CVE-2016-5633 CVE-2016-5632
                      CVE-2016-5631 CVE-2016-5630 CVE-2016-5629
                      CVE-2016-5628 CVE-2016-5627 CVE-2016-5626
                      CVE-2016-5625 CVE-2016-5624 CVE-2016-5622
                      CVE-2016-5621 CVE-2016-5620 CVE-2016-5619
                      CVE-2016-5618 CVE-2016-5617 CVE-2016-5616
                      CVE-2016-5615 CVE-2016-5613 CVE-2016-5612
                      CVE-2016-5611 CVE-2016-5610 CVE-2016-5609
                      CVE-2016-5608 CVE-2016-5607 CVE-2016-5606
                      CVE-2016-5605 CVE-2016-5604 CVE-2016-5603
                      CVE-2016-5602 CVE-2016-5601 CVE-2016-5600
                      CVE-2016-5599 CVE-2016-5598 CVE-2016-5597
                      CVE-2016-5596 CVE-2016-5595 CVE-2016-5594
                      CVE-2016-5593 CVE-2016-5592 CVE-2016-5591
                      CVE-2016-5589 CVE-2016-5588 CVE-2016-5587
                      CVE-2016-5586 CVE-2016-5585 CVE-2016-5584
                      CVE-2016-5583 CVE-2016-5582 CVE-2016-5581
                      CVE-2016-5580 CVE-2016-5579 CVE-2016-5578
                      CVE-2016-5577 CVE-2016-5576 CVE-2016-5575
                      CVE-2016-5574 CVE-2016-5573 CVE-2016-5572
                      CVE-2016-5571 CVE-2016-5570 CVE-2016-5569
                      CVE-2016-5568 CVE-2016-5567 CVE-2016-5566
                      CVE-2016-5565 CVE-2016-5564 CVE-2016-5563
                      CVE-2016-5562 CVE-2016-5561 CVE-2016-5560
                      CVE-2016-5559 CVE-2016-5558 CVE-2016-5557
                      CVE-2016-5556 CVE-2016-5555 CVE-2016-5554
                      CVE-2016-5553 CVE-2016-5544 CVE-2016-5543
                      CVE-2016-5542 CVE-2016-5540 CVE-2016-5539
                      CVE-2016-5538 CVE-2016-5537 CVE-2016-5536
                      CVE-2016-5535 CVE-2016-5534 CVE-2016-5533
                      CVE-2016-5532 CVE-2016-5531 CVE-2016-5530
                      CVE-2016-5529 CVE-2016-5527 CVE-2016-5526
                      CVE-2016-5525 CVE-2016-5524 CVE-2016-5523
                      CVE-2016-5522 CVE-2016-5521 CVE-2016-5519
                      CVE-2016-5518 CVE-2016-5517 CVE-2016-5516
                      CVE-2016-5515 CVE-2016-5514 CVE-2016-5513
                      CVE-2016-5512 CVE-2016-5511 CVE-2016-5510
                      CVE-2016-5508 CVE-2016-5507 CVE-2016-5506
                      CVE-2016-5505 CVE-2016-5504 CVE-2016-5503
                      CVE-2016-5502 CVE-2016-5501 CVE-2016-5500
                      CVE-2016-5499 CVE-2016-5498 CVE-2016-5497
                      CVE-2016-5495 CVE-2016-5493 CVE-2016-5492
                      CVE-2016-5491 CVE-2016-5490 CVE-2016-5489
                      CVE-2016-5488 CVE-2016-5487 CVE-2016-5486
                      CVE-2016-5482 CVE-2016-5481 CVE-2016-5480
                      CVE-2016-5479 CVE-2016-4979 CVE-2016-3562
                      CVE-2016-3551 CVE-2016-3505 CVE-2016-3495
                      CVE-2016-3492 CVE-2016-3473 CVE-2016-3081
                      CVE-2016-2183 CVE-2016-2182 CVE-2016-2181
                      CVE-2016-2180 CVE-2016-2179 CVE-2016-2178
                      CVE-2016-2177 CVE-2016-2176 CVE-2016-2109
                      CVE-2016-2107 CVE-2016-2106 CVE-2016-2105
                      CVE-2016-1950 CVE-2016-1881 CVE-2016-1546
                      CVE-2016-1182 CVE-2016-1181 CVE-2016-0763
                      CVE-2016-0714 CVE-2016-0706 CVE-2016-0635
                      CVE-2015-7940 CVE-2015-7501 CVE-2015-5351
                      CVE-2015-4852 CVE-2015-3253 CVE-2015-3197
                      CVE-2015-3195 CVE-2015-2568 CVE-2015-1793
                      CVE-2015-1792 CVE-2015-1791 CVE-2015-1790
                      CVE-2015-1789 CVE-2015-1788 CVE-2015-1351
                      CVE-2015-0500 CVE-2015-0433 CVE-2015-0423
                      CVE-2015-0411 CVE-2015-0409 CVE-2015-0382
                      CVE-2015-0381 CVE-2015-0286 CVE-2015-0235
                      CVE-2014-9296 CVE-2014-9295 CVE-2014-9294
                      CVE-2014-9293 CVE-2014-7809 CVE-2014-3571
                      CVE-2014-2532 CVE-2014-0227 CVE-2014-0224
                      CVE-2014-0119 CVE-2014-0114 CVE-2014-0099
                      CVE-2014-0096 CVE-2014-0075 CVE-2014-0050
                      CVE-2013-4590 CVE-2013-4444 CVE-2013-4322
                      CVE-2013-4286 CVE-2013-2566 CVE-2013-2067
                      CVE-2012-1007 CVE-2010-5312 
Member content until: Friday, November 18 2016
Reference:            ASB-2016.0087


        Oracle has released updates which correct vulnerabilities in 
        numerous products. [1]
        Oracle states: "This Critical Patch Update contains 253 new
        security fixes across the product families listed below." [1]
        Application Express, version(s) prior to
        Oracle Database Server, version(s),
        Oracle Secure Backup, version(s) prior to, prior to
        Big Data Graph, version(s) prior to 1.2
        NetBeans, version(s) 8.1
        Oracle BI Publisher, version(s),,
        Oracle Big Data Discovery, version(s) 1.1.1, 1.1.3, 1.2.0
        Oracle Business Intelligence Enterprise Edition, version(s),,,
        Oracle Data Integrator, version(s),,,,,
        Oracle Discoverer, version(s)
        Oracle Fusion Middleware, version(s),,,,,,
        Oracle GlassFish Server, version(s) 2.1.1, 3.0.1, 3.1.2
        Oracle Identity Manager, version(s)
        Oracle iPlanet Web Proxy Server, version(s) 4.0
        Oracle iPlanet Web Server, version(s) 7.0
        Oracle Outside In Technology, version(s) 8.4.0, 8.5.1, 8.5.2, 8.5.3
        Oracle Platform Security for Java, version(s),,
        Oracle Web Services, version(s),,,
        Oracle WebCenter Sites, version(s),,
        Oracle WebLogic Server, version(s),,,
        Enterprise Manager, version(s) 12.1.4, 12.2.2, 12.3.2
        Enterprise Manager Base Platform, version(s)
        Oracle Application Testing Suite, version(s),,
        Oracle E-Business Suite, version(s) 12.1.1, 12.1.2, 12.1.3, 12.2.3, 12.2.4, 12.2.5, 12.2.6 	
        Oracle Advanced Supply Chain Planning, version(s) 12.2.3, 12.2.4, 12.2.5
        Oracle Agile Engineering Data Management, version(s),
        Oracle Agile PLM, version(s) 9.3.4, 9.3.5
        Oracle Agile Product Lifecycle Management for Process, version(s),,
        Oracle Transportation Management, version(s) 6.1, 6.2, 6.3.0, 6.3.1, 6.3.2, 6.3.3, 6.3.4, 6.3.5, 6.3.6, 6.3.7
        PeopleSoft Enterprise HCM, version(s) 9.2
        PeopleSoft Enterprise PeopleTools, version(s) 8.54, 8.55
        PeopleSoft Enterprise SCM Services Procurement, version(s) 9.1, 9.2
        JD Edwards EnterpriseOne Tools, version(s) 9.1
        JD Edwards World Security, version(s) A9.4
        Siebel Applications, version(s) 7.1, 16.1
        Oracle Commerce Guided Search, version(s) 6.2.2, 6.3.0,, 6.5.0, 6.5.1, 6.5.2
        Oracle Commerce Guided Search / Oracle Commerce Experience Manager, version(s) 3.1.1, 3.1.2, 6.2.2, 6.3.0,, 6.5.0, 6.5.1, 6.5.2, 11.0, 11.1, 11.2
        Oracle Commerce Platform, version(s),, 
        Oracle Commerce Service Center, version(s),
        Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
        Oracle Communications Policy Management, version(s) 9.7.3, 9.9.1, 10.4.1, 12.1.1 and prior
        Oracle Enterprise Communications Broker, version(s) Pcz2.0.0m4p5 and earlier 
        Oracle Enterprise Session Border Controller, version(s) Ecz7.3m2p2 and earlier
        Oracle Banking Digital Experience, version(s) 15.1
        Oracle Financial Services Analytical Applications Infrastructure, version(s) 7.3.0, 7.3.1, 7.3.2, 7.3.3, 7.3.4, 7.3.5, 8.0.0, 8.0.1, 8.0.2, 8.0.3
        Oracle Financial Services Lending and Leasing, version(s) 14.1.0, 14.2.0
        Oracle FLEXCUBE Core Banking, version(s),
        Oracle FLEXCUBE Enterprise Limits and Collateral Management, version(s) 12.0.0, 12.1.0
        Oracle FLEXCUBE Investor Servicing, version(s) 12.0.1
        Oracle FLEXCUBE Private Banking, version(s) 2.0.0, 2.0.1, 2.2.0, 12.0.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0
        Oracle FLEXCUBE Universal Banking, version(s) 11.3.0, 11.4.0, 12.0.1, 12.0.2, 12.0.3, 12.1.0, 12.2.0, 12.87.1, 12.87.2
        Oracle Life Sciences Data Hub, version(s) 2.x
        Oracle Hospitality OPERA 5 Property Services, version(s),,,,,
        Oracle Insurance IStream, version(s) 4.3.2
        MICROS XBR, version(s) 7.0.2, 7.0.4
        Oracle Retail Back Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Central Office, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Clearance Optimization Engine, version(s) 13.2, 13.3, 13.4, 14.0
        Oracle Retail Customer Insights, version(s) 15.0
        Oracle Retail Merchandising Insights, version(s) 15.0
        Oracle Retail Returns Management, version(s) 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, 14.1
        Oracle Retail Xstore Payment, version(s) 1.x
        Oracle Retail Xstore Point of Service, version(s) 5.0, 5.5, 6.0, 6.5, 7.0, 7.1
        Primavera P6 Enterprise Project Portfolio Management, version(s) 8.4, 15.x, 16.x
        Primavera P6 Professional Project Management, version(s) 8.3, 8.4, 15.x, 16.x
        Oracle Java SE, version(s) 6u121, 7u111, 8u102
        Oracle Java SE Embedded, version(s) 8u101
        Solaris, version(s) 10, 11.3
        Solaris Cluster, version(s) 3.3, 4.3
        Sun ZFS Storage Appliance Kit (AK), version(s) AK 2013
        Oracle VM VirtualBox, version(s) prior to 5.0.28, prior to 5.1.8
        Secure Global Desktop, version(s) 4.7, 5.2
        Sun Ray Operating Software, version(s) prior to 11.1.7
        Virtual Desktop Infrastructure, version(s) prior to 3.5.3
        MySQL Connector, version(s) 2.0.4 and prior, 2.1.3 and prior
        MySQL Server, version(s) 5.5.52 and prior, 5.6.33 and prior, 5.7.15 and prior
        Oracle also notes the following:
        "Vulnerabilities affecting Oracle Database and Oracle Fusion Middleware
        may affect Oracle Fusion Applications, so Oracle customers should refer
        to Oracle Fusion Applications Critical Patch Update Knowledge Document,
        My Oracle Support Note 1967316.1 for information on patches to be
        applied to Fusion Application environments.
        Users running Java SE with a browser can download the latest release
        from http://java.com. Users on the Windows and Mac OS X platforms can
        also use automatic updates to get the latest release.
        Vulnerabilities affecting Oracle Solaris may affect Oracle ZFSSA so
        Oracle customers should refer to the Oracle and Sun Systems Product
        Suite Critical Patch Update Knowledge Document, My Oracle Support Note
        2160904.1 for information on minimum revisions of security fixes
        required to resolve ZFSSA issues published in Critical Patch Updates
        (CPUs) and Solaris Third Party bulletins.
        Users can download the latest release of Netbeans from 
        http://netbeans.org. Users running earlier versions of Netbeans can use
        automatic updates to get the latest patches." [1]


        Limited impact details have been published by Oracle in their Text 
        Form Risk Matrices. [2]


        Oracle states:
        "Due to the threat posed by a successful attack, Oracle strongly 
        recommends that customers apply CPU fixes as soon as possible. Until
        you apply the CPU fixes, it may be possible to reduce the risk of 
        successful attack by blocking network protocols required by an 
        attack. For attacks that require certain privileges or access to 
        certain packages, removing the privileges or the ability to access 
        the packages from users that do not need the privileges may help 
        reduce the risk of successful attack. Both approaches may break 
        application functionality, so Oracle strongly recommends that 
        customers test changes on non-production systems. Neither approach 
        should be considered a long-term solution as neither corrects the 
        underlying problem." [1]


        [1] Oracle Critical Patch Update Advisory - October 2016

        [2] Text Form of Oracle Critical Patch Update - October 2016 Risk

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967