Oracle Critical Patch Update Advisory - January 2014

Number: AV14-003
Date: 15 January 2014

Purpose

The purpose of this advisory is to bring attention to the following critical patch update released for Oracle products.

Assessment

Oracle has issued a Critical Patch Update (CPU) which contains 144 new security fixes across multiple Oracle products.

Affected products and versions:

Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
Oracle Database 12c Release 1, version 12.1.0.1
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
Oracle Fusion Middleware 11g Release 2, versions 11.1.2.0, 11.1.2.1
Oracle Fusion Middleware 12c Release 2, version 12.1.2
Oracle Containers for J2EE, version 10.1.3.5
Oracle Enterprise Data Quality, versions 8.1, 9.0.8
Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2
Oracle HTTP Server 11g, versions 11.1.1.6, 11.1.1.7
Oracle HTTP Server 12c, version 12.1.2
Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.0, 11.1.2.1
Oracle Internet Directory, versions 11.1.1.6, 11.1.1.7
Oracle iPlanet Web Proxy Server, version 4.0
Oracle iPlanet Web Server, versions 6.1, 7.0
Oracle Outside In Technology, versions 8.4.0, 8.4.1
Oracle Portal, version 11.1.1.6
Oracle Reports Developer, versions 11.1.1.6, 11.1.1.7, 11.1.2.1
Oracle Traffic Director, versions 11.1.1.6, 11.1.1.7
Oracle WebCenter Portal, versions 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
Oracle WebCenter Sites, versions 11.1.1.6.1, 11.1.1.8.0
Oracle Hyperion Essbase Administration Services, versions 11.1.2.1, 11.1.2.2, 11.1.2.3
Oracle Hyperion Strategic Finance, versions 11.1.2.1, 11.1.2.2
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1
Oracle AutoVue, version 20.1.1
Oracle Demantra Demand Management, versions 7.2.0.3 SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
Oracle Siebel Core, versions 8.1.1, 8.2.2
Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
Oracle iLearning, version 6.0
Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1, 12.0.2
Oracle JavaFX, versions 2.2.45 and earlier
Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier
Oracle Java SE Embedded, versions 7u45 and earlier
Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
Oracle Solaris, versions 8, 9, 10, 11.1
Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6
Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
Oracle MySQL Server, versions 5.1, 5.5, 5.6

Suggested action

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization's critical services, and follow their patch management process accordingly.

References

http://www.oracle.com/technetwork/topics/security/cpujan2014-1972949.html

Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.
http://www.publicsafety.gc.ca/cnt/ntnl-scrt/cbr-scrt/_fl/CCIRCPublicPGPKey.txt

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: ps.communications-communications.sp@canada.ca
