Oracle Critical Patch Update Advisory - January 2014

Number: AV14-003
Date: 15 January 2014


The purpose of this advisory is to bring attention to the following critical patch update released for Oracle products.


Oracle has issued a Critical Patch Update (CPU) which contains 144 new security fixes across multiple Oracle products.

Affected products and versions:

Oracle Database 11g Release 1, version
Oracle Database 11g Release 2, versions,
Oracle Database 12c Release 1, version
Oracle Fusion Middleware 11g Release 1, versions,
Oracle Fusion Middleware 11g Release 2, versions,
Oracle Fusion Middleware 12c Release 2, version 12.1.2
Oracle Containers for J2EE, version
Oracle Enterprise Data Quality, versions 8.1, 9.0.8
Oracle Forms and Reports 11g, Release 2, version
Oracle GlassFish Server, version 2.1.1, Sun Java Application Server, versions 8.1, 8.2
Oracle HTTP Server 11g, versions,
Oracle HTTP Server 12c, version 12.1.2
Oracle Identity Manager, versions,,,
Oracle Internet Directory, versions,
Oracle iPlanet Web Proxy Server, version 4.0
Oracle iPlanet Web Server, versions 6.1, 7.0
Oracle Outside In Technology, versions 8.4.0, 8.4.1
Oracle Portal, version
Oracle Reports Developer, versions,,
Oracle Traffic Director, versions,
Oracle WebCenter Portal versions,,
Oracle WebCenter Sites versions,
Oracle Hyperion Essbase Administration Services, versions,,
Oracle Hyperion Strategic Finance, versions,
Oracle E-Business Suite Release 11i, version
Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle Agile Product Lifecycle Management for Process, versions 6.0, 6.1, 6.1.1
Oracle AutoVue, versions 20.1.1
Oracle Demantra Demand Management, versions SQL-Server, 7.3.0, 7.3.1, 12.2.0, 12.2.1, 12.2.2, 12.2.3
Oracle Transportation Management, versions 6.0, 6.1, 6.2, 6.3, 6.3.1, 6.3.2
Oracle PeopleSoft Enterprise HRMS, versions 9.1.0, 9.2.0
Oracle PeopleSoft Enterprise HRMS Human Resources, versions 9.1, 9.2
Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53
Oracle PeopleSoft Enterprise SCM Services Procurement, version 9.2
Oracle Siebel Core, versions 8.1.1, 8.2.2
Oracle Siebel Life Sciences, versions 8.1.1, 8.2.2
Oracle iLearning, version 6.0
Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1,, 3.0, 12.0.1, 12.0.2
Oracle JavaFX, versions 2.2.45 and earlier
Oracle Java JDK and JRE, versions 5.0u55 and earlier, 6u65 and earlier, 7u45 and earlier
Oracle Java SE Embedded, versions 7u45 and earlier
Oracle JRockit, versions R27.7.7 and earlier, R28.2.9 and earlier
Oracle Solaris versions 8, 9, 10, 11.1
Oracle Secure Global Desktop, versions 4.63.x, 4.71.x, 5.0.x, 5.10
Oracle VM VirtualBox, versions prior to 3.2.20, 4.0.22, 4.1.30, 4.2.20, 4.3.6
Oracle MySQL Enterprise Monitor, versions 2.3, 3.0
Oracle MySQL Server, versions 5.1, 5.5, 5.6

Suggested action

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. CCIRC recommends that system administrators identify their affected assets and potential interdependencies with their organization's critical services, and follow their patch management process accordingly.


Note to Readers

In support of Public Safety's mission to build a safe and resilient Canada, CCIRC's mandate is to help ensure the security and resilience of the vital non-federal government cyber systems that underpin Canada's national security, public safety and economic prosperity. As Canada's computer security incident response team, CCIRC is Canada's national coordination centre for the prevention and mitigation of, preparedness for, response to, and recovery from cyber incidents on non-federal government systems. It does this by providing authoritative advice and support, and coordinating information sharing and incident response.

Please note that the CCIRC PGP key has recently been updated.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
