-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Reference: CERT-EU Security Advisory 2012-0055
Title: Oracle Critical Patch Update - April 2012 [1]

Version history:
18.04.2012 Initial publication

Summary
=======

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. The Critical Patch Update for Java SE also includes non-security fixes. Critical Patch Updates are cumulative, and each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible.

This Critical Patch Update contains 88 new security fixes across the product families listed below. Several vulnerabilities addressed in this Critical Patch Update affect multiple products. Each vulnerability is identified by a CVE#, which is a unique identifier for a vulnerability.

The most critical include: CVE-2012-0552, CVE-2012-0519, CVE-2012-0510, CVE-2012-0511, CVE-2012-0528

CVSS Base Score (of the most critical ones)
CVSS v2 Base Score: 9.0 (CRITICAL) (AV:N/AC:L/Au:N/C:C/I:C/A:C) [2]

Affected Products and Versions
==============================

Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Application Server 10g Release 3, version 10.1.3.5.0
Oracle BI Publisher, versions 10.1.3.4.1, 10.1.3.4.2
Oracle DB UM Connector for Oracle Identity Manager, version 9.1.0.4
Oracle Identity Manager 11g, versions 11.1.1.3, 11.1.1.5
Oracle JDeveloper, version 10.1.3.5.0
Oracle JRockit, versions R28.2.2 and earlier, R27.7.1 and earlier
Oracle Outside In Technology, versions 8.3.5, 8.3.7
Oracle WebCenter Forms Recognition, version 10.1.3.5
Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Agile, version 6.0.0
Oracle AutoVue, version 20.0.2
Oracle PeopleSoft Enterprise CRM, version 9.1
Oracle PeopleSoft Enterprise HCM, version 9.1
Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
Oracle PeopleSoft Enterprise FCSM, versions 9.0, 9.1
Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
Oracle PeopleSoft Enterprise Portal, version 9.1
Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
Oracle Siebel Life Sciences, versions 8.0.0, 8.1.1, 8.2.2
Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.3.0-5.3.4, 6.0.1, 6.2.0
Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0
Primavera P6 Enterprise Project Portfolio Management, versions 6.2.1, 8.0, 8.1, 8.2
Oracle Sun Product Suite
Oracle MySQL Server, versions 5.1, 5.5

What can you do?
================

Deploy the updated versions of the software [1].

What to tell your users?
========================

Normal security best practices apply. In particular, advise your web users to be cautious about following links to sites provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails, and should immediately forward any suspicious email to the IT security officer / contact in your institution. Run your applications under a non-privileged account.

More information
================

[1] http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html
[2] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,
CERT-EU

CERT-EU Pre-configuration Team (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383

(DISCLAIMER: CERT-EU, the CERT for the EU institutions, is currently in its setup phase, until May 2012. Services are provided in a pilot fashion, and are not yet fully functional. Announcements, alerts and warnings are sent out in a best-effort manner, and to contact information currently known to us. We apologise if you are not the correct recipient, or if you have already been warned about this issue from another source. Format, content and way of alerting are subject to change in the future. Contact information or even the team name may change as well.)

-----BEGIN PGP SIGNATURE-----
Version: BCPG v1.39

iQJXBAEBAgBBBQJPjqiPOhxDRVJUIGZvciB0aGUgRXVyb3BlYW4gSW5zdGl0dXRp
b25zIDxjZXJ0LWV1QGVjLmV1cm9wYS5ldT4ACgkQJ6QGykasQ4NsnhAAliOwqE4C
oxVm8DSFtxuRYbUtqSbwnY5IjNDzGJNraE7+hVkw5D9SskHzxMU9aLFwyvg1Ti+h
kBFMYb4leG7qhui5H/HEFnrz/a3CKq0hE4YEXglVJuqkjKhYKpqXa0aSvX9g6bm+
hUPRQ+EU4ojWNWphCenpsyymW2BfvUR91LpTAXxM0xMuUKl5KiFzVRjZCxOxWnyN
JsQwIhCDnEoFZX7rcWCmbNFT5I8H6fcaJPbV/4FIRg6E+46zngt7z0ZzJgAzNmC8
pG5/F9pPHD1IDeXlI8XobeTugZLRV3VAMHlD9unh3AObBaZC/JLLXK5+7zJJ/3/b
5q9f3zUfEVypLc9xDyOmmCTfkPaqyncS0/Ty46KwRKlkMTAaooxRoDmPe39hP4fW
rkNFDk0ByF79YO2e6vuGEJJvN0bi8W8tTxMc36dvFBMqKrZ9m2k9Gq0Sx5vs36FG
eAf1OmTUy3hYGDykP+lf+m3fuTtX21B5m6hPRgb8cQQk7QZ1c0IrOBAqU6lD8OJO
ZxnPZyfOhL627i4EA3HtJSOOh9Ne3PSemeXEBkyDAbKzDWsMmJGEvwvQx4R1Dk2W
u3JIJ1hv5ELYKUqkO0gwR4eeNWZazMxNHkA8HLLv9PWM/oDHeDxTSDTRNqJkxAY2
6rgx/VJ3boiog4+8H4iZa3Qf0cYA7r+JzHE=
=lXFL
-----END PGP SIGNATURE-----