Reference: CERT-EU Security Advisory 2012-0124

Title: Oracle Critical Patch Update - October 2012 [1]

Version history:
17.10.2012 Initial publication

Summary
=======

The Critical Patch Update for October 2012 [2] and the Oracle Java SE Critical Patch Update [3] for October 2012 were released. Oracle strongly recommends applying the patches as soon as possible. Please note that Sun products are included in this Critical Patch Update.

The Critical Patch Update Advisory [1] is the starting point for relevant information. It includes a list of products affected, pointers to obtain the patches, a summary of the security vulnerabilities, and links to other important documents. Also, it is essential to review the Critical Patch Update supporting documentation referenced in the Advisory before applying patches, as this is where you can find important pertinent information.

Affected Products and Versions:
==============================

Oracle Critical Patch Update Advisory - October 2012:
====================================================

Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Fusion Middleware 11g Release 1, version 11.1.1.6
Oracle Forms and Reports 11g, Release 2, version 11.1.2.0
Oracle Forms and Reports 11g Release 1, version 11.1.1.4
Oracle BI Publisher, versions 10.1.3.4.2, 11.1.1.5.0, 11.1.1.6.0, 11.1.1.6.2
Oracle Event Processing, versions 2.0, 11.1.1.4.0, 11.1.1.6.0
Oracle Identity Management 10g, version 10.1.4.3
Oracle Imaging and Process Management, version 10.1.3.6.0
Oracle JRockit, versions R28.2.4 and earlier, R27.7.3 and earlier
Oracle Outside In Technology, version 8.3.7
Oracle WebLogic Server, versions 9.2.4.0, 10.0.2.0, 10.3.5.0, 10.3.6.0, 12.1.1.0
Oracle WebCenter Sites, versions 6.1, 6.2, 6.3.x, 7, 7.0.1, 7.0.2, 7.0.3, 7.5, 7.6.1, 7.6.2, 11.1.1.6.0
Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Agile PLM For Process, versions 5.2.2, 6.0.0.6.3, 6.1.0.0, 6.1.0.1.14
Oracle Agile PLM Framework, versions 9.3.1.0, 9.3.1.1
Oracle Agile Product Supplier Collaboration for Process, versions 5.2.2, 6.1.0.0
Oracle PeopleSoft Enterprise Campus Solutions, version 9.0
Oracle PeopleSoft Enterprise PeopleTools, versions 8.50, 8.51, 8.52
Oracle Siebel UI Framework, version 8.1.1
Oracle Central Designer, versions 1.3, 1.4, 1.4.2
Oracle Clinical/Remote Data Capture, versions 4.6.0, 4.6.2
Oracle FLEXCUBE Direct Banking, versions 5.0.2, 5.0.5, 5.1.0, 5.2.0, 5.3.0-5.3.4, 6.0.1, 6.2.0, 12
Oracle FLEXCUBE Universal Banking, versions 10.0.0-10.5.0, 11.0.0-11.4.0, 12
Oracle Sun Product Suite
Oracle Secure Global Desktop, version 4.6
Oracle VM Virtual Box, versions 3.2, 4.0, 4.1
Oracle MySQL Server, versions 5.1.63 and earlier, 5.5.25 and earlier

Oracle Java SE Critical Patch Update Advisory - October 2012
============================================================

JDK and JRE 7 Update 7 and earlier
JDK and JRE 6 Update 35 and earlier
JDK and JRE 5.0 Update 36 and earlier
SDK and JRE 1.4.2_38 and earlier
JavaFX 2.2 and earlier

What can you do?
================

Deploy the updated versions of the software [2,3].

What to tell your users?
========================

Normal security best practices apply. In particular, inform your Web users to be cautious about following links to sites that are provided by unfamiliar or suspicious sources. Users should not click on links in suspicious emails and should immediately forward such emails to the respective IT security officer / contact in your institution. Run your applications with a non-privileged account.

More information
================

[1] http://www.oracle.com/technetwork/topics/security/alerts-086861.html
[2] http://www.oracle.com/technetwork/topics/security/cpuoct2012-1515893.html
[3] http://www.oracle.com/technetwork/topics/security/javacpuoct2012-1515924.html
[4] Information about CVSS: http://www.first.org/cvss/cvss-guide.html

Best regards,

CERT-EU (http://cert.europa.eu)
Phone: +32.2.2990005 / e-mail: cert-eu@ec.europa.eu
PGP KeyID 0x46AC4383
FP: 9011 6BE9 D642 DD93 8348 DAFA 27A4 06CA 46AC 4383