Oracle Critical Patch Update Pre-Release Announcement - July 2014


Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2014, which will be released on Tuesday, July 15, 2014.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 115 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.  Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Vulnerabilities fixed by this Critical Patch Update are scored using the standard CVSS 2.0 scoring (see Oracle's Use of CVSS Scoring). The highest CVSS 2.0 Base Score for vulnerabilities in this Critical Patch Update is 10.0 for Java SE of Oracle Java SE.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
  • Oracle Database 12c Release 1, version 12.1.0.1
  • Oracle Fusion Middleware 11g Release 1, version 11.1.1.7
  • Oracle Fusion Middleware 12c Release 1, version 12.1.2.0
  • Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2
  • Oracle Traffic Director, version 11.1.1.7.0
  • Oracle iPlanet Web Proxy Server, version 4.0.24
  • Oracle iPlanet Web Server, version 6.1, 7.0
  • Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0
  • Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
  • Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0
  • Oracle BI Publisher, version 11.1.1.7
  • Oracle Glassfish Communications Server, versions 2.0
  • Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0
  • Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3
  • Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3
  • Oracle Hyperion Enterprise Performance Management Architect, versions 11.1.2.2, 11.1.2.3
  • Oracle Common Admin, versions 11.1.2.2, 11.1.2.3
  • Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.3, 12.2.2, 12.2.3
  • Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4
  • Oracle Agile Product Collaboration, version 9.3.3
  • Oracle PeopleSoft Enterprise ELS Enterprise Learning Management, version 9.1
  • Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53
  • Oracle PeopleSoft Enterprise FIN Install, versions 8.52, 8.53
  • Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2
  • Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2
  • Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
  • Oracle Siebel Core - Server OM Frwks, versions 8.1.1, 8.2.2
  • Oracle Siebel Core - EAI, versions 8.1.1, 8.2.2
  • Oracle Communications Messaging Server, versions 7.0.5.29.0, 7.0.5.30.0
  • Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0
  • Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0
  • Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3, 13.4, 14.0
  • Primavera P6 Enterprise Project Portfolio Management, version 8.3.2
  • Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5
  • Oracle JRockit, versions R27.8.2, R28.3.2
  • Oracle Solaris, versions 8, 9, 10, 11.1
  • Oracle Secure Global Desktop, versions prior to 4.63, 4.71, 5.0, 5.1
  • Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14
  • Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1
  • Sun Ray Software, versions prior to 5.4.3
  • Oracle MySQL Server, versions 5.5, 5.6

 

 

 

 

 

Executive Summaries

 

 

 

 

 

Executive Summaries

 

Oracle Database Server Executive Summary

 

This Critical Patch Update contains 6 new security fixes for the Oracle Database Server.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0

The Oracle Database Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Network Layer
  • RDBMS Core
  • XML Parser
 

Oracle Fusion Middleware Executive Summary

 

This Critical Patch Update contains 29 new security fixes for Oracle Fusion Middleware.  27 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Fusion Middleware is 7.5

The Oracle Fusion Middleware components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • BI Publisher
  • GlassFish Communications Server
  • Oracle Fusion Middleware
  • Oracle GlassFish Server
  • Oracle HTTP Server
  • Oracle iPlanet Web Proxy Server
  • Oracle iPlanet Web Server
  • Oracle JDeveloper
  • Oracle Traffic Director
  • Oracle WebCenter Portal
  • Oracle WebLogic Server
 

Oracle Hyperion Executive Summary

 

This Critical Patch Update contains 7 new security fixes for Oracle Hyperion.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Hyperion is 5.0

The Oracle Hyperion components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Hyperion Analytic Provider Services
  • Hyperion BI+
  • Hyperion Common Admin
  • Hyperion Enterprise Performance Management Architect
  • Hyperion Essbase
 

Oracle Enterprise Manager Grid Control Executive Summary

 

This Critical Patch Update contains 1 new security fix for Oracle Enterprise Manager Grid Control.  This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.  This fix is not applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Enterprise Manager Grid Control is 4.0

The Oracle Enterprise Manager Grid Control components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Solaris
 

Oracle E-Business Suite Executive Summary

 

This Critical Patch Update contains 5 new security fixes for the Oracle E-Business Suite.  2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle E-Business Suite is 6.8

The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Application Object Library
  • Oracle Applications Manager
  • Oracle Applications Technology Stack
  • Oracle Concurrent Processing
  • Oracle iStore
 

Oracle Supply Chain Products Suite Executive Summary

 

This Critical Patch Update contains 3 new security fixes for the Oracle Supply Chain Products Suite.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Supply Chain Products Suite is 5.5

The Oracle Supply Chain Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Agile Product Collaboration
  • Oracle Transportation Management
 

Oracle PeopleSoft Products Executive Summary

 

This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle PeopleSoft Products is 5.5

The Oracle PeopleSoft Products components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • PeopleSoft Enterprise ELS Enterprise Learning Management
  • PeopleSoft Enterprise FIN Install
  • PeopleSoft Enterprise PT PeopleTools
  • PeopleSoft Enterprise SCM Purchasing
 

Oracle Siebel CRM Executive Summary

 

This Critical Patch Update contains 6 new security fixes for Oracle Siebel CRM.  4 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Siebel CRM is 4.3

The Oracle Siebel CRM components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Siebel Core - EAI
  • Siebel Core - Server OM Frwks
  • Siebel Travel & Transportation
  • Siebel UI Framework
 

Oracle Communications Applications Executive Summary

 

This Critical Patch Update contains 1 new security fix for Oracle Communications Applications.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Communications Applications is 7.5

The Oracle Communications Applications components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Communications Messaging Server
 

Oracle Retail Applications Executive Summary

 

This Critical Patch Update contains 3 new security fixes for Oracle Retail Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Retail Applications is 7.5

The Oracle Retail Applications components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Retail Back Office
  • Oracle Retail Central Office
  • Oracle Retail Returns Management
 

Oracle Primavera Products Suite Executive Summary

 

This Critical Patch Update contains 1 new security fix for the Oracle Primavera Products Suite.  This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Primavera Products Suite is 7.5

The Oracle Primavera Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Primavera P6 Enterprise Project Portfolio Management
 

Oracle Java SE Executive Summary

 

This Critical Patch Update contains 20 new security fixes for Oracle Java SE.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0

The Oracle Java SE components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Java SE
  • JRockit
 

Oracle and Sun Systems Products Suite Executive Summary

 

This Critical Patch Update contains 3 new security fixes for the Oracle and Sun Systems Products Suite.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle and Sun Systems Products Suite is 6.9

The Oracle and Sun Systems Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Solaris
 

Oracle Virtualization Executive Summary

 

This Critical Patch Update contains 15 new security fixes for Oracle Virtualization.  8 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Virtualization is 7.5

The Oracle Virtualization components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Secure Global Desktop (SGD)
  • Oracle Virtual Desktop Infrastructure (VDI)
  • Oracle VM VirtualBox
  • Sun Ray Software
 

Oracle MySQL Executive Summary

 

This Critical Patch Update contains 10 new security fixes for Oracle MySQL.  None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle MySQL is 6.5

The Oracle MySQL components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • MySQL Server