Oracle Critical Patch Update Pre-Release Announcement - October 2014


Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for October 2014, which will be released on Tuesday, October 14, 2014.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 155 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.  Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Vulnerabilities fixed by this Critical Patch Update are scored using the standard CVSS 2.0 scoring (see Oracle's Use of CVSS Scoring). The highest CVSS 2.0 Base Score for vulnerabilities in this Critical Patch Update is 10.0, for the Java SE and Java SE Embedded components of Oracle Java SE.

Affected Products and Components

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
  • Oracle Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
  • Oracle Application Express, versions prior to 4.2.6
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.7
  • Oracle Fusion Middleware 11g Release 2, versions 11.1.2.1, 11.1.2.2, 11.1.2.4
  • Oracle Fusion Middleware 12c, versions 12.1.1.0, 12.1.2.0, 12.1.3.0
  • Oracle Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
  • Oracle Endeca Information Discovery Studio versions 2.2.2, 2.3, 2.4, 3.0, 3.1
  • Oracle Enterprise Data Quality versions 8.1.2, 9.0.11
  • Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
  • Oracle JDeveloper, versions 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
  • Oracle OpenSSO version 3.0-04
  • Oracle WebLogic Server, versions 10.0.2, 10.3.6, 12.1.1, 12.1.2, 12.1.3
  • Application Performance Management, versions 12.1.0.4.4, 12.1.0.5.4, 12.1.0.6.1
  • Enterprise Manager for Oracle Database Releases 10g, 11g, 12c
  • Enterprise Manager Ops Center, versions 11.1, 12.1, 12.2
  • Oracle E-Business Suite Release 11i version 11.5.10.2
  • Oracle E-Business Suite Release 12 versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
  • Oracle Agile PLM, versions 9.3.1.2, 9.3.3
  • Oracle Transportation Management, versions 6.1, 6.2, 6.3.0 through 6.3.5
  • Oracle PeopleSoft Enterprise HRMS, version 9.2
  • Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53, 8.54
  • Oracle JD Edwards EnterpriseOne Tools, version 8.98
  • Oracle Communications MetaSolv Solution, versions 6.2.1.0.0 (MetaSolv Solution), 9.4.0 and 10.1.0 (LSR), 49.0.0 (ASR)
  • Oracle Communications Session Border Controller, version SCX640m5
  • Oracle Retail Allocation, versions 10.0, 11.0, 12.0, 13.0, 13.1, 13.2
  • Oracle Retail Clearance Optimization Engine, versions 13.3, 13.4, 14.0
  • Oracle Retail Invoice Matching, versions 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
  • Oracle Retail Markdown Optimization, versions 12.0, 13.0, 13.1, 13.2, 13.4
  • Oracle Health Sciences Empirica Inspections, versions 1.0.x, 3.1.x and 7.3.x
  • Oracle Health Sciences Empirica Signal, versions 1.0.x, 3.1.x and 7.3.x
  • Oracle Health Sciences Empirica Study, versions 1.0.x, 3.1.x and 7.3.x
  • Oracle Primavera Contract Management, versions 13.1, 14.0
  • Oracle Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.1, 8.2, 8.3
  • Oracle JavaFX, version 2.2.65
  • Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20
  • Oracle Java SE Embedded, version 7u60
  • Oracle JRockit, versions R27.8.3, R28.3.3
  • Fujitsu M10-1, M10-4, M10-4S servers
  • Oracle Solaris, versions 10, 11
  • Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
  • Oracle VM VirtualBox, versions prior to 4.1.34, 4.2.26, 4.3.14
  • Oracle MySQL Server, versions 5.5.39 and earlier, 5.6.20 and earlier
Executive Summaries
Oracle Database Server Executive Summary
This Critical Patch Update contains 32 new security fixes for the Oracle Database Server.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.  4 of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Database Server is 9.0.

The Oracle Database Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Application Express
  • Core RDBMS
  • Java VM
  • JDBC
  • JPublisher
  • PL/SQL
  • SQLJ

Oracle Fusion Middleware Executive Summary

This Critical Patch Update contains 17 new security fixes for Oracle Fusion Middleware.  13 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.   

The highest CVSS Base Score of vulnerabilities affecting Oracle Fusion Middleware is 7.5.

The Oracle Fusion Middleware components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Access Manager
  • Oracle Endeca Information Discovery Studio
  • Oracle Enterprise Data Quality
  • Oracle Identity Manager
  • Oracle JDeveloper
  • Oracle OpenSSO
  • Oracle WebLogic Server

Oracle Enterprise Manager Grid Control Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Enterprise Manager Grid Control. 1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Enterprise Manager Grid Control installed.

The highest CVSS Base Score of vulnerabilities affecting Oracle Enterprise Manager Grid Control is 4.9.

The Oracle Enterprise Manager Grid Control components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Application Performance Management
  • Enterprise Manager for Oracle Database
  • Enterprise Manager Ops Center

Oracle E-Business Suite Executive Summary

This Critical Patch Update contains 9 new security fixes for the Oracle E-Business Suite.  7 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle E-Business Suite is 5.0.

The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Applications Framework
  • Oracle Applications Manager
  • Oracle Applications Object Library
  • Oracle Applications Technology
  • Oracle Payments

Oracle Supply Chain Products Suite Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle Supply Chain Products Suite.  3 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Supply Chain Products Suite is 6.8.

The Oracle Supply Chain Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Agile PLM
  • Oracle Transportation Management

Oracle PeopleSoft Products Executive Summary

This Critical Patch Update contains 5 new security fixes for Oracle PeopleSoft Products.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle PeopleSoft Products is 5.8.

The Oracle PeopleSoft Products components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • PeopleSoft Enterprise HRMS
  • PeopleSoft Enterprise PeopleTools
  • PeopleSoft Enterprise PT PeopleTools

Oracle JD Edwards Products Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle JD Edwards Products. This vulnerability is not remotely exploitable without authentication, i.e., it cannot be exploited over a network without a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle JD Edwards Products is 4.3.

The Oracle JD Edwards Products components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • JD Edwards EnterpriseOne Tools

Oracle Communications Applications Executive Summary

This Critical Patch Update contains 2 new security fixes for Oracle Communications Applications.  1 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Communications Applications is 7.5.

The Oracle Communications Applications components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Communications MetaSolv Solution
  • Oracle Communications Session Border Controller

Oracle Retail Applications Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Retail Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Retail Applications is 7.5.

The Oracle Retail Applications components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Retail Allocation
  • Oracle Retail Clearance Optimization Engine
  • Oracle Retail Invoice Matching
  • Oracle Retail Markdown Optimization

Oracle Health Sciences Applications Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle Health Sciences Applications.  All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Health Sciences Applications is 5.0.

The Oracle Health Sciences Applications components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Health Sciences Empirica Inspections
  • Oracle Health Sciences Empirica Signal
  • Oracle Health Sciences Empirica Study

Oracle Primavera Products Suite Executive Summary

This Critical Patch Update contains 2 new security fixes for the Oracle Primavera Products Suite. Neither of these vulnerabilities is remotely exploitable without authentication, i.e., neither can be exploited over a network without a username and password.

The highest CVSS Base Score of vulnerabilities affecting Oracle Primavera Products Suite is 6.5.

The Oracle Primavera Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Primavera Contract Management
  • Primavera P6 Enterprise Project Portfolio Management

Oracle Java SE Executive Summary

This Critical Patch Update contains 25 new security fixes for Oracle Java SE.  22 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Java SE is 10.0.

The Oracle Java SE components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Java SE
  • Java SE Embedded
  • JavaFX
  • JRockit

Oracle Sun Systems Products Suite Executive Summary

This Critical Patch Update contains 15 new security fixes for the Oracle Sun Systems Products Suite.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Sun Systems Products Suite is 7.8.

The Oracle Sun Systems Products Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Fujitsu M10-1, Fujitsu M10-4, and Fujitsu M10-4S servers
  • Solaris

Oracle Virtualization Executive Summary

This Critical Patch Update contains 7 new security fixes for Oracle Virtualization.  6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle Virtualization is 5.0.

The Oracle Virtualization components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Secure Global Desktop
  • Oracle VM VirtualBox

Oracle MySQL Executive Summary

This Critical Patch Update contains 24 new security fixes for Oracle MySQL.  9 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 

The highest CVSS Base Score of vulnerabilities affecting Oracle MySQL is 8.0.

The Oracle MySQL components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • MySQL Server