Red Hat has released a security advisory and updated packages to address the Oracle Critical Patch Update for July 2012. CentOS has also released updated packages to address these vulnerabilities.
Oracle has released the July 2012 Critical Patch Update. As part of the security response, Oracle has released updates to correct 90 vulnerabilities in multiple products that could allow attackers to gain unauthorized access to targeted systems, access sensitive information, or cause a denial of service (DoS) condition.
The following Oracle products are affected:
Oracle Application Server 10g 10.1.3.1.5 and prior
Oracle Database Server 10g 126.96.36.199 and prior
Oracle Database Server 11g 188.8.131.52 and prior and 184.108.40.206 and prior
Oracle E-Business Suite 220.127.116.11, 12.0.4, 120.6, and 12.1.3 and prior
Oracle Enterprise Manager Grid Control 10g 10.2.0.5 and prior
Oracle Fusion Middleware 18.104.22.168 and prior
Oracle Hyperion Performance Suite 11.1.2 and prior
Oracle Identity Management 10g 10.1.4.3
Oracle Outside In Technology 8.3.5 and 8.3.7
Oracle Secure Backup 10.3.0.3 and prior and 10.4.1 and prior
Oracle Siebel Customer Relationship Management (CRM) 8.1.1 and 8.2.2
Oracle Transportation Manager 5.5.06, 6.0.03, 6.1, and 6.2
PeopleSoft Enterprise HRMS 9.0 and 9.1
PeopleSoft Enterprise PeopleTools 8.50, 8.51, and 8.52
Oracle Enterprise Manager Grid Control 11g 22.214.171.124
Oracle AutoVue 20.0.1 and 20.0.2
Oracle Clinical 4.6.3 and prior
Proof-of-concept code that demonstrates an exploit for Oracle Outside In Technology is publicly available.
Oracle has released patches for registered users at the following link: Oracle
CentOS packages can be updated using the up2date or yum command.
Red Hat has released a security advisory at the following link: RHSA-2012-1462.
Red Hat has released updated software for registered subscribers at the following link: Red Hat Network. Red Hat packages can be updated on Red Hat Enterprise Linux versions 5 and later using the yum tool.
US-CERT has released a vulnerability note at the following link: VU#118913
Version 2, July 23, 2012, 3:42 PM: Proof-of-concept code that demonstrates an exploit for Oracle Outside In Technology is publicly available. US-CERT has also released a vulnerability note to address this vulnerability.
Version 1, July 18, 2012, 10:40 AM: Oracle has released the July 2012 Critical Patch Update to address multiple security vulnerabilities in multiple Oracle products.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.