====================================================================
                            CERT-Renater

                 Information Note No. 2012/VULN189
____________________________________________________________________

DATE                : 18/04/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Oracle Database Server, Oracle
                      Fusion Middleware, Oracle Enterprise Manager
                      Grid Control, Oracle E-Business Suite, Oracle
                      Supply Chain Products Suite, Oracle PeopleSoft
                      Enterprise, Oracle FLEXCUBE, Oracle Siebel
                      Clinical Trial Management System, Oracle
                      Primavera, Oracle Sun products suite, Oracle
                      MySQL.

======================================================================
https://blogs.oracle.com/security/entry/april_2012_critical_patch_update
______________________________________________________________________

April 2012 Critical Patch Update Released

By Eric P. Maurice on Apr 17, 2012

Hi, this is Eric Maurice.

Oracle has just released the April 2012 Critical Patch Update. This
Critical Patch Update provides 88 new security fixes across the
following product families: Oracle Database Server, Oracle Fusion
Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business
Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft
Enterprise, Oracle FLEXCUBE, Oracle Siebel Clinical Trial Management
System, Oracle Primavera, Oracle Sun products suite, and Oracle MySQL.

Of the 88 new vulnerabilities, 6 directly affect Oracle Database
Server. The highest CVSS Base Score for these Database Server
vulnerabilities is 9.0. This Base Score affects the Oracle Spatial
component on Windows platforms (on non-Windows platforms, i.e., Linux,
Unix, the CVSS Base Score is 6.5). In addition, 6 Enterprise Manager
Grid Control fixes may be relevant to Database Server deployments. The
highest CVSS Base Score for the Enterprise Manager Grid Control
vulnerabilities is 5.8; but 4 of the 6 vulnerabilities can be remotely
exploitable without authentication.
Therefore, Oracle highly recommends that these fixes be applied as
soon as possible.

This Critical Patch Update also includes 11 new security fixes for
Oracle Fusion Middleware. The highest CVSS Base Score for these Fusion
Middleware vulnerabilities is 10.0 (for vulnerability CVE-2012-1695).
This score affects a series of vulnerabilities in the Java Runtime
Environment that are applicable to JRockit. Starting again with this
Critical Patch Update, JRockit fixes will no longer be provided with
the Critical Patch Update for Java SE, but be provided in “the normal”
Critical Patch Update along with other Oracle Fusion Middleware fixes.

This Critical Patch Update provides the following application security
fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain
Products Suite, 15 for Oracle PeopleSoft Enterprise, 2 for Siebel
Clinical Trial Management System, 17 for Oracle FLEXCUBE, and 1 for
Oracle Primavera Enterprise Project Management.

Finally, this Critical Patch Update provides 15 new security fixes for
the Oracle Sun Products Suite (including Oracle Grid Engine, Oracle
Glassfish Enterprise Server, Oracle Solaris, etc.) and 6 new security
fixes for Oracle MySQL.

While a great amount of caution is required when analyzing the content
of the Critical Patch Updates in an attempt to identify potential
trends, I believe the content of this Critical Patch Update is
consistent with the views expressed in previous blog entries: Oracle
Software Security Assurance activities tend to result in lowering the
number of exploitable security bugs in most mature product lines (that
is, the product lines that have implemented Oracle secure development
practices for the longest time), and as a result we see a downward
trend in the number of fixes for these product lines. On the other
hand, newly acquired product lines often experience a relatively large
number of security fixes in the Critical Patch Updates.
This is due in part to the increased visibility these products may get
as a result of their acquisition by Oracle, as well as development’s
access to an extended toolset (e.g., security scanning tools) and
increased executive attention around security matters as a result of
joining Oracle.

For More Information:

The April 2012 Critical Patch Update Advisory is located at
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

More information about Oracle Software Security Assurance is located at
http://www.oracle.com/us/support/assurance/index.html

======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER        | tel : 01-53-94-20-44            +
+ 23 - 25 Rue Daviel  | fax : 01-53-94-20-41            +
+ 75013 Paris         | email: certsvp@renater.fr       +
=========================================================