
====================================================================

                             CERT-Renater

                  Information Note No. 2012/VULN279
____________________________________________________________________

DATE                :  18/07/2012

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S):  Systems running Oracle Database,
                       Oracle Application Express,
                       Oracle Secure Backup, Oracle Fusion Middleware,
                       Oracle Enterprise Manager, Oracle Applications,
                       Oracle Sun product suites.

======================================================================
https://blogs.oracle.com/security/entry/july_2012_critical_patch_update
______________________________________________________________________

July 2012 Critical Patch Update Released
By Eric P. Maurice on Jul 17, 2012

Hi, this is Eric Maurice again.

Oracle has just released the July 2012 Critical Patch Update.  This
Critical Patch Update delivers a total of 87 new fixes across a number
of product families including: Oracle Database, Oracle Application
Express, Oracle Secure Backup, Oracle Fusion Middleware, Oracle
Enterprise Manager, Oracle Applications, and the Oracle Sun product
suites.

For the first time, in addition to the usual advisories, Oracle is
producing the Critical Patch Update advisory in an XML format that
conforms to the Common Vulnerability Reporting Format (CVRF) version
1.1.  CVRF is an XML language intended for the sharing of
security-related information in a machine-readable fashion.  This format
has been designed by the Industry Consortium for Advancement of Security on
the Internet (ICASI), of which Oracle is a member.  In a future blog
post, we will discuss CVRF in more detail, particularly to highlight
its benefit as a means to enable the sharing of vulnerability-related
information in a way that can be interpreted by a wide range of systems.

Out of these 87 new security fixes, 4 are for the Oracle Database.  The
highest CVSS Base Score for these database vulnerabilities is 5.0.  3
of these 4 vulnerabilities are remotely exploitable without
authentication; however, 2 of these vulnerabilities affect the Database
on the Windows platform only.

In addition, this Critical Patch Update includes 1 fix for the Oracle
Application Express Listener, 2 new fixes for Oracle Secure Backup, and
1 new fix for Oracle Enterprise Manager.

With this Critical Patch Update, Oracle Fusion Middleware receives 22
new fixes.  The highest CVSS Base Score for these Fusion Middleware
vulnerabilities is 10.0, but this score affects a series of Java
Runtime Environment issues in JRockit.  These Java SE fixes were
previously released in the June 2012 Critical Patch Update for Java
SE.  This Critical Patch Update also includes a new security fix for
Oracle Hyperion.

This Critical Patch Update provides the following applications security
fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain
Products Suite, 9 for Oracle PeopleSoft Enterprise, 7 for Oracle Siebel
CRM, and 1 for Oracle Life Sciences.

Finally, the Oracle Sun product suites receive 24 new security fixes,
and MySQL gets 6 new security fixes.  The highest CVSS Base Score for
the Sun product suites vulnerabilities is 7.8.

As usual, Oracle recommends that customers apply this Critical Patch
Update as soon as possible.  This is particularly important as our
experience has shown that potentially malicious hackers comb through
vendors’ advisories and often attempt to reverse-engineer the fixes
contained in them to develop new exploits.

Customers seeking recommendations for applying the Critical Patch
Update should refer to the “Recommendations for leveraging the Critical
Patch Update and maintaining a proper security posture” white paper
available on Oracle’s web site.  In addition, customers are encouraged
to take advantage of the broad range of resources, tools, and best
practices available on My Oracle Support.

For more information:

· The Oracle Software Security Assurance web site is located at
  http://www.oracle.com/us/support/assurance/index.html

· The July 2012 Critical Patch Update Advisory is located at
  http://www.oracle.com/technetwork/topics/security/alerts-086861.html

· Information about Oracle Support resources, tools, and best
  practices is available at
  http://www.oracle.com/us/support/best-practices/overview/index.html


======================================================================

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
=========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
+ 75013 Paris           | email: certsvp@renater.fr     +
=========================================================
