====================================================================

                           CERT-Renater

               Note d'Information No. 2015/VULN141
_____________________________________________________________________

DATE                : 15/07/2015

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Oracle Database,
    Oracle Fusion Middleware, Oracle Hyperion,                   Oracle
Enterprise Manager, Oracle E-Business Suite,                Oracle
Supply Chain Suite, Oracle PeopleSoft Enterprise,                Oracle
Siebel CRM, Oracle Communications Applications,                Oracle
Java SE, Oracle Sun Systems Products Suite,                Oracle Linux
and Virtualization, Oracle MySQL.

======================================================================
https://blogs.oracle.com/security/entry/july_2015_critical_patch_update
______________________________________________________________________

 July 2015 Critical Patch Update Released
By Eric P. Maurice-Oracle on Jul 14, 2015

Hello, this is Eric Maurice.

Oracle today released the July 2015 Critical Patch Update. The Critical
Patch Update program is Oracle’s primary mechanism for the release of
security fixes across all Oracle products, including security fixes
intended to address vulnerabilities in third-party components included
in Oracle’s product distributions.

The July 2015 Critical Patch Update provides fixes for 193 new security
vulnerabilities across a wide range of product families including:
Oracle Database, Oracle Fusion Middleware, Oracle Hyperion, Oracle
Enterprise Manager, Oracle E-Business Suite, Oracle Supply Chain Suite,
Oracle PeopleSoft Enterprise, Oracle Siebel CRM, Oracle Communications
Applications, Oracle Java SE, Oracle Sun Systems Products Suite, Oracle
Linux and Virtualization, and Oracle MySQL.

Out of these 193 fixes, 44 are for third-party components included in
Oracle products distributions (e.g., Qemu, Glibc, etc.)

This Critical Patch Update provides 10 fixes for the Oracle Database,
and 2 of the Database vulnerabilities fixed in today’s Critical Patch
Update are remotely exploitable without authentication. The most severe
of these database vulnerabilities has received a CVSS Base Score of 9.0
for the Windows platform and 7.5 for Linux and Unix platforms. This
vulnerability (CVE-2015-2629) reflects the availability of new Java
fixes for the Java VM in the database.

With this Critical Patch Update, Oracle Fusion Middleware receives 39
new security fixes, 36 of which are for vulnerabilities which are
remotely exploitable without authentication. The highest CVSS Base Score
for these Fusion Middleware vulnerabilities is 7.5.

This Critical Patch Update also includes a number of fixes for Oracle
applications. Oracle E-Business Suite gets 13 fixes, Oracle Supply Chain
Suite gets 7, PeopleSoft Enterprise gets 8, and Siebel gets 5 fixes.
Rounding up this list are 2 fixes for the Oracle Commerce Platform.

The Oracle Communications Applications receive 2 new security fixes. The
highest CVSS Base Score for these vulnerabilities is 10.0, this score is
for vulnerability CVE-2015-0235, which affects Glibc, a component used
in the Oracle Communications Session Border Controller. Note that this
same Glibc vulnerability is also addressed in a number of Oracle Sun
Systems products.

Also included in this Critical Patch Update are 25 fixes Oracle Java SE.
23 of these Java SE vulnerabilities are remotely exploitable without
authentication. 16 of these Java SE fixes are for Java client-only,
including one fix for the client installation of Java SE. 5 of the Java
fixes are for client and server deployment. One fix is specific to the
Mac platform. And 4 fixes are for JSSE client and server deployments.
Please note that this Critical Patch Update also addresses a recently
announced 0-day vulnerability (CVE-2015-2590), which was being reported
as actively exploited in the wild.

This Critical Patch Update addresses 25 vulnerabilities in Oracle
Berkeley DB, and none of these vulnerabilities are remotely exploitable
without authentication. The highest CVSS Base score reported for these
vulnerabilities is 6.9.

Note that the CVSS standard was recently updated to version 3.0. In a
previous blog entry, Darius Wiles highlighted some of the enhancements
introduced by this new version. Darius will soon publish another blog
entry to discuss this updated CVSS standard and its implication for
Oracle’s future security advisories. Note that the CVSS Base Score
reported in the risk matrices in today’s Critical Patch Update were
based on CVSS v2.0.

For More Information:

The July 2015 Critical Patch Update advisory is located at
http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html

The Oracle Software Security Assurance web site is located at
http://www.oracle.com/us/support/assurance



=========================================================
Serveur de référence du CERT-Renater
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================