Oracle Critical Patch Update Pre-Release Announcement – January 2013
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for January 2013, which will be released on Tuesday, January 15, 2013. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
Oracle Security Alert for CVE-2013-0422 was released on January 13, 2013.
This Security Alert addresses security issue CVE-2013-0422 (US-CERT Alert TA13-010A) affecting Java running in web browsers on desktops.
The flaw is limited to JDK7. It does not exist in other releases of Java, and does not affect Java applications directly installed and running on servers, desktops, laptops, and other devices.
Oracle strongly recommends applying Security Alert fixes as soon as possible.
The Security Alert Advisory is the starting point for relevant information. It includes the list of products affected, a summary of security vulnerabilities, and a pointer to obtain the latest patches. Supported products that are not listed in the "Affected Products and Versions" section of the advisory do not require new patches to be applied.
It is also essential to review the Security Alert supporting documentation referenced in the Advisory before applying patches, as it contains important pertinent information.
The Advisory is available at the following location:
Oracle Critical Patch Updates and Security Alerts:
Oracle Security Alert CVE-2013-0422:
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 86 new security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
Vulnerabilities fixed by this Critical Patch Update are scored using the standard CVSS 2.0 scoring (see Oracle's Use of CVSS Scoring). The highest CVSS 2.0 Base Score for vulnerabilities in this Critical Patch Update is 10.0 for Mobile Server of Oracle Database Mobile/Lite Server.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the following products:
- Oracle Database 11g Release 2, versions 184.108.40.206, 220.127.116.11
- Oracle Database 11g Release 1, version 18.104.22.168
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
- Oracle Database Mobile Server, version 22.214.171.124
- Oracle Database Lite Server, version 10.3.0.3
- Oracle Access Manager/Webgate, versions 10.1.4.3.0, 126.96.36.199.0, 188.8.131.52.0
- Oracle GoldenGate Veridata, version 184.108.40.206.0
- Management Pack for Oracle GoldenGate, version 220.127.116.11.0
- Oracle Outside In Technology, versions 8.3.7, 8.4
- Oracle WebLogic Server, versions 9.2.4, 10.0.2, 10.3.5, 10.3.6, 12.1.1
- Application Performance Management, versions 6.5, 11.1, 18.104.22.168
- Enterprise Manager Grid Control 11g Release 1, version 22.214.171.124
- Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
- Enterprise Manager Plugin for Database 12c Release 1, versions 126.96.36.199, 188.8.131.52
- Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
- Oracle E-Business Suite Release 11i, version 184.108.40.206
- Oracle Agile PLM Framework, version 220.127.116.11
- Oracle PeopleSoft HRMS, versions 9.0, 9.1
- Oracle PeopleSoft PeopleTools, versions 8.51, 8.52
- Oracle JD Edwards EnterpriseOne Tools, versions 8.9, 9.1, SP24
- Oracle Siebel CRM, versions 8.1.1, 8.2.2
- Oracle Sun Product Suite
- Oracle VM VirtualBox, versions 4.0, 4.1, 4.2
- Oracle MySQL Server, versions 5.1.66 and earlier, 5.5.28 and earlier.
Oracle Siebel CRM Executive Summary
This Critical Patch Update contains 10 new security fixes for Oracle Siebel CRM. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
The highest CVSS Base Score of vulnerabilities affecting Oracle Siebel CRM is 5.0.