SUSE-SU-2015:1353-1: important: Security update for oracle-update

sle-security-updates at lists.suse.com
Thu Aug 6 06:33:01 MDT 2015


   SUSE Security Update: Security update for oracle-update
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1353-1
Rating:             important
References:         #938160 
Cross-References:   CVE-2015-0468 CVE-2015-2599 CVE-2015-2629
                    CVE-2015-2646 CVE-2015-2647 CVE-2015-4735
                    CVE-2015-4740 CVE-2015-4753
Affected Products:
                    SUSE Manager 2.1
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   oracle-update was updated to fix eight security issues.

   These security issues were fixed:
   - CVE-2015-2629: Vulnerability in the Java VM component of Oracle Database
     Server. This vulnerability requires Create Session privileges for a
     successful attack. Easily exploitable vulnerability allows successful
     authenticated network attacks via multiple protocols. Successful attack
     of this vulnerability can result in unauthorized Operating System
     takeover including arbitrary code execution (bsc#938160).
   - CVE-2015-2599: Vulnerability in the RDBMS Scheduler component of Oracle
     Database Server. This vulnerability requires Alter Session privileges
     for a successful attack. Successful attack of this vulnerability can
     result in unauthorized read access to all RDBMS Scheduler accessible
     data (bsc#938160).
   - CVE-2015-4735: Vulnerability in the Enterprise Manager for Oracle
     Database component of Oracle Enterprise Manager Grid Control
     (subcomponent: RAC Management). Easily exploitable vulnerability allows
     successful unauthenticated network attacks via HTTP. Successful attack
     of this vulnerability can result in unauthorized read access to a subset
     of Enterprise Manager for Oracle Database accessible data (bsc#938160).
   - CVE-2015-4740: Vulnerability in the RDBMS Partitioning component of
     Oracle Database Server. This vulnerability requires Create Session,
     Create Any Index, Index object privilege on a Table privileges for a
     successful attack. Difficult to exploit vulnerability allows successful
     authenticated network attacks via Oracle Net. Successful attack of this
     vulnerability can result in unauthorized takeover of RDBMS Partitioning
     possibly including arbitrary code execution within the RDBMS
     Partitioning (bsc#938160).
   - CVE-2015-4753: Vulnerability in the RDBMS Support Tools component of
     Oracle Database Server. Easily exploitable vulnerability requiring logon
     to Operating System. Successful attack of this vulnerability can result
     in unauthorized read access to all RDBMS Support Tools accessible data
     (bsc#938160).
   - CVE-2015-0468: Vulnerability in the Core RDBMS component of Oracle
     Database Server. This vulnerability requires Analyze Any or Create
     Materialized View privileges for a successful attack. Difficult to
     exploit vulnerability allows successful authenticated network attacks
     via Oracle Net. Successful attack of this vulnerability can result in
     unauthorized takeover of Core RDBMS possibly including arbitrary code
     execution within the Core RDBMS (bsc#938160).
   - CVE-2015-2647: Vulnerability in the Enterprise Manager for Oracle
     Database component of Oracle Enterprise Manager Grid Control
     (subcomponent: Content Management). Easily exploitable vulnerability
     allows successful authenticated network attacks via HTTP. Successful
     attack of this vulnerability can result in unauthorized update, insert
     or delete access to all Enterprise Manager for Oracle Database
     accessible data as well as read access to all Enterprise Manager for
     Oracle Database accessible data (bsc#938160).
   - CVE-2015-2646: Vulnerability in the Enterprise Manager for Oracle
     Database component of Oracle Enterprise Manager Grid Control
     (subcomponent: Content Management). Difficult to exploit vulnerability
     allows successful unauthenticated network attacks via HTTP. Successful
     attack of this vulnerability can result in unauthorized update, insert
     or delete access to some Enterprise Manager for Oracle Database
     accessible data (bsc#938160).

   For more details please see
   http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-oracle-update-12017=1

   To bring your system up-to-date, use "zypper patch".


Package List:

   - SUSE Manager 2.1 (x86_64):

      oracle-update-1.7-0.34.1
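
   A post-install check for the package listed above, added here as an
   example (it is not part of the SUSE announcement). The function names are
   hypothetical, and GNU `sort -V` stands in for rpm's own version comparison,
   which is an assumption that holds for plain version-release strings like
   this one.

```shell
#!/bin/sh
# Added example: confirm the fixed oracle-update build from this advisory
# is installed. Function names are illustrative, not SUSE tooling.

FIXED_EVR="1.7-0.34.1"   # version-release from the advisory's Package List

# evr_ge A B: succeed when version-release A is equal to or newer than B.
# Approximates rpm ordering with GNU sort -V (assumption: no epoch, no tilde).
evr_ge() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# check_installed EVR: print a verdict for an installed version-release string.
check_installed() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif evr_ge "$1" "$FIXED_EVR"; then
        echo "patched"
    else
        echo "needs-update"
    fi
}

# installed_evr: ask rpm for the installed oracle-update version-release.
# Prints nothing when rpm is unavailable or the package is absent.
installed_evr() {
    command -v rpm >/dev/null 2>&1 || return 0
    rpm -q --queryformat '%{VERSION}-%{RELEASE}\n' oracle-update 2>/dev/null \
        | grep -v 'not installed' | head -n 1
}

# Report the state of the local system.
check_installed "$(installed_evr)"
```

   A result of "needs-update" means the installed build predates
   oracle-update-1.7-0.34.1 and the patch command above has not been applied.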


References:

   https://www.suse.com/security/cve/CVE-2015-0468.html
   https://www.suse.com/security/cve/CVE-2015-2599.html
   https://www.suse.com/security/cve/CVE-2015-2629.html
   https://www.suse.com/security/cve/CVE-2015-2646.html
   https://www.suse.com/security/cve/CVE-2015-2647.html
   https://www.suse.com/security/cve/CVE-2015-4735.html
   https://www.suse.com/security/cve/CVE-2015-4740.html
   https://www.suse.com/security/cve/CVE-2015-4753.html
   https://bugzilla.suse.com/938160


