SUSE-SU-2015:1353-1: important: Security update for oracle-update
sle-security-updates at lists.suse.com
Thu Aug 6 06:33:01 MDT 2015
SUSE Security Update: Security update for oracle-update
______________________________________________________________________________
Announcement ID: SUSE-SU-2015:1353-1
Rating: important
References: #938160
Cross-References: CVE-2015-0468 CVE-2015-2599 CVE-2015-2629
CVE-2015-2646 CVE-2015-2647 CVE-2015-4735
CVE-2015-4740 CVE-2015-4753
Affected Products:
SUSE Manager 2.1
______________________________________________________________________________
An update that fixes 8 vulnerabilities is now available.
Description:
oracle-update was updated to fix eight security issues.
These security issues were fixed:
- CVE-2015-2629: Vulnerability in the Java VM component of Oracle Database
Server. This vulnerability requires Create Session privileges for a
successful attack. Easily exploitable vulnerability allows successful
authenticated network attacks via multiple protocols. Successful attack
of this vulnerability can result in unauthorized Operating System
takeover including arbitrary code execution (bsc#938160).
- CVE-2015-2599: Vulnerability in the RDBMS Scheduler component of Oracle
Database Server. This vulnerability requires Alter Session privileges
for a successful attack. Successful attack of this vulnerability can
result in unauthorized read access to all RDBMS Scheduler accessible
data (bsc#938160).
- CVE-2015-4735: Vulnerability in the Enterprise Manager for Oracle
Database component of Oracle Enterprise Manager Grid Control
(subcomponent: RAC Management). Easily exploitable vulnerability allows
successful unauthenticated network attacks via HTTP. Successful attack
of this vulnerability can result in unauthorized read access to a subset
of Enterprise Manager for Oracle Database accessible data (bsc#938160).
- CVE-2015-4740: Vulnerability in the RDBMS Partitioning component of
Oracle Database Server. This vulnerability requires Create Session,
Create Any Index, Index object privilege on a Table privileges for a
successful attack. Difficult to exploit vulnerability allows successful
authenticated network attacks via Oracle Net. Successful attack of this
vulnerability can result in unauthorized takeover of RDBMS Partitioning
possibly including arbitrary code execution within the RDBMS
Partitioning (bsc#938160).
- CVE-2015-4753: Vulnerability in the RDBMS Support Tools component of
Oracle Database Server. Easily exploitable vulnerability requiring logon
to Operating System. Successful attack of this vulnerability can result
in unauthorized read access to all RDBMS Support Tools accessible data
(bsc#938160).
- CVE-2015-0468: Vulnerability in the Core RDBMS component of Oracle
Database Server. This vulnerability requires Analyze Any or Create
Materialized View privileges for a successful attack. Difficult to
exploit vulnerability allows successful authenticated network attacks
via Oracle Net. Successful attack of this vulnerability can result in
unauthorized takeover of Core RDBMS possibly including arbitrary code
execution within the Core RDBMS (bsc#938160).
- CVE-2015-2647: Vulnerability in the Enterprise Manager for Oracle
Database component of Oracle Enterprise Manager Grid Control
(subcomponent: Content Management). Easily exploitable vulnerability
allows successful authenticated network attacks via HTTP. Successful
attack of this vulnerability can result in unauthorized update, insert
or delete access to all Enterprise Manager for Oracle Database
accessible data as well as read access to all Enterprise Manager for
Oracle Database accessible data (bsc#938160).
- CVE-2015-2646: Vulnerability in the Enterprise Manager for Oracle
Database component of Oracle Enterprise Manager Grid Control
(subcomponent: Content Management). Difficult to exploit vulnerability
allows successful unauthenticated network attacks via HTTP. Successful
attack of this vulnerability can result in unauthorized update, insert
or delete access to some Enterprise Manager for Oracle Database
accessible data (bsc#938160).
For more details please see
http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html
Patch Instructions:
To install this SUSE Security Update use YaST online_update.
Alternatively you can run the command listed for your product:
- SUSE Manager 2.1:
zypper in -t patch sleman21-oracle-update-12017=1
To bring your system up-to-date, use "zypper patch".
Package List:
- SUSE Manager 2.1 (x86_64):
oracle-update-1.7-0.34.1
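A post-patch check for the package listed above, added here as an example and not part of the SUSE advisory: it compares the installed oracle-update version-release against the fixed build 1.7-0.34.1. The function names are hypothetical, and GNU `sort -V` is assumed as an approximation of rpm's own version comparison.

```shell
#!/bin/sh
# Fixed build taken from the advisory's package list (SUSE Manager 2.1, x86_64).
PKG="oracle-update"
FIXED_EVR="1.7-0.34.1"

# evr_at_least INSTALLED FIXED
# Returns 0 when INSTALLED sorts at or after FIXED in version order.
# Assumption: `sort -V` stands in for rpm's comparison, which is adequate
# for the dotted numeric strings used by this package.
evr_at_least() {
    [ "$1" = "$2" ] && return 0
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)
    [ "$lowest" = "$2" ]
}

# classify INSTALLED_EVR
# Prints one of: not-installed, needs-update, fixed.
classify() {
    if [ -z "$1" ]; then
        echo "not-installed"
    elif evr_at_least "$1" "$FIXED_EVR"; then
        echo "fixed"
    else
        echo "needs-update"
    fi
}

# installed_evr
# Prints the installed version-release, or nothing when rpm is missing
# or the package is not installed.
installed_evr() {
    command -v rpm >/dev/null 2>&1 || return 0
    out=$(rpm -q --qf '%{VERSION}-%{RELEASE}\n' "$PKG" 2>/dev/null) || return 0
    printf '%s\n' "$out" | head -n 1
}

status=$(classify "$(installed_evr)")
echo "$PKG: $status (fixed in $FIXED_EVR)"
```

A plain string comparison would rank release 0.9.1 above 0.34.1; the version sort is what keeps an older build from being reported as fixed.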
References:
https://www.suse.com/security/cve/CVE-2015-0468.html
https://www.suse.com/security/cve/CVE-2015-2599.html
https://www.suse.com/security/cve/CVE-2015-2629.html
https://www.suse.com/security/cve/CVE-2015-2646.html
https://www.suse.com/security/cve/CVE-2015-2647.html
https://www.suse.com/security/cve/CVE-2015-4735.html
https://www.suse.com/security/cve/CVE-2015-4740.html
https://www.suse.com/security/cve/CVE-2015-4753.html
https://bugzilla.suse.com/938160