Compatible Support Forums

[security-announce] SUSE-SU-2015:1353-1: important: Security update for oracle-update


SUSE Security Update: Security update for oracle-update

______________________________________________________________________________

 

Announcement ID: SUSE-SU-2015:1353-1

Rating: important

References: #938160

Cross-References: CVE-2015-0468 CVE-2015-2599 CVE-2015-2629 CVE-2015-2646 CVE-2015-2647 CVE-2015-4735 CVE-2015-4740 CVE-2015-4753

Affected Products:

SUSE Manager 2.1

______________________________________________________________________________

 

An update that fixes 8 vulnerabilities is now available.

 

Description:

 

oracle-update was updated to fix eight security issues.

 

These security issues were fixed:

- CVE-2015-2629: Vulnerability in the Java VM component of Oracle Database Server. This vulnerability requires Create Session privileges for a successful attack. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution (bsc#938160).

- CVE-2015-2599: Vulnerability in the RDBMS Scheduler component of Oracle Database Server. This vulnerability requires Alter Session privileges for a successful attack. Successful attack of this vulnerability can result in unauthorized read access to all RDBMS Scheduler accessible data (bsc#938160).

- CVE-2015-4735: Vulnerability in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control (subcomponent: RAC Management). Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Enterprise Manager for Oracle Database accessible data (bsc#938160).

- CVE-2015-4740: Vulnerability in the RDBMS Partitioning component of Oracle Database Server. This vulnerability requires Create Session, Create Any Index, Index object privilege on a Table privileges for a successful attack. Difficult to exploit vulnerability allows successful authenticated network attacks via Oracle Net. Successful attack of this vulnerability can result in unauthorized takeover of RDBMS Partitioning possibly including arbitrary code execution within the RDBMS Partitioning (bsc#938160).

- CVE-2015-4753: Vulnerability in the RDBMS Support Tools component of Oracle Database Server. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized read access to all RDBMS Support Tools accessible data (bsc#938160).

- CVE-2015-0468: Vulnerability in the Core RDBMS component of Oracle Database Server. This vulnerability requires Analyze Any or Create Materialized View privileges for a successful attack. Difficult to exploit vulnerability allows successful authenticated network attacks via Oracle Net. Successful attack of this vulnerability can result in unauthorized takeover of Core RDBMS possibly including arbitrary code execution within the Core RDBMS (bsc#938160).

- CVE-2015-2647: Vulnerability in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control (subcomponent: Content Management). Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to all Enterprise Manager for Oracle Database accessible data as well as read access to all Enterprise Manager for Oracle Database accessible data (bsc#938160).

- CVE-2015-2646: Vulnerability in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control (subcomponent: Content Management). Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Enterprise Manager for Oracle Database accessible data (bsc#938160).

 

For more details please see http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html

 

 

Patch Instructions:

 

To install this SUSE Security Update use YaST online_update.

Alternatively you can run the command listed for your product:

 

- SUSE Manager 2.1:

 

zypper in -t patch sleman21-oracle-update-12017=1

 

To bring your system up-to-date, use "zypper patch".

 

 

Package List:

 

- SUSE Manager 2.1 (x86_64):

 

oracle-update-1.7-0.34.1

 

 

References:

 

https://www.suse.com/security/cve/CVE-2015-0468.html

https://www.suse.com/security/cve/CVE-2015-2599.html

https://www.suse.com/security/cve/CVE-2015-2629.html

https://www.suse.com/security/cve/CVE-2015-2646.html

https://www.suse.com/security/cve/CVE-2015-2647.html

https://www.suse.com/security/cve/CVE-2015-4735.html

https://www.suse.com/security/cve/CVE-2015-4740.html

https://www.suse.com/security/cve/CVE-2015-4753.html

https://bugzilla.suse.com/938160

 

--

To unsubscribe, e-mail: opensuse-security-announce+unsubscribe ( -at -) opensuse.org

For additional commands, e-mail: opensuse-security-announce+help ( -at -) opensuse.org
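
A post-patch verification for the Patch Instructions and Package List above, as an added example that is not part of the original advisory: it compares the installed `oracle-update` build against the fixed build `1.7-0.34.1`. The function names are hypothetical, and using GNU `sort -V` in place of RPM's own version comparison is an assumption that holds for numeric version strings like these.

```shell
#!/bin/sh
# Fixed build, taken from the advisory's package list.
FIXED="1.7-0.34.1"

# Return 0 when the version-release string in $1 is at or above $FIXED.
# Assumption: GNU `sort -V` ordering stands in for RPM's comparison.
# A plain string compare would wrongly rank 0.9.1 above 0.34.1.
is_fixed() {
    installed=$1
    [ -n "$installed" ] || return 2
    lowest=$(printf '%s\n%s\n' "$FIXED" "$installed" | sort -V | head -n 1)
    [ "$lowest" = "$FIXED" ]
}

# Print a one-line verdict for an installed build.
report() {
    if is_fixed "$1"; then
        echo "oracle-update $1: at or above $FIXED"
    else
        echo "oracle-update $1: below $FIXED, run: zypper in -t patch sleman21-oracle-update-12017=1"
    fi
}

# On a SUSE Manager 2.1 host, check the live RPM database.
if command -v rpm >/dev/null 2>&1; then
    if current=$(rpm -q --qf '%{VERSION}-%{RELEASE}' oracle-update 2>/dev/null); then
        report "$current"
    else
        echo "oracle-update is not installed"
    fi
fi
```
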

 

 

 
