Security update for oracle-update

Announcement ID:	SUSE-SU-2015:1353-1
Rating:	important
References:	bsc#938160
Cross-References:	CVE-2015-0468 CVE-2015-2599 CVE-2015-2629 CVE-2015-2646 CVE-2015-2647 CVE-2015-4735 CVE-2015-4740 CVE-2015-4753
CVSS scores:
Affected Products:	SUSE Manager Server 2.1

An update that solves eight vulnerabilities can now be installed.

Description:

oracle-update was updated to fix eight security issues.

These security issues were fixed: - CVE-2015-2629: Vulnerability in the Java VM component of Oracle Database Server. This vulnerability requires Create Session privileges for a successful attack. Easily exploitable vulnerability allows successful authenticated network attacks via multiple protocols. Successful attack of this vulnerability can result in unauthorized Operating System takeover including arbitrary code execution (bsc#938160). - CVE-2015-2599: Vulnerability in the RDBMS Scheduler component of Oracle Database Server. This vulnerability requires Alter Session privileges for a successful attack. Successful attack of this vulnerability can result in unauthorized read access to all RDBMS Scheduler accessible data (bsc#938160). - CVE-2015-4735: Vulnerability in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control (subcomponent: RAC Management). Easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized read access to a subset of Enterprise Manager for Oracle Database accessible data (bsc#938160). - CVE-2015-4740: Vulnerability in the RDBMS Partitioning component of Oracle Database Server. This vulnerability requires Create Session, Create Any Index, Index object privilege on a Table privileges for a successful attack. Difficult to exploit vulnerability allows successful authenticated network attacks via Oracle Net. Successful attack of this vulnerability can result in unauthorized takeover of RDBMS Partitioning possibly including arbitrary code execution within the RDBMS Partitioning (bsc#938160). - CVE-2015-4753: Vulnerability in the RDBMS Support Tools component of Oracle Database Server. Easily exploitable vulnerability requiring logon to Operating System. Successful attack of this vulnerability can result in unauthorized read access to all RDBMS Support Tools accessible data (bsc#938160). - CVE-2015-0468: Vulnerability in the Core RDBMS component of Oracle Database Server. This vulnerability requires Analyze Any or Create Materialized View privileges for a successful attack. Difficult to exploit vulnerability allows successful authenticated network attacks via Oracle Net. Successful attack of this vulnerability can result in unauthorized takeover of Core RDBMS possibly including arbitrary code execution within the Core RDBMS (bsc#938160). - CVE-2015-2647: Vulnerability in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control (subcomponent: Content Management). Easily exploitable vulnerability allows successful authenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to all Enterprise Manager for Oracle Database accessible data as well as read access to all Enterprise Manager for Oracle Database accessible data (bsc#938160). - CVE-2015-2646: Vulnerability in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control (subcomponent: Content Management). Difficult to exploit vulnerability allows successful unauthenticated network attacks via HTTP. Successful attack of this vulnerability can result in unauthorized update, insert or delete access to some Enterprise Manager for Oracle Database accessible data (bsc#938160).

For more details please see http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• SUSE Manager Server 2.1
  zypper in -t patch sleman21-oracle-update-12017=1

Package List:

• SUSE Manager Server 2.1 (x86_64)
  • oracle-update-1.7-0.34.1

References:

• https://www.suse.com/security/cve/CVE-2015-0468.html
• https://www.suse.com/security/cve/CVE-2015-2599.html
• https://www.suse.com/security/cve/CVE-2015-2629.html
• https://www.suse.com/security/cve/CVE-2015-2646.html
• https://www.suse.com/security/cve/CVE-2015-2647.html
• https://www.suse.com/security/cve/CVE-2015-4735.html
• https://www.suse.com/security/cve/CVE-2015-4740.html
• https://www.suse.com/security/cve/CVE-2015-4753.html
• https://bugzilla.suse.com/show_bug.cgi?id=938160