   SUSE Security Update: Security update for oracle-update
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1353-1
Rating:             important
References:         #938160
Cross-References:   CVE-2015-0468 CVE-2015-2599 CVE-2015-2629
                    CVE-2015-2646 CVE-2015-2647 CVE-2015-4735
                    CVE-2015-4740 CVE-2015-4753
Affected Products:
                    SUSE Manager 2.1
______________________________________________________________________________

   An update that fixes 8 vulnerabilities is now available.

Description:

   oracle-update was updated to fix eight security issues.

   These security issues were fixed:

   - CVE-2015-2629: Vulnerability in the Java VM component of Oracle
     Database Server. This vulnerability requires Create Session
     privileges for a successful attack. Easily exploitable vulnerability
     allows successful authenticated network attacks via multiple
     protocols. Successful attack of this vulnerability can result in
     unauthorized Operating System takeover including arbitrary code
     execution (bsc#938160).
   - CVE-2015-2599: Vulnerability in the RDBMS Scheduler component of
     Oracle Database Server. This vulnerability requires Alter Session
     privileges for a successful attack. Successful attack of this
     vulnerability can result in unauthorized read access to all RDBMS
     Scheduler accessible data (bsc#938160).
   - CVE-2015-4735: Vulnerability in the Enterprise Manager for Oracle
     Database component of Oracle Enterprise Manager Grid Control
     (subcomponent: RAC Management). Easily exploitable vulnerability
     allows successful unauthenticated network attacks via HTTP.
     Successful attack of this vulnerability can result in unauthorized
     read access to a subset of Enterprise Manager for Oracle Database
     accessible data (bsc#938160).
   - CVE-2015-4740: Vulnerability in the RDBMS Partitioning component of
     Oracle Database Server. This vulnerability requires Create Session,
     Create Any Index, Index object privilege on a Table privileges for a
     successful attack. Difficult to exploit vulnerability allows
     successful authenticated network attacks via Oracle Net. Successful
     attack of this vulnerability can result in unauthorized takeover of
     RDBMS Partitioning possibly including arbitrary code execution within
     the RDBMS Partitioning (bsc#938160).
   - CVE-2015-4753: Vulnerability in the RDBMS Support Tools component of
     Oracle Database Server. Easily exploitable vulnerability requiring
     logon to Operating System. Successful attack of this vulnerability
     can result in unauthorized read access to all RDBMS Support Tools
     accessible data (bsc#938160).
   - CVE-2015-0468: Vulnerability in the Core RDBMS component of Oracle
     Database Server. This vulnerability requires Analyze Any or Create
     Materialized View privileges for a successful attack. Difficult to
     exploit vulnerability allows successful authenticated network attacks
     via Oracle Net. Successful attack of this vulnerability can result in
     unauthorized takeover of Core RDBMS possibly including arbitrary code
     execution within the Core RDBMS (bsc#938160).
   - CVE-2015-2647: Vulnerability in the Enterprise Manager for Oracle
     Database component of Oracle Enterprise Manager Grid Control
     (subcomponent: Content Management). Easily exploitable vulnerability
     allows successful authenticated network attacks via HTTP. Successful
     attack of this vulnerability can result in unauthorized update,
     insert or delete access to all Enterprise Manager for Oracle Database
     accessible data as well as read access to all Enterprise Manager for
     Oracle Database accessible data (bsc#938160).
   - CVE-2015-2646: Vulnerability in the Enterprise Manager for Oracle
     Database component of Oracle Enterprise Manager Grid Control
     (subcomponent: Content Management). Difficult to exploit
     vulnerability allows successful unauthenticated network attacks via
     HTTP. Successful attack of this vulnerability can result in
     unauthorized update, insert or delete access to some Enterprise
     Manager for Oracle Database accessible data (bsc#938160).

   For more details please see
   http://www.oracle.com/technetwork/topics/security/cpujul2015verbose-2367947.html

Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Manager 2.1:

      zypper in -t patch sleman21-oracle-update-12017=1

   To bring your system up-to-date, use "zypper patch".

Package List:

   - SUSE Manager 2.1 (x86_64):

      oracle-update-1.7-0.34.1

References:

   https://www.suse.com/security/cve/CVE-2015-0468.html
   https://www.suse.com/security/cve/CVE-2015-2599.html
   https://www.suse.com/security/cve/CVE-2015-2629.html
   https://www.suse.com/security/cve/CVE-2015-2646.html
   https://www.suse.com/security/cve/CVE-2015-2647.html
   https://www.suse.com/security/cve/CVE-2015-4735.html
   https://www.suse.com/security/cve/CVE-2015-4740.html
   https://www.suse.com/security/cve/CVE-2015-4753.html
   https://bugzilla.suse.com/938160