Oracle Security Alert for CVE-2014-7169

简介: Oracle Security Alert for CVE-2014-7169 Description This Security Alert addresses multiple publicly disclosed vulnerabil...

Oracle Security Alert for CVE-2014-7169


Description


This Security Alert addresses multiple publicly disclosed vulnerabilities affecting GNU Bash, specifically CVE-2014-6271, CVE-2014-7169, CVE-2014-7186, CVE-2014-7187, CVE-2014-6277 and CVE-2014-6278.GNU Bash is a popular open source command line shell incorporated into Linux and other widely used operating systems. These           vulnerabilities affect multiple Oracle products. These           vulnerabilities may be remotely exploitable without           authentication, i.e. may be exploited over a network without           the need for a username and password. A remote user can           exploit these vulnerabilities to execute arbitrary code on           systems that are running affected versions of Bash.

      

Forthis document, the vulnerabilities listed above                 will be referred to collectively as CVE-2014-7169.         

Oracle is investigating and will provide fixes for           affected products as soon as they have been fully tested and           determined to provide effective mitigation against these           vulnerabilities.

       Due to the severity, public disclosure, and             reports of active exploitation of CVE-2014-7169 and the             related vulnerabilities, Oracle strongly recommends that             customers apply the fixes provided by this Security Alert as             soon as they are released by Oracle.


Affected Products and Versions


      

Please refer to Bash Vulnerabilities - CVE-2014-7169 for a           list of Oracle products and versions that are affected by these           vulnerabilities.That page will            be updated when new information becomes available.

Patch Availability


      

Patch availability information related to these vulnerabilities can be found on theBash Vulnerabilities - CVE-2014-7169 page. Note that in some instances, the instructions           on this page or references from this page may include           important steps to take before and after the application of           the relevant patch.

      

Supported Products and Versions

      

Patch availability information is provided only for           product versions that are covered under the Premier Support or           Extended Support phases of theLifetime              Support Policy. We recommend that customers remain on           actively supported versions to ensure that they continue to           receive security fixes from Oracle.

      

Product releases that are not under Premier Support or           Extended Support are not tested for the presence of           the vulnerabilities addressed by this Security Alert. However, it is           likely that earlier versions of affected releases are also           affected by these vulnerabilities.

      

Products in Extended Support

      

Security Alert fixes are available to customers who have           purchased Extended Support under theLifetime              Support Policy. Customers must have a valid Extended           Support service contract to apply Security Alert fixes for           products in the Extended Support Phase.

References

Modification History


Date Comments
2014-September-26 Rev 1. Initial Release
2014-September-27 Rev 2. Fixes available for Exalogic
2014-September-28 Rev 3. Tables modified for products affected with and without fixes
2014-September-29 Rev 4. Detailed product information moved to Bash Vulnerabilities - CVE-2014-7169

 

Appendix - Oracle Sun Systems Products Suite

             

Oracle Sun Systems Products Suite Executive Summary

This Security Alert contains 1 new security fix for the Oracle Sun Systems Products Suite.   This vulnerability is remotely exploitable without authentication,  i.e.,  may be exploited over a network without the need for a username and password.    The English text form of this Risk Matrix can be found here.

Oracle Sun Systems Products Suite Risk Matrix


            
CVE# Component Protocol Sub-
                         component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (seeRisk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
                         tication
Confiden-
                         tiality
Integrity Avail-
                         ability
CVE-2014-7169 Solaris Multiple Bash Yes 10.0 Network Low None Complete Complete Complete 8,  9,  10,  11 See Note 1

Notes:

  1. The CVSS score is taken from
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.
 
              

Appendix - Oracle Linux and Virtualization

 

Oracle Linux Executive Summary

This Security Alert contains 1 new security fix for Oracle Linux.   This vulnerability is remotely exploitable without authentication,  i.e.,  may be exploited over a network without the need for a username and password.    The English text form of this Risk Matrix can be found here.

Oracle Linux Risk Matrix


            
CVE# Component Protocol Sub-
                         component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (seeRisk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
                         tication
Confiden-
                         tiality
Integrity Avail-
                         ability
CVE-2014-7169 Oracle Linux Multiple Bash Yes 10.0 Network Low None Complete Complete Complete 4,  5,  6,  7 See Note 1

Notes:

  1. The CVSS score is taken from
    http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169.
目录
相关文章
|
SQL 关系型数据库 Linux
ORACLE 告警日志alert过大的处理
  现在,对于我来说,处理ORACLE告警日志alert多大不再是什么难题;但是,由于数据库是公司最重要的设备,不容有失,处理数据库相关的进程或文件还是要特别小心。  目前,ORACLE数据库主要分widows和LINUX/UNIX版本,对于LINUX/UNIX平台,我们可以使用tail -n /path/alert*.log|more来查看,很方便;但是,windows操作平台,我们遇到如下图所示那么大个的告警日志,该怎么查看。
3100 0
|
SQL 监控 Oracle
Oracle EBS Alert 预警
Alert 是一种Oracle系统中的一种机制,它可以监视系统数据库,在规定的情况下给规定用户一个通知,通知可以是邮件或者其他形式,在标注的系统和客户化系统中都是可以定义使用的。
1261 0
|
安全 Oracle 关系型数据库
Oracle Security Alert for CVE-2014-0160
Oracle Security Alert for CVE-2014-0160 Description This Security Alert addresses CVE-2014-0160 ('Heartbleed'), a publicl...
958 0
|
Oracle 关系型数据库
Oracle 9i,10g,11g各自alert日志的位置
10g&9i的alert日志: 进入oracle: [zhangshengdong@oralocal1 ~]$ sudo su - oracle [oracle@oralocal1 ~]$ sqlplus "/as sysdba" SQL> select * from v$v...
863 0
|
1月前
|
存储 Oracle 关系型数据库
Oracle数据库的应用场景有哪些?
【10月更文挑战第15天】Oracle数据库的应用场景有哪些?
166 64
|
23天前
|
SQL Oracle 关系型数据库
Oracle数据库优化方法
【10月更文挑战第25天】Oracle数据库优化方法
30 7
|
23天前
|
Oracle 关系型数据库 数据库
oracle数据库技巧
【10月更文挑战第25天】oracle数据库技巧
25 6
|
23天前
|
存储 Oracle 关系型数据库
Oracle数据库优化策略
【10月更文挑战第25天】Oracle数据库优化策略
20 5
|
30天前
|
存储 Oracle 关系型数据库
数据库数据恢复—Oracle ASM磁盘组故障数据恢复案例
Oracle数据库数据恢复环境&故障: Oracle ASM磁盘组由4块磁盘组成。Oracle ASM磁盘组掉线 ,ASM实例不能mount。 Oracle数据库故障分析&恢复方案: 数据库数据恢复工程师对组成ASM磁盘组的磁盘进行分析。对ASM元数据进行分析发现ASM存储元数据损坏,导致磁盘组无法挂载。