ID: CVE-2014-4280
Type: cve
Reporter: cve@mitre.org
Modified: 2015-11-06T15:49:00
Description
Unspecified vulnerability in Oracle Sun Solaris 11 allows local users to affect confidentiality, integrity, and availability via vectors related to IPS transfer module, a different vulnerability than CVE-2014-4284.
{"nessus": [{"lastseen": "2021-01-17T14:01:45", "description": "This Solaris system is missing necessary patches to address critical\nsecurity updates :\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: SMB server kernel\n module). The supported version that is affected is 11.\n Easily exploitable vulnerability requiring logon to\n Operating System. Successful attack of this\n vulnerability can result in unauthorized Operating\n System hang or frequently repeatable crash (complete\n DOS). (CVE-2014-4275)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Common Internet\n File System(CIFS)). The supported version that is\n affected is 11. Easily exploitable vulnerability allows\n successful unauthenticated network attacks via CIFS.\n Successful attack of this vulnerability can result in\n unauthorized update, insert or delete access to some\n Solaris accessible data as well as read access to a\n subset of Solaris accessible data and ability to cause a\n partial denial of service (partial DOS) of Solaris.\n (CVE-2014-4276)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Automated Install\n Engine). The supported version that is affected is 11.\n Easily exploitable vulnerability allows successful\n unauthenticated network attacks via HTTP. Successful\n attack of this vulnerability can result in unauthorized\n read access to a subset of Solaris accessible data.\n (CVE-2014-4277)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: IPS transfer\n module). The supported version that is affected is 11.\n Easily exploitable vulnerability requiring logon to\n Operating System. 
Successful attack of this\n vulnerability can result in unauthorized update, insert\n or delete access to some Solaris accessible data as well\n as read access to a subset of Solaris accessible data\n and ability to cause a partial denial of service\n (partial DOS) of Solaris. (CVE-2014-4280)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Automated Install\n Engine). The supported version that is affected is 11.\n Difficult to exploit vulnerability allows successful\n unauthenticated network attacks via SSL/TLS. Successful\n attack of this vulnerability can result in unauthorized\n read access to a subset of Solaris accessible data.\n (CVE-2014-4283)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Kernel/X86). The\n supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System. Successful attack of this vulnerability can\n result in unauthorized Operating System takeover\n including arbitrary code execution. (CVE-2014-4282)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: IPS transfer\n module). The supported version that is affected is 11.\n Difficult to exploit vulnerability requiring logon to\n Operating System. Successful attack of this\n vulnerability can result in unauthorized update, insert\n or delete access to some Solaris accessible data as well\n as read access to a subset of Solaris accessible data\n and ability to cause a partial denial of service\n (partial DOS) of Solaris. (CVE-2014-4284)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Archive Utility).\n The supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System plus additional login/authentication to component\n or subcomponent. 
Successful attack of this vulnerability\n can escalate attacker privileges resulting in\n unauthorized Operating System takeover including\n arbitrary code execution. (CVE-2014-6470)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Zone Framework).\n Supported versions that are affected are 10 and 11.\n Easily exploitable vulnerability requiring logon to\n Operating System. Successful attack of this\n vulnerability can result in unauthorized Operating\n System takeover including arbitrary code execution.\n Note: For Solaris 10, it only applies to SPARC systems\n with Solaris 8 and Solaris 9 branded zones.\n (CVE-2014-6473)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: SMB server user\n component). The supported version that is affected is\n 11. Easily exploitable vulnerability allows successful\n unauthenticated network attacks via SMB. Successful\n attack of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial\n DOS) of Solaris. (CVE-2014-6490)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Kernel). The\n supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System. Successful attack of this vulnerability can\n result in unauthorized Operating System hang or\n frequently repeatable crash (complete DOS).\n (CVE-2014-6497)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: SSH). The\n supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System. Successful attack of this vulnerability can\n result in unauthorized read access to a subset of\n Solaris accessible data. (CVE-2014-6501)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Hermon HCA PCIe\n driver). 
The supported version that is affected is 11.\n Very difficult to exploit vulnerability allows\n successful unauthenticated network attacks via None, but\n can only be launched from an adjacent network.\n Successful attack of this vulnerability can result in\n unauthorized Operating System takeover including\n arbitrary code execution. (CVE-2014-6529)", "edition": 27, "published": "2014-10-15T00:00:00", "title": "Oracle Solaris Critical Patch Update : oct2014_11_2SRU0", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-4280", "CVE-2014-4282", "CVE-2014-6501", "CVE-2014-4284", "CVE-2014-6490", "CVE-2014-6529", "CVE-2014-6470", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-6473", "CVE-2014-4275", "CVE-2014-4283", "CVE-2014-6497"], "modified": "2014-10-15T00:00:00", "cpe": ["cpe:/o:oracle:solaris:11.2"], "id": "SOLARIS_OCT2014_11_2SRU0.NASL", "href": "https://www.tenable.com/plugins/nessus/78462", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were\n# extracted from the Oracle CPU for oct2014.\n#\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(78462);\n script_version(\"1.15\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2014-4275\", \"CVE-2014-4276\", \"CVE-2014-4277\", \"CVE-2014-4280\", \"CVE-2014-4282\", \"CVE-2014-4283\", \"CVE-2014-4284\", \"CVE-2014-6470\", \"CVE-2014-6473\", \"CVE-2014-6490\", \"CVE-2014-6497\", \"CVE-2014-6501\", \"CVE-2014-6529\");\n script_bugtraq_id(70503, 70509, 70513, 70520, 70539, 70543, 70546, 70551, 70557, 70559, 70561, 70563);\n\n script_name(english:\"Oracle Solaris Critical Patch Update : oct2014_11_2SRU0\");\n script_summary(english:\"Check for the oct2014 CPU\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Solaris system is missing a security patch from CPU\noct2014.\"\n );\n 
script_set_attribute(\n attribute:\"description\", \n value:\n\"This Solaris system is missing necessary patches to address critical\nsecurity updates :\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: SMB server kernel\n module). The supported version that is affected is 11.\n Easily exploitable vulnerability requiring logon to\n Operating System. Successful attack of this\n vulnerability can result in unauthorized Operating\n System hang or frequently repeatable crash (complete\n DOS). (CVE-2014-4275)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Common Internet\n File System(CIFS)). The supported version that is\n affected is 11. Easily exploitable vulnerability allows\n successful unauthenticated network attacks via CIFS.\n Successful attack of this vulnerability can result in\n unauthorized update, insert or delete access to some\n Solaris accessible data as well as read access to a\n subset of Solaris accessible data and ability to cause a\n partial denial of service (partial DOS) of Solaris.\n (CVE-2014-4276)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Automated Install\n Engine). The supported version that is affected is 11.\n Easily exploitable vulnerability allows successful\n unauthenticated network attacks via HTTP. Successful\n attack of this vulnerability can result in unauthorized\n read access to a subset of Solaris accessible data.\n (CVE-2014-4277)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: IPS transfer\n module). The supported version that is affected is 11.\n Easily exploitable vulnerability requiring logon to\n Operating System. 
Successful attack of this\n vulnerability can result in unauthorized update, insert\n or delete access to some Solaris accessible data as well\n as read access to a subset of Solaris accessible data\n and ability to cause a partial denial of service\n (partial DOS) of Solaris. (CVE-2014-4280)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Automated Install\n Engine). The supported version that is affected is 11.\n Difficult to exploit vulnerability allows successful\n unauthenticated network attacks via SSL/TLS. Successful\n attack of this vulnerability can result in unauthorized\n read access to a subset of Solaris accessible data.\n (CVE-2014-4283)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Kernel/X86). The\n supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System. Successful attack of this vulnerability can\n result in unauthorized Operating System takeover\n including arbitrary code execution. (CVE-2014-4282)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: IPS transfer\n module). The supported version that is affected is 11.\n Difficult to exploit vulnerability requiring logon to\n Operating System. Successful attack of this\n vulnerability can result in unauthorized update, insert\n or delete access to some Solaris accessible data as well\n as read access to a subset of Solaris accessible data\n and ability to cause a partial denial of service\n (partial DOS) of Solaris. (CVE-2014-4284)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Archive Utility).\n The supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System plus additional login/authentication to component\n or subcomponent. 
Successful attack of this vulnerability\n can escalate attacker privileges resulting in\n unauthorized Operating System takeover including\n arbitrary code execution. (CVE-2014-6470)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Zone Framework).\n Supported versions that are affected are 10 and 11.\n Easily exploitable vulnerability requiring logon to\n Operating System. Successful attack of this\n vulnerability can result in unauthorized Operating\n System takeover including arbitrary code execution.\n Note: For Solaris 10, it only applies to SPARC systems\n with Solaris 8 and Solaris 9 branded zones.\n (CVE-2014-6473)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: SMB server user\n component). The supported version that is affected is\n 11. Easily exploitable vulnerability allows successful\n unauthenticated network attacks via SMB. Successful\n attack of this vulnerability can result in unauthorized\n ability to cause a partial denial of service (partial\n DOS) of Solaris. (CVE-2014-6490)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Kernel). The\n supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System. Successful attack of this vulnerability can\n result in unauthorized Operating System hang or\n frequently repeatable crash (complete DOS).\n (CVE-2014-6497)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: SSH). The\n supported version that is affected is 11. Easily\n exploitable vulnerability requiring logon to Operating\n System. Successful attack of this vulnerability can\n result in unauthorized read access to a subset of\n Solaris accessible data. (CVE-2014-6501)\n\n - Vulnerability in the Solaris component of Oracle Sun\n Systems Products Suite (subcomponent: Hermon HCA PCIe\n driver). 
The supported version that is affected is 11.\n Very difficult to exploit vulnerability allows\n successful unauthenticated network attacks via None, but\n can only be launched from an adjacent network.\n Successful attack of this vulnerability can result in\n unauthorized Operating System takeover including\n arbitrary code execution. (CVE-2014-6529)\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://support.oracle.com/epmos/faces/DocumentDisplay?id=1931712.1\"\n );\n # https://www.oracle.com/ocom/groups/public/@otn/documents/webcontent/2292506.xml\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?18981068\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Install the oct2014 CPU from the Oracle support website.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"false\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:oracle:solaris:11.2\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2014/11/21\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2014/10/15\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2014-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Solaris Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Solaris11/release\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"solaris.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/Solaris11/release\");\nif (isnull(release)) audit(AUDIT_OS_NOT, \"Solaris11\");\n\n\nfix_release = \"0.5.11-0.175.2.0.0.0.0\";\n\nflag = 0;\n\nif (solaris_check_release(release:\"0.5.11-0.175.2.0.0.0.0\", sru:\"S11.2\") > 0) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report2());\n else security_hole(0);\n exit(0);\n}\naudit(AUDIT_OS_RELEASE_NOT, \"Solaris\", fix_release, release);\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:09:57", "bulletinFamily": "software", "cvelist": ["CVE-2014-6495", "CVE-2014-6506", "CVE-2014-6500", "CVE-2014-2478", "CVE-2014-6564", "CVE-2014-6482", "CVE-2014-6536", "CVE-2014-6544", "CVE-2014-6558", "CVE-2014-6516", "CVE-2014-6560", "CVE-2014-6530", "CVE-2014-6505", "CVE-2014-4301", "CVE-2014-6463", "CVE-2014-6515", "CVE-2014-6460", "CVE-2014-6554", "CVE-2014-6539", "CVE-2014-4292", "CVE-2014-6487", "CVE-2014-6538", "CVE-2014-6493", "CVE-2014-4280", "CVE-2014-6488", "CVE-2014-4282", "CVE-2014-6519", "CVE-2014-2472", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6471", "CVE-2014-6501", "CVE-2014-6504", "CVE-2014-6534", "CVE-2014-6455", "CVE-2014-6459", "CVE-2014-6502", "CVE-2014-6472", "CVE-2014-0224", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-4284", "CVE-2014-6484", "CVE-2014-6476", "CVE-2014-6479", "CVE-2014-6535", "CVE-2014-6507", "CVE-2014-6503", "CVE-2014-6490", "CVE-2014-6557", "CVE-2014-6542", "CVE-2014-6454", "CVE-2014-4295", "CVE-2014-4291", "CVE-2014-6469", "CVE-2014-4278", 
"CVE-2014-6537", "CVE-2014-6486", "CVE-2014-6496", "CVE-2013-1741", "CVE-2014-6555", "CVE-2014-2476", "CVE-2014-6529", "CVE-2014-6562", "CVE-2014-4293", "CVE-2014-6511", "CVE-2014-6475", "CVE-2014-6485", "CVE-2014-6559", "CVE-2014-6470", "CVE-2014-4274", "CVE-2014-4294", "CVE-2014-6531", "CVE-2014-0119", "CVE-2014-6456", "CVE-2014-6547", "CVE-2014-2880", "CVE-2014-0114", "CVE-2014-4310", "CVE-2014-6543", "CVE-2014-6464", "CVE-2014-6468", "CVE-2014-4297", "CVE-2014-0050", "CVE-2014-6520", "CVE-2014-6551", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-6533", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-4288", "CVE-2014-6550", "CVE-2014-4296", "CVE-2014-4290", "CVE-2014-6478", "CVE-2014-6553", "CVE-2014-6483", "CVE-2014-6473", "CVE-2014-2475", "CVE-2014-4300", "CVE-2014-6546", "CVE-2014-6465", "CVE-2014-4299", "CVE-2014-6491", "CVE-2014-6508", "CVE-2014-4289", "CVE-2014-6453", "CVE-2014-2473", "CVE-2014-4285", "CVE-2014-6522", "CVE-2012-5615", "CVE-2014-6467", "CVE-2014-6523", "CVE-2014-6452", "CVE-2014-6513", "CVE-2014-6474", "CVE-2014-6489", "CVE-2014-2474", "CVE-2014-6563", "CVE-2014-6545", "CVE-2014-4281", "CVE-2014-4275", "CVE-2014-4287", "CVE-2014-6552", "CVE-2014-6540", "CVE-2014-6494", "CVE-2014-6461", "CVE-2014-4283", "CVE-2014-6527", "CVE-2014-6462", "CVE-2014-6561", "CVE-2014-4298", "CVE-2014-6499", "CVE-2014-6512", "CVE-2014-6498", "CVE-2014-6497"], "description": "Quarterly update covers 138 different vulnerabilities.", "edition": 1, "modified": "2014-11-03T00:00:00", "published": "2014-11-03T00:00:00", "id": "SECURITYVULNS:VULN:14031", "href": "https://vulners.com/securityvulns/SECURITYVULNS:VULN:14031", "title": "Oracle / Sun / PeopleSoft / MySQL multiple security vulnerabilities", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "oracle": [{"lastseen": "2019-05-29T18:21:14", "bulletinFamily": "software", "cvelist": ["CVE-2014-6495", "CVE-2014-6506", "CVE-2014-6500", 
"CVE-2014-2478", "CVE-2014-6564", "CVE-2014-6482", "CVE-2014-6536", "CVE-2014-6544", "CVE-2014-6558", "CVE-2014-6516", "CVE-2014-6560", "CVE-2014-6530", "CVE-2014-6505", "CVE-2014-4301", "CVE-2014-6463", "CVE-2014-6515", "CVE-2014-6460", "CVE-2014-6554", "CVE-2014-6539", "CVE-2014-4292", "CVE-2014-6487", "CVE-2014-6538", "CVE-2014-6493", "CVE-2014-4280", "CVE-2014-6488", "CVE-2014-4282", "CVE-2014-6519", "CVE-2014-2472", "CVE-2014-6466", "CVE-2014-6517", "CVE-2014-6471", "CVE-2014-6501", "CVE-2014-6504", "CVE-2014-6534", "CVE-2014-6455", "CVE-2014-6459", "CVE-2014-6502", "CVE-2014-7169", "CVE-2013-5605", "CVE-2014-6472", "CVE-2014-0224", "CVE-2014-6492", "CVE-2014-6457", "CVE-2014-4284", "CVE-2014-6484", "CVE-2014-6476", "CVE-2014-6479", "CVE-2014-6535", "CVE-2014-6507", "CVE-2014-6503", "CVE-2014-6490", "CVE-2014-6557", "CVE-2014-6542", "CVE-2014-6454", "CVE-2014-4295", "CVE-2014-4291", "CVE-2014-6469", "CVE-2014-4278", "CVE-2014-6537", "CVE-2014-6486", "CVE-2014-6496", "CVE-2013-1741", "CVE-2014-6555", "CVE-2014-2476", "CVE-2014-6529", "CVE-2014-6562", "CVE-2013-1740", "CVE-2014-4293", "CVE-2014-6511", "CVE-2014-3470", "CVE-2013-1739", "CVE-2014-6475", "CVE-2014-6485", "CVE-2014-6559", "CVE-2014-6470", "CVE-2014-4274", "CVE-2014-4294", "CVE-2014-6531", "CVE-2014-0119", "CVE-2014-1492", "CVE-2014-6456", "CVE-2014-6547", "CVE-2014-2880", "CVE-2013-5606", "CVE-2014-0114", "CVE-2014-4310", "CVE-2014-6543", "CVE-2014-6464", "CVE-2014-6468", "CVE-2014-4297", "CVE-2013-4322", "CVE-2014-0050", "CVE-2014-6520", "CVE-2014-6551", "CVE-2014-1490", "CVE-2010-5298", "CVE-2013-4286", "CVE-2014-6458", "CVE-2014-6532", "CVE-2014-6533", "CVE-2014-4276", "CVE-2014-4277", "CVE-2014-4288", "CVE-2014-6550", "CVE-2014-0195", "CVE-2014-4296", "CVE-2014-0198", "CVE-2013-4590", "CVE-2014-4290", "CVE-2014-6478", "CVE-2014-6553", "CVE-2014-6483", "CVE-2014-6473", "CVE-2014-0096", "CVE-2014-2475", "CVE-2014-4300", "CVE-2014-0075", "CVE-2014-6546", "CVE-2014-6465", "CVE-2014-4299", 
"CVE-2014-6491", "CVE-2014-6508", "CVE-2014-4289", "CVE-2014-6453", "CVE-2014-2473", "CVE-2014-4285", "CVE-2014-6522", "CVE-2014-0033", "CVE-2012-5615", "CVE-2014-6467", "CVE-2014-6523", "CVE-2014-6452", "CVE-2014-0095", "CVE-2014-6513", "CVE-2014-6474", "CVE-2014-1491", "CVE-2014-6489", "CVE-2014-2474", "CVE-2014-6563", "CVE-2014-6545", "CVE-2014-4281", "CVE-2014-4275", "CVE-2014-4287", "CVE-2014-6477", "CVE-2014-6552", "CVE-2014-6540", "CVE-2014-6494", "CVE-2014-6461", "CVE-2014-4283", "CVE-2014-6527", "CVE-2014-6462", "CVE-2014-6561", "CVE-2014-4298", "CVE-2014-6499", "CVE-2014-6512", "CVE-2014-0221", "CVE-2014-6498", "CVE-2014-6497"], "description": "A Critical Patch Update (CPU) is a collection of patches for multiple security vulnerabilities. Critical Patch Update patches are usually cumulative, but each advisory describes only the security fixes added since the previous Critical Patch Update advisory. Thus, prior Critical Patch Update advisories should be reviewed for information regarding earlier published security fixes. Please refer to:\n\n[Critical Patch Updates and Security Alerts](<http://www.oracle.com/technetwork/topics/security/alerts-086861.html>) for information about Oracle Security Advisories.\n\n**Oracle has received specific reports of malicious exploitation of vulnerabilities for which Oracle has already released fixes. In some instances, it has been reported that malicious attackers have been successful because customers had failed to apply these Oracle patches. 
Oracle therefore _strongly_ recommends that customers remain on actively-supported versions and apply Critical Patch Update fixes _without_ delay.**\n\nOracle acknowledges Dana Taylor of netinfiltration.com for bringing to Oracle's attention a number of sites that were vulnerable to disclosure of sensitive information because Oracle CPU fixes were not applied to those sites for more than a year.\n\nThis Critical Patch Update contains 154 new security fixes across the product families listed below. Please note that a blog entry summarizing the content of this Critical Patch Update and other Oracle Software Security Assurance activities is located at <https://blogs.oracle.com/security>.\n\nPlease note that on September 26, 2014, Oracle released a [Security Alert for CVE-2014-7169 \"Bash\"](<http://www.oracle.com/technetwork/topics/security/alert-cve-2014-7169-2303276.html>) and other publicly disclosed vulnerabilities affecting GNU Bash. Customers of affected Oracle products are strongly advised to apply the fixes that were announced in the Security Alert for CVE-2014-7169.\n\nThis Critical Patch Update advisory is also available in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1. More information about Oracle's use of CVRF is available at: <http://www.oracle.com/technetwork/topics/security/cpufaq-098434.html#CVRF>.\n", "modified": "2014-11-21T00:00:00", "published": "2014-10-14T00:00:00", "id": "ORACLE:CPUOCT2014-1972960", "href": "", "type": "oracle", "title": "Oracle Critical Patch Update - October 2014", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}]}