개요

• Oracle Critical Patch Update(CPU)는 Oracle사의 제품을 대상으로 다수의 보안 패치를 발표하는 주요 수단임
• Oracle CPU 발표 이후, 관련 공격코드의 출현으로 인한 피해가 예상되는 바 Oracle 제품의 다중 취약점에 대한 패치를 권고함

설명

• 2014년 10월 Oracle CPU에서는 Oracle 자사 제품의 보안취약점 154개에 대한 패치를 발표함[1]
  • 원격 및 로컬 공격을 통하여 취약한 서버를 공격하는데 악용될 가능성이 있는 취약점을 포함하여 DB의 가용성 및 기밀성/무결성에 영향을 줄 수 있는 취약점 존재

영향받는 시스템

• Oracle Database 11g Release 1, version 11.1.0.7
• Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
• Oracle Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
• Oracle Application Express, versions prior to 4.2.6
• Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.7
• Oracle Fusion Middleware 11g Release 2, versions 11.1.2.1, 11.1.2.2, 11.1.2.4
• Oracle Fusion Middleware 12c, versions 12.1.1.0, 12.1.2.0, 12.1.3.0
• Oracle Fusion Applications, versions 11.1.2 through 11.1.8
• Oracle Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
• Oracle Adaptive Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
• Oracle Endeca Information Discovery Studio versions 2.2.2, 2.3, 2.4, 3.0, 3.1
• Oracle Enterprise Data Quality versions 8.1.2, 9.0.11
• Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
• Oracle JDeveloper, versions 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
• Oracle OpenSSO version 3.0-04
• Oracle WebLogic Server, versions 10.0.2, 10.3.6, 12.1.1, 12.1.2, 12.1.3
• Application Performance Management, versions prior to 12.1.0.6.2
• Enterprise Manager for Oracle Database Releases 10g, 11g, 12c
• Oracle E-Business Suite Release 11i version 11.5.10.2
• Oracle E-Business Suite Release 12 versions 12.0.4, 12.0.6, 12.1.1, 12.1.2,   12.1.3, 12.2.2, 12.2.3, 12.2.4
• Oracle Agile PLM, versions 9.3.1.2, 9.3.3
• Oracle Transportation Management, versions 6.1, 6.2, 6.3.0 through 6.3.5
• Oracle PeopleSoft Enterprise HRMS, version 9.2
• Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53, 8.54
• Oracle JD Edwards EnterpriseOne Tools, version 8.98
• Oracle Communications MetaSolv Solution, versions MetaSolv Solution: 6.2.1.0.0, LSR: 9.4.0, 10.1.0, ASR: 49.0.0
• Oracle Communications Session Border Controller, version SCX640m5
• Oracle Retail Allocation, versions 10.0, 11.0, 12.0, 13.0, 13.1, 13.2
• Oracle Retail Clearance Optimization Engine, versions 13.3, 13.4, 14.0
• Oracle Retail Invoice Matching, versions 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
• Oracle Retail Markdown Optimization, versions 12.0, 13.0, 13.1, 13.2, 13.4
• Oracle Health Sciences Empirica Inspections, versions 1.0.1.0 and prior
• Oracle Health Sciences Empirica Signal, versions 7.3.3.3 and prior
• Oracle Health Sciences Empirica Study, versions 3.1.2.0 and prior
• Oracle Primavera Contract Management, versions 13.1, 14.0
• Oracle Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.1, 8.2, 8.3
• Oracle JavaFX, version 2.2.65
• Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20
• Oracle Java SE Embedded, version 7u60
• Oracle JRockit, versions R27.8.3, R28.3.3
• Oracle Fujitsu server, versions M10-1, M10-4, M10-4S
• Oracle Solaris, versions 10, 11
• Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
• Oracle VM VirtualBox, versions prior to 4.1.34, 4.2.26, 4.3.14
• Oracle MySQL Server, versions 5.5.39 and earlier, 5.6.20 and earlier      
        ※ 영향받는 시스템의 상세 정보는 참고사이트[1]를 참조

해결방안

• 해결방안으로서 "Oracle Critical Patch Update Advisory - October 2014" 문서를 검토하고 벤더사 및 유지보수업체와 협의/검토 후 패치적용 요망[1]

기타 문의사항

• 한국인터넷진흥원 인터넷침해대응센터: 국번없이 118

[참고사이트]
[1] http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html