Sunday Jan 13, 2013

Security Alert for CVE-2013-0422 Released

Hi, this is Eric Maurice again.

Oracle has just released Security Alert CVE-2013-0422 to address two vulnerabilities affecting Java in web browsers.  These vulnerabilities do not affect Java on servers, Java desktop applications, or embedded Java.  The vulnerabilities addressed with this Security Alert are CVE-2013-0422 and CVE-2012-3174.  These vulnerabilities, which only affect Oracle Java 7 versions, are both remotely exploitable without authentication and have received a CVSS Base Score of 10.0.  Oracle recommends that this Security Alert be applied as soon as possible because these issues may be exploited “in the wild” and some exploits are available in various hacking tools.

The exploit conditions for these vulnerabilities are the same.  To be successfully exploited, an attacker needs to trick an unsuspecting user into browsing a malicious website.  The execution of the malicious applet within the browser of the unsuspecting users then allows the attacker to execute arbitrary code in the vulnerable system.  These vulnerabilities are applicable only to Java in web browsers because they are exploitable through malicious browser applets. 

With this Security Alert, and in addition to the fixes for CVE-2013-0422 and CVE-2012-3174, Oracle is switching Java security settings to “high” by default.  The high security setting requires users to expressly authorize the execution of applets which are either unsigned or are self-signed.  As a result, unsuspecting users visiting malicious web sites will be notified before an applet is run and will gain the ability to deny the execution of the potentially malicious applet.  Note also that Java SE 7 Update 10 introduced the ability for users to easily disable Java in their browsers through the Java Control Panel.

Tuesday Oct 16, 2012

October 2012 Critical Patch Update and Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle has just released the October 2012 Critical Patch Update and the October 2012 Critical Patch Update for Java SE.

As a reminder, the release of security patches for Java SE continues to be on a different schedule than for other Oracle products due to commitments made to customers prior to the Oracle acquisition of Sun Microsystems.  We do however expect to ultimately bring Java SE in line with the regular Critical Patch Update schedule, thus increasing the frequency of scheduled security releases for Java SE to 4 times a year (as opposed to the current 3 yearly releases).  The schedules for the “normal” Critical Patch Update and the Critical Patch Update for Java SE are posted online on the Critical Patch Updates and Security Alerts page.

The October 2012 Critical Patch Update provides a total of 109 new security fixes across a number of product families including: Oracle Database Server, Oracle Fusion Middleware, Oracle E-Business Suite, Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle Customer Relationship Management (CRM), Oracle Industry Applications, Oracle FLEXCUBE, Oracle Sun products suite, Oracle Linux and Virtualization, and Oracle MySQL.

Out of these 109 new vulnerabilities, 5 affect Oracle Database Server.  The most severe of these Database vulnerabilities has received a CVSS Base Score of 10.0 on Windows platforms and 7.5 on Linux and Unix platforms.  This vulnerability (CVE-2012-3137) is related to the “Cryptographic flaws in Oracle Database authentication protocol” disclosed at the Ekoparty Conference.  Because of timing considerations (proximity to the release date of the October 2012 Critical Patch Update) and the need to extensively test the fixes for this vulnerability to ensure compatibility across the products stack, the fixes for this vulnerability were not released through a Security Alert, but instead mitigation instructions were provided prior to the release of the fixes in this Critical Patch Update in My Oracle Support Note 1492721.1.  Because of the severity of these vulnerabilities, Oracle recommends that this Critical Patch Update be installed as soon as possible.

Another 26 vulnerabilities fixed in this Critical Patch Update affect Oracle Fusion Middleware.  The most severe of these Fusion Middleware vulnerabilities has received a CVSS Base Score of 10.0; it affects Oracle JRockit and is related to Java vulnerabilities fixed in the Critical Patch Update for Java SE. 
The Oracle Sun products suite gets 18 new security fixes with this Critical Patch Update.  Note also that Oracle MySQL has received 14 new security fixes; the most severe of these MySQL vulnerabilities has received a CVSS Base Score of 9.0.

Today’s Critical Patch Update for Java SE provides 30 new security fixes.  The most severe CVSS Base Score for these Java SE vulnerabilities is 10.0 and this score affects 10 vulnerabilities.  As usual, Oracle reports the most severe CVSS Base Score, and these CVSS 10.0s assume that the user running a Java Applet or Java Web Start application has administrator privileges (as is typical on Windows XP). However, when the user does not run with administrator privileges (as is typical on Solaris and Linux), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability are "Partial" instead of "Complete", typically lowering the CVSS Base Score to 7.5 denoting that the compromise does not extend to the underlying Operating System. 

Also, as is typical in the Critical Patch Update for Java SE, most of the vulnerabilities affect Java and Java FX client deployments only.  Only 2 of the Java SE vulnerabilities fixed in this Critical Patch Update affect client and server deployments of Java SE, and only one affects server deployments of JSSE.  This reflects the fact that Java running on servers operates in a more secure and controlled environment.  As discussed during a number of sessions at JavaOne, Oracle is considering security enhancements for Java in desktop and browser environments.

Finally, note that the Critical Patch Update for Java SE is cumulative, in other words it includes all previously released security fixes, including the fix provided through Security Alert CVE-2012-4681, which was released on August 30, 2012.


Thursday Aug 30, 2012

Security Alert for CVE-2012-4681 Released

Hi, this is Eric Maurice again!

Oracle has just released Security Alert CVE-2012-4681 to address 3 distinct but related vulnerabilities and one security-in-depth issue affecting Java running in desktop browsers.  These vulnerabilities are: CVE-2012-4681, CVE-2012-1682, CVE-2012-3136, and CVE-2012-0547.  These vulnerabilities are not applicable to standalone Java desktop applications or Java running on servers, i.e. these vulnerabilities do not affect any Oracle server based software.

Vulnerabilities CVE-2012-4681, CVE-2012-1682, and CVE-2012-3136 have each received a CVSS Base Score of 10.0.  This score assumes that the affected users have administrative privileges, as is typical in Windows XP.  Vulnerability CVE-2012-0547 has received a CVSS Base Score of 0.0 because this vulnerability is not directly exploitable in typical user deployments, but Oracle has issued a security-in-depth fix for this issue as it can be used in conjunction with other vulnerabilities to significantly increase the overall impact of a successful exploit.

If successfully exploited, these vulnerabilities can provide a malicious attacker the ability to plant discretionary binaries onto the compromised system, e.g. the vulnerabilities can be exploited to install malware, including Trojans, onto the targeted system.  Note that this malware may in some instances be detected by current antivirus signatures upon its installation. 

Due to the high severity of these vulnerabilities, Oracle recommends that customers apply this Security Alert as soon as possible.  Furthermore, note that the technical details of these vulnerabilities are widely available on the Internet and Oracle has received external reports that these vulnerabilities are being actively exploited in the wild.   


Friday Aug 10, 2012

Security Alert CVE-2012-3132 Released

Hi, this is Eric Maurice.

Oracle today released Security Alert CVE-2012-3132 to address a vulnerability affecting the Oracle Database Server, which was publicly disclosed at BlackHat 2012.  With a CVSS Base Score of 6.5, this vulnerability involves the ‘INDEXTYPE CTXSYS.CONTEXT’, and if successfully exploited, can allow a malicious attacker to gain ‘SYS’ privileges.  This vulnerability does not affect 11gR2 databases which have applied the July 2012 Critical Patch Update.  Note that this vulnerability is not remotely exploitable without authentication, in other words, the attacker needs to have credentials and specific privileges, including the ‘Create Table’ privilege, in order to create the exploit conditions.  Oracle recommends that organizations apply this Security Alert as soon as possible because the technical details of this vulnerability have been very widely disclosed and one can easily find sample exploit code over the Internet.

As much as possible, it is important that organizations use the most current product versions available to them.  As stated in each Critical Patch Update and Security Alert Advisory, Oracle does not generally test for the presence of the vulnerabilities fixed through the Critical Patch Update and Security Alert programs in releases of affected product lines that are no longer supported.  However, it is likely that these vulnerabilities exist in previously released, but no longer supported releases of the affected products.  In a previous blog entry, I discussed Oracle’s security fixing policies, and recommended that customers remain on current releases in order to take advantage of Oracle’s ongoing security assurance effort.  This Security Alert, along with all recently released Critical Patch Updates, is an example of the importance of keeping up with newer and actively supported releases.  Customers on unsupported versions, unless they have purchased Extended Support under the Lifetime Support Policy, will not receive a permanent fix for the release they are running. 

It is unfortunate when the technical details of a security vulnerability are disclosed before a fix could be made available, especially when the disruption resulting from having to deal with an unplanned patch, and the amount of time required by customers to apply the patch, may yield less of a security posture improvement than other security efforts, such as ongoing hardening and auditing. 

For more information:

The Security Alerts and Critical Patch Updates page is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

The Advisory for Security Alert CVE-2012-3132 is located at www.oracle.com/technetwork/topics/security/alert-cve-2012-3132-1721017.html

The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html

The blog entry “Take Advantage of Oracle's Ongoing Assurance Effort!” is located at https://blogs.oracle.com/security/entry/take_advantage_of_oracles_ongo

The blog entry “Keeping Up With Newer Releases is Good Security Practice” is located at https://blogs.oracle.com/security/entry/keeping_up_with_newer_releases

 

 

Friday Jul 20, 2012

Use of the Common Vulnerability Reporting Format (CVRF) for Oracle’s Security Advisories

Hi, this is Reshma Banerjee. I am a member of the Security Alerts group within the Global Product Security Team at Oracle. My primary responsibilities include working with security researchers on the vulnerabilities they report to Oracle and engaging with the various engineering organizations at Oracle to ensure timely delivery of security fixes in the Critical Patch Updates and Security Alerts.

As announced in a previous blog entry, starting with the July 2012 Critical Patch Update, Oracle will be producing the security advisory in an XML format that conforms to Common Vulnerability Reporting Format (CVRF version 1.1). Of course, Oracle will also continue to produce its Security Alert and Critical Patch Update advisories using the existing format (As a reminder, all Security Alert and Critical Patch Update Advisories are published at http://www.oracle.com/technetwork/topics/security/alerts-086861.html).

The Common Vulnerability Reporting Framework is an XML-based standard that enables sharing of vulnerability information in a machine-readable format. Originally derived from the Internet Engineering Task Force (IETF) draft Incident Object Description Exchange Format (IODEF), this format was then developed by the Industry Consortium for Advancement of Security on the Internet (ICASI). ICASI is a non-profit forum which enables industry collaboration for the development of security solutions and practices to address global security challenges. Oracle is a member of ICASI.

CVRF is a good example of a useful work-product that can come out of such a pragmatic forum of security-dedicated organizations. It provides an XML format that may be used by any vendor to publish relevant information pertaining to vulnerabilities. This includes, among other useful information, the CVE# to identify a vulnerability, the CVSS score to rate the relative severity of a vulnerability, affected products and versions, and mitigation instructions. We believe that CVRF will help customers with diverse IT environments be more efficient in assessing and processing security vulnerability advisories from different IT vendors. Having been personally involved with CVRF since the summer of 2009, I believe CVRF provides two key benefits:

(1) It provides a consistent way to depict security information thus simplifying the interpretation of the advisories, and

(2) It provides a machine-readable format for the interpretation of security advisories, thus allowing automation (and integration of the advisories in, for example, vulnerability scanning tools).

In the absence of a common security advisory format, IT industry vendors publish their security advisories and bulletins using their own proprietary formats. Most organizations have to contend with heterogeneous IT infrastructure and therefore need to deal with multiple vendors. Consequently, security-conscious organizations need to deal with interpreting security advisories from multiple vendors. While security advisories from the various IT vendors may include similar information, the differences in format and terminology cause, at best, customers to waste a lot of time interpreting security advisories, and at worst, these differences create confusion and errors as a result of the different terminology being used. To a large extent, this problem is similar to the problem that existed with the identification of individual vulnerabilities prior to the wide adoption of the Common Vulnerability and Exposures number (CVE #).

As IT vendors adopt CVRF, and use it in their security advisories and bulletins, it will become much easier for customers to interpret relevant security information. In addition, customers will be able to more easily write their own automation tools to get the pertinent information from the various advisories without having to cope with multiple formats. Customers will also be able to write tools to automate the action to be taken if they find information in the advisories that affects them. Oracle plans to continue contributing to the CVRF working group and providing CVRF advisories with future Critical Patch Updates and Security Alerts.
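The kind of customer-side automation described above, as an added example that is not Oracle's or ICASI's code: it reads a CVRF 1.1 document and lists the vulnerabilities that touch products in a local inventory. The namespace URIs and element names follow the CVRF 1.1 schema as understood here (verify against the feed you consume); the sample advisory, product names and `CVE-0000-…` identifiers are constructed placeholders.

```python
import xml.etree.ElementTree as ET

# CVRF 1.1 namespaces (assumption: check them against the vendor's actual file).
NS = {
    "prod": "http://www.icasi.org/CVRF/schema/prod/1.1",
    "vuln": "http://www.icasi.org/CVRF/schema/vuln/1.1",
}

# Constructed sample advisory, not a real vendor document.
SAMPLE_CVRF = b"""<?xml version="1.0" encoding="UTF-8"?>
<cvrfdoc xmlns="http://www.icasi.org/CVRF/schema/cvrf/1.1">
  <DocumentTitle>Example Vendor Advisory (constructed)</DocumentTitle>
  <ProductTree xmlns="http://www.icasi.org/CVRF/schema/prod/1.1">
    <FullProductName ProductID="P-1">Example DB Server 11.2</FullProductName>
    <FullProductName ProductID="P-2">Example App Server 10.3</FullProductName>
  </ProductTree>
  <Vulnerability Ordinal="1" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <CVE>CVE-0000-0001</CVE>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>P-1</ProductID></Status>
    </ProductStatuses>
    <CVSSScoreSets><ScoreSet>
      <BaseScore>7.5</BaseScore><Vector>AV:N/AC:L/Au:N/C:P/I:P/A:P</Vector>
    </ScoreSet></CVSSScoreSets>
  </Vulnerability>
  <Vulnerability Ordinal="2" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <CVE>CVE-0000-0002</CVE>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>P-2</ProductID></Status>
    </ProductStatuses>
    <CVSSScoreSets><ScoreSet>
      <BaseScore>10.0</BaseScore><Vector>AV:N/AC:L/Au:N/C:C/I:C/A:C</Vector>
    </ScoreSet></CVSSScoreSets>
  </Vulnerability>
  <Vulnerability Ordinal="3" xmlns="http://www.icasi.org/CVRF/schema/vuln/1.1">
    <CVE>CVE-0000-0003</CVE>
    <ProductStatuses>
      <Status Type="Known Affected"><ProductID>P-1</ProductID><ProductID>P-2</ProductID></Status>
    </ProductStatuses>
  </Vulnerability>
</cvrfdoc>"""


def parse_cvrf(data: bytes) -> list:
    """Return one dict per vulnerability: cve, score, vector, affected product names."""
    # Advisories arrive over the network: refuse DTDs and entity declarations
    # outright (coarse guard) instead of letting the parser expand them.
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        raise ValueError("DTD/entity declarations are not accepted in advisories")
    root = ET.fromstring(data)
    products = {p.get("ProductID"): (p.text or "").strip()
                for p in root.iterfind(".//prod:FullProductName", NS)}
    findings = []
    for v in root.iterfind("vuln:Vulnerability", NS):
        affected = []
        for status in v.iterfind("vuln:ProductStatuses/vuln:Status", NS):
            if status.get("Type") != "Known Affected":
                continue
            for pid in status.iterfind("vuln:ProductID", NS):
                key = (pid.text or "").strip()
                affected.append(products.get(key, key))  # fall back to the raw ID
        score, vector = None, None
        for s in v.iterfind("vuln:CVSSScoreSets/vuln:ScoreSet", NS):
            try:
                candidate = float(s.findtext("vuln:BaseScore", default="", namespaces=NS))
            except ValueError:
                continue  # missing or malformed score: leave it unscored
            if score is None or candidate > score:  # report the most severe set
                score = candidate
                vector = s.findtext("vuln:Vector", default=None, namespaces=NS)
        findings.append({
            "cve": v.findtext("vuln:CVE", default="", namespaces=NS).strip(),
            "score": score, "vector": vector, "affected": affected,
        })
    return findings


def triage(findings: list, inventory: set, min_score: float) -> list:
    """CVE ids hitting the inventory; unscored entries are kept for manual review."""
    hits = [f for f in findings
            if inventory.intersection(f["affected"])
            and (f["score"] is None or f["score"] >= min_score)]
    hits.sort(key=lambda f: (f["score"] is not None, -(f["score"] or 0.0)))
    return [f["cve"] for f in hits]


if __name__ == "__main__":
    print(triage(parse_cvrf(SAMPLE_CVRF), {"Example DB Server 11.2"}, 7.0))
```

Unscored entries sort first so that an advisory missing its CVSS data is reviewed by a person rather than silently dropped.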

For more Information:

ICASI’s web site is located at http://www.icasi.org/

More information on CVRF 1.1 is located at http://www.icasi.org/cvrf-1.1

Tuesday Jul 17, 2012

July 2012 Critical Patch Update Released

Hi, this is Eric Maurice again.

Oracle has just released the July 2012 Critical Patch Update.  This Critical Patch Update delivers a total of 87 new fixes across a number of product families including: Oracle Database, Oracle Application Express, Oracle Secure Backup, Oracle Fusion Middleware, Oracle Enterprise Manager, Oracle Applications, and the Oracle Sun product suites.

For the first time, in addition to the usual advisories, Oracle is producing the Critical Patch Update advisory in an XML format that conforms to the Common Vulnerability Reporting Format (CVRF) version 1.1.  CVRF is an XML language intended for the sharing of security-related information in a machine-readable fashion.  This format has been designed by the Industry Consortium for Advancement of Security on the Internet (ICASI), of which Oracle is a member.  In a future blog post, we will discuss CVRF in more detail, particularly to highlight its benefit as a means to enable the sharing of vulnerability-related information in a way that can be interpreted by a wide range of systems.

Out of these 87 new security fixes, 4 are for the Oracle Database.  The highest CVSS Base Score for these database vulnerabilities is 5.0.  3 of these 4 vulnerabilities are remotely exploitable without authentication; however 2 of these vulnerabilities affect the Database on the Windows platform only. 

In addition, this Critical Patch Update includes 1 fix for the Oracle Application Express Listener, 2 new fixes for Oracle Secure Backup, and 1 new fix for Oracle Enterprise Manager. 

With this Critical Patch Update, Oracle Fusion Middleware receives 22 new fixes.  The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0, but this score affects a series of Java Runtime Environment issues in JRockit.  These Java SE fixes were previously released in the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update also includes a new security fix for Oracle Hyperion.

This Critical Patch Update provides the following applications security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 9 for Oracle PeopleSoft Enterprise, 7 for Oracle Siebel CRM, and 1 for Oracle Life Sciences.

Finally, the Oracle Sun product suites receive 24 new security fixes, and MySQL gets 6 new security fixes.  The highest CVSS Base Score for the Sun product suites vulnerabilities is 7.8.

As usual, Oracle recommends that customers apply this Critical Patch Update as soon as possible.  This is particularly important as our experience has shown that potentially malicious hackers comb through vendors’ advisories and often attempt to reverse-engineer the fixes contained in them to develop new exploits. 

Customers seeking recommendations for applying the Critical Patch Update should refer to the “Recommendations for leveraging the Critical Patch Update and maintaining a proper security posture” white paper available on Oracle’s web site.  In addition, customers are encouraged to take advantage of the broad range of resources, tools, and best practices available on My Oracle Support.

For more information:

• The Oracle Software Security Assurance web site is located at http://www.oracle.com/us/support/assurance/index.html

• The July 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/alerts-086861.html

• Information about Oracle Support resources, tools, and best practices is available at http://www.oracle.com/us/support/best-practices/overview/index.html

 

 

Tuesday Jun 12, 2012

June 2012 Critical Patch Update for Java SE Released

Hi, this is Eric Maurice.

Oracle just released the June 2012 Critical Patch Update for Java SE.  This Critical Patch Update provides 14 new security fixes across Java SE products.  As discussed in previous blog entries, Critical Patch Updates for Java SE will, for the foreseeable future, continue to be released on a separate schedule than that of other Oracle products due to previous commitments made to Java customers. 

12 of the 14 Java SE vulnerabilities fixed in this Critical Patch Update may be remotely exploitable without authentication.  6 of these vulnerabilities have a CVSS Base Score of 10.0.  In accordance with Oracle’s policies, these CVSS 10 scores represent instances where a user running a Java applet or Java Web Start application has administrator privileges (as is typical on Windows XP).  When the user does not run with administrator privileges (typical on the Solaris and Linux operating systems), the corresponding CVSS impact scores for Confidentiality, Integrity, and Availability for these vulnerabilities would be "Partial" instead of "Complete", thus lowering these CVSS Base Scores to 7.5.

Due to the high severity of these vulnerabilities, Oracle recommends that customers obtain and apply these security fixes as soon as possible:

In addition, Oracle recommends removing old and unused versions of Java, as the latest version is always the recommended version: it contains the most recent enhancements, and bug and security fixes.

For more information:

• Instructions on removing older (and less secure) versions of Java can be found at http://java.com/en/download/faq/remove_olderversions.xml

• Users can verify that they’re running the most recent version of Java by visiting: http://java.com/en/download/installed.jsp

• The Advisory for the June 2012 Critical Patch Update for Java SE is located at http://www.oracle.com/technetwork/topics/security/javacpujun2012-1515912.html

Monday Apr 30, 2012

Security Alert for CVE-2012-1675 Released

Hi, this is Eric Maurice.

Oracle just released Security Alert CVE-2012-1675 to address the “TNS Listener Poison Attack” in the Oracle Database.  With a CVSS Base Score of 7.5, this vulnerability is remotely exploitable without authentication, and if successfully exploited, can result in a full compromise of the targeted Database.

In the April 2012 Critical Patch Update, Oracle provided Security-in-Depth recognition to Joxean Koret.  As stated in the Critical Patch Update advisories, “People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.”

As stated in previous blog entries, Oracle fixes vulnerabilities first in the main code line, and then tries to backport fixes through the Critical Patch Update program for exploitable vulnerabilities that were externally reported.  In certain instances, such backporting is very difficult or impossible because of the amount of code change required, or because the fix would create significant regressions, or because there is no reasonable way to automate the application of the fix (for example when user interaction is required to change configuration parameters).

Shortly after the release of the Critical Patch Update, mistakenly assuming that the issue had been backported through the CPU, Joxean Koret, the initial reporter of this vulnerability, fully disclosed its details, initially stating that it had been fixed by Oracle, then after realizing that it had not been fixed in current releases, reported the vulnerability as a “0-day.”  

As a result of this disclosure, Oracle has issued Security Alert CVE-2012-1675 to provide customers with a number of technical measures to provide effective defense against this vulnerability in all deployment scenarios.

Customers on single-node configurations (i.e., non Real Application Cluster (RAC) customers) should refer to the My Oracle Support Note titled “Using Class of Secure Transport (COST) to Restrict Instance Registration” (Doc ID 1453883.1) to limit registration to the local node and the IPC protocol through the COST (Class Of Secure Transport) feature in the listener.

RAC and Exadata customers should refer to the My Oracle Support Note “Using Class of Secure Transport (COST) to Restrict Instance Registration in Oracle RAC” (Doc ID 1340831.1) to implement similar COST restrictions. 

Note that implementing COST restrictions in RAC environments requires the use of SSL/TLS encryption.  Such network encryption features were previously only available to customers who were licensed for Oracle Advanced Security.  However, RAC customers who were previously not licensed for Oracle Advanced Security need not be concerned about a licensing restriction as Oracle has updated its licensing to allow these customers the use of these features (namely SSL and TLS) to protect themselves against vulnerability CVE-2012-1675.  In other words, Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options, and added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters.

Considering that the technical details of vulnerability CVE-2012-1675 have now widely been distributed, Oracle highly recommends that customers make the configuration changes documented in the above mentioned My Oracle Support Notes as soon as possible.  Customers should also feel free to contact Oracle Support if they have questions or concerns.


Tuesday Apr 17, 2012

April 2012 Critical Patch Update Released

Hi, this is Eric Maurice.

Oracle has just released the April 2012 Critical Patch Update. This Critical Patch Update provides 88 new security fixes across the following product families: Oracle Database Server, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite, Oracle Supply Chain Products Suite, Oracle PeopleSoft Enterprise, Oracle FLEXCUBE, Oracle Siebel Clinical Trial Management System, Oracle Primavera, Oracle Sun products suite, and Oracle MySQL.

Of the 88 new vulnerabilities, 6 directly affect Oracle Database Server. The highest CVSS Base Score for these Database Server vulnerabilities is 9.0. This Base Score affects the Oracle Spatial component on Windows platforms (on non-Windows platforms, i.e., Linux, Unix, the CVSS Base Score is 6.5). In addition, 6 Enterprise Manager Grid Control fixes may be relevant to Database Server deployments. The highest CVSS Base Score for the Enterprise Manager Grid Control vulnerabilities is 5.8; but 4 of the 6 vulnerabilities can be remotely exploitable without authentication. Therefore, Oracle highly recommends that these fixes be applied as soon as possible.

This Critical Patch Update also includes 11 new security fixes for Oracle Fusion Middleware. The highest CVSS Base Score for these Fusion Middleware vulnerabilities is 10.0 (for vulnerability CVE-2012-1695). This score affects a series of vulnerabilities in the Java Runtime Environment that are applicable to JRockit. Starting again with this Critical Patch Update, JRockit fixes will no longer be provided with the Critical Patch Update for Java SE, but be provided in “the normal” Critical Patch Update along with other Oracle Fusion Middleware fixes.

This Critical Patch Update provides the following application security fixes: 4 for Oracle E-Business Suite, 5 for Oracle Supply Chain Products Suite, 15 for Oracle PeopleSoft Enterprise, 2 for Siebel Clinical Trial Management System, 17 for Oracle FLEXCUBE, and 1 for Oracle Primavera Enterprise Project Management.

Finally, this Critical Patch Update provides 15 new security fixes for the Oracle Sun Products Suite (including Oracle Grid Engine, Oracle Glassfish Enterprise Server, Oracle Solaris, etc.) and 6 new security fixes for Oracle MySQL.

While a great amount of caution is required when analyzing the content of the Critical Patch Updates in an attempt to identify potential trends, I believe the content of this Critical Patch Update is consistent with the views expressed in previous blog entries: Oracle Software Security Assurance activities tend to result in lowering the number of exploitable security bugs in most mature product lines (that is, the product lines that have implemented Oracle secure development practices for the longest time), and as a result we see a downward trend in the number of fixes for these product lines. On the other hand, newly acquired product lines often experience a relatively large number of security fixes in the Critical Patch Updates. This is due in part to the increased visibility these products may get as a result of their acquisition by Oracle, as well as development’s access to an extended toolset (e.g., security scanning tools) and increased executive attention around security matters as a result of joining Oracle.

For More Information:

The April 2012 Critical Patch Update Advisory is located at http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

More information about Oracle Software Security Assurance is located at http://www.oracle.com/us/support/assurance/index.html

 

Thursday Mar 29, 2012

Security Alert for CVE-2011-5035 Updated

Hi, this is Eric Maurice again. 

Oracle has just updated the Security Alert for CVE-2011-5035 to announce the availability of additional fixes for products that were affected by this vulnerability through their use of the WebLogic Server and Oracle Container for J2EE components.  As explained in a previous blog entry, a number of programming language implementations and web servers were found vulnerable to hash table collision attacks.  This vulnerability is typically remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.  If successfully exploited, malicious attackers can use this vulnerability to create denial of service conditions against the targeted system.

A complete list of affected products and their versions, as well as instructions on how to obtain the fixes, are listed on the Security Alert Advisory.  Oracle highly recommends that customers apply these fixes as soon as possible.

About

This blog provides insight about key aspects of Oracle Software Security Assurance programs.
