US-CERT Technical Cyber Security Alert TA06-291A -- Oracle Updates for Multiple Vulnerabilities

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                         National Cyber Alert System

                 Technical Cyber Security Alert TA06-291A


Oracle Updates for Multiple Vulnerabilities

   Original release date: October 18, 2006
   Last revised: --
   Source: US-CERT


Systems Affected

     * Oracle10g Database
     * Oracle9i Database
     * Oracle8i Database
     * Oracle Application Express (formerly known as Oracle HTML DB)
     * Oracle Application Server 10g
     * Oracle Collaboration Suite 10g
     * Oracle9i Collaboration Suite
     * Oracle E-Business Suite Release 11i
     * Oracle E-Business Suite Release 11.0
     * Oracle Pharmaceutical Applications
     * Oracle PeopleSoft Enterprise Portal Solutions
     * Oracle PeopleSoft Enterprise PeopleTools
     * JD Edwards EnterpriseOne Tools
     * JD Edwards OneWorld Tools
     * Oracle Reports Developer client-only installations
     * Oracle Containers for J2EE client-only installations

   For more information regarding affected product versions, please see
   the Oracle Critical Patch Update - October 2006.


Overview

   Oracle has released patch to address numerous vulnerabilities in
   different Oracle products. The impacts of these vulnerabilities
   include remote execution of arbitrary code, information disclosure,
   and denial of service.


I. Description

   Oracle has released the Critical Patch Update - October 2006.
   According to Oracle, this CPU contains:

     * 22 new security fixes for the Oracle Database
     * 6 new security fixes for Oracle HTTP Server
     * 35 new security fixes for Oracle Application Express
     * 14 new security fixes for the Oracle Application Server
     * 13 new security fixes for the Oracle E-Business Suite
     * 8 new security fixes for Oracle PeopleSoft Enterprise PeopleTools
       and Enterprise Portal Solutions
     * 1 new security fix for JD Edwards EnterpriseOne
     * 1 new security fix for Oracle Pharmaceutical Applications

   Many Oracle products include or share code with other vulnerable
   Oracle products and components. Therefore, one vulnerability may
   affect multiple Oracle products and components. For example, the
   October 2006 CPU does not contain any fixes specifically for Oracle
   Collaboration Suite. However, Oracle Collaboration Suite is affected
   by vulnerabilities in Oracle Database and Oracle Application Server,
   so sites running Oracle Collaboration suite should install fixes for
   Oracle Database and Oracle Application Server. Refer to the October
   2006 CPU for details regarding which vulnerabilities affect specific
   Oracle products and components.

   For a list of publicly known vulnerabilities addressed in the October
   2006 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
   The October 2006 CPU does not associate Vuln# identifiers (e.g., DB01)
   with other available information, even in the Map of Public
   Vulnerability to Advisory/Alert document. As more details about
   vulnerabilities and remediation strategies become available, we will
   update the individual vulnerability notes.


II. Impact

   The impact of these vulnerabilities varies depending on the product,
   component, and configuration of the system. Potential consequences
   include remote execution of arbitrary code or commands, sensitive
   information disclosure, and denial of service. Vulnerable components
   may be available to unauthenticated, remote attackers. An attacker who
   compromises an Oracle database may be able to gain access to sensitive
   information or take complete control of the host system.


III. Solution

Apply patches from Oracle

   Apply the appropriate patches or upgrade as specified in the Critical
   Patch Update - October 2006. Note that this Critical Patch Update only
   lists newly corrected vulnerabilities.

   As noted in the update, some patches are cumulative, others are not:

     The Oracle Database, Oracle Application Server, Oracle Enterprise
     Manager Grid Control, Oracle Collaboration Suite, JD Edwards
     EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise
     Portal Applications and PeopleSoft Enterprise PeopleTools patches
     in the Updates are cumulative; each Critical Patch Update contains
     the fixes from the previous Critical Patch Updates.
     Oracle E-Business Suite and Applications patches are not
     cumulative, so E-Business Suite and Applications customers should
     refer to previous Critical Patch Updates to identify previous fixes
     they want to apply. 

   The October 2006 CPU lists 35 vulnerabilities affecting Oracle
   Application Express. These vulnerabilities are addressed in Oracle
   Application Express version 2.2.1. Oracle Application Express users
   are encouraged to upgrade to version 2.2.1 as soon as possible.

   Vulnerabilities described in the October 2006 CPU may affect Oracle
   Database 10g Express Edition (XE). According to Oracle, Oracle
   Database XE is based on the Oracle Database 10g Release 2 code.

   Patches for some platforms and components were not available when the
   Critical Patch Update was published on October 17, 2006. Please see
   MetaLink Note 391563.1 (login required) for more information about
   patch availability.

   Known issues with Oracle patches are documented in the
   pre-installation notes and patch readme files. Please consult these
   documents and test before making changes to production systems.


IV. References

     * US-CERT Vulnerability Notes Related to Critical Patch Update -
       October 2006 -
       <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_oct_2006>

     * Critical Patch Update - October 2006 -
       <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>

     * Critical Patch Updates and Security Alerts -
       <http://www.oracle.com/technology/deploy/security/alerts.htm>

     * Map of Public Vulnerability to Advisory/Alert -
       <http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>

     * Oracle Database Security Checklist (PDF) -
       <http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

     * Critical Patch Update Implementation Best Practices (PDF) -
       <http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>

     * Oracle Application Express 2.2 Downloads -
       <http://www.oracle.com/technology/products/database/application_express/download.html>

     * Oracle Metalink Note 391563.1 -
       <http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=391563.1>

     * Oracle Database 10g Express Edition -
       <http://www.oracle.com/technology/products/database/xe/index.html>

     * Analysis of the October 2006 Critical Patch Update for the Oracle
       RDBMS -
       <http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf>

     * Details Oracle Critical Patch Update October 2006 -
       <http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html>


 _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA06-291A.html>
 _________________________________________________________________
 
 Feedback can be directed to US-CERT Technical Staff. Please send
 email to <cert@xxxxxxxx> with "TA06-291A Feedback VU#717140" in the
 subject.
 _________________________________________________________________

 Produced 2006 by US-CERT, a government organization.

 Terms of use:

   <http://www.us-cert.gov/legal.html>

 _________________________________________________________________

   Revision History

   October 18, 2006: Initial release
  
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRTZ35exOF3G+ig+rAQLbQQf/SjzV86X/E2WLcr2Y986MlPvgVNE/yzz8
LEJERUtIcWkii3t1UW7+T1D9jVToAajndSRs3AhLJLcH5qrcqTDR8Q16wRnPX/lN
VX0SzxWoi2WqX6BgmCUuAQOeODgdb9eoGHZDBGXpIXJMnKhyVCkwvGL1Gk5vmoSZ
YxqYZCwwkQHa+XXU1/SsA/caTBGszlCDBcUbBrAQ7ecC9k8HOH80V/FGdYk2GUEy
D/cATXeXMaYFtX4VQKt7y8N4f478TkmP5bZPTJJQNHJOyLr6nUDnW1SqE7VrSaWr
qsFFf/+Lhro4qAwa8kxj4Yb3nsDS09sgnWIjnZsbrkTcDAH0y4SWxQ==
=HHF5
-----END PGP SIGNATURE-----

[Index of Archives]     [Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Bugtraq]     [USB]     [Fedora Security]

  Powered by Linux