US-CERT Technical Cyber Security Alert TA07-108A -- Oracle Releases Patches for Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                        National Cyber Alert System

                  Technical Cyber Security Alert TA07-108A


Oracle Releases Patches for Multiple Vulnerabilities

   Original release date: April 18, 2007
   Last revised: --
   Source: US-CERT


Systems Affected

     * Oracle Database
     * Oracle Application Server
     * Oracle Secure Enterprise Search
     * Oracle Enterprise Manager
     * Oracle Collaboration Suite
     * Ultra Search component
     * Oracle E-Business Suite
     * JD Edwards EnterpriseOne Tools

   For more detailed information regarding affected product versions,
   refer to the Oracle Critical Patch Update - April 2007.


Overview

   Oracle has released patches to address numerous vulnerabilities in
   different Oracle products. The impacts of these vulnerabilities
   include remote execution of arbitrary code, information disclosure,
   and denial of service.


I. Description

   Oracle has released the Critical Patch Update - April 2007. According
   to Oracle, this Critical Patch Update (CPU) includes:

     * 13 new security fixes for the Oracle Database
     * 1 new security fix for Oracle Secure Enterprise Search
     * 1 new security fix for Oracle Enterprise Manager
     * 1 new security fix for Oracle Workflow Cartridge
     * 1 new security fix for the Ultra Search component

   Many Oracle products include or share code with other vulnerable
   Oracle products and components. Therefore, one vulnerability may
   affect multiple Oracle products and components. Refer to the April
   2007 CPU for details regarding which vulnerabilities affect specific
   Oracle products and components.

   As of April 18, 2007, updates for Oracle Vuln#s DB01 and DB03 are not
   available. These vulnerabilities affect Oracle Database 9.2.0.8 on the
   Windows platform only.

   For a list of publicly known vulnerabilities addressed in the April
   2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
   The April 2007 CPU does not associate Vuln# identifiers (e.g., DB01)
   with other available information, even in the Map of Public
   Vulnerability to Advisory/Alert document. As more details about
   vulnerabilities and remediation strategies become available, we will
   update the individual vulnerability notes.


II. Impact

   The impact of these vulnerabilities varies depending on the product,
   component, and configuration of the system. Potential consequences
   include remote execution of arbitrary code or commands, sensitive
   information disclosure, and denial of service. Vulnerable components
   may be available to unauthenticated, remote attackers. An attacker who
   compromises an Oracle database may be able to gain access to sensitive
   information or take complete control of the host system.


III. Solution

Apply patches from Oracle

   Apply the appropriate patches or upgrade as specified in the Critical
   Patch Update - April 2007. Note that this Critical Patch Update only
   lists newly corrected vulnerabilities.

   As noted in the update, some patches are cumulative, others are not:

     The Oracle Database, Oracle Application Server, Oracle Enterprise
     Manager Grid Control, Oracle Collaboration Suite, JD Edwards
     EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise
     Portal Applications and PeopleSoft Enterprise PeopleTools patches
     in the Updates are cumulative; each Critical Patch Update contains
     the fixes from the previous Critical Patch Updates.
     Oracle E-Business Suite and Applications patches are not
     cumulative, so E-Business Suite and Applications customers should
     refer to previous Critical Patch Updates to identify previous fixes
     they want to apply. 

   Vulnerabilities described in the April 2007 CPU may affect Oracle
   Database 10g Express Edition (XE). According to Oracle, Oracle
   Database XE is based on the Oracle Database 10g Release 2 code.

   Known issues with Oracle patches are documented in the
   pre-installation notes and patch readme files. Please consult these
   documents and test before making changes to production systems.
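The cumulative/non-cumulative distinction above matters when checking whether a system actually carries the April 2007 fixes: for the cumulative product families any later CPU implies them, while for E-Business Suite and Applications the April 2007 patch itself has to be present. The following is an added example, not code from the alert or from Oracle. It assumes that applied CPUs can be read from rows shaped like Oracle's DBA_REGISTRY_HISTORY view with ACTION set to "CPU" and a COMMENTS value such as "CPUApr2007" (the label catcpu.sql writes on 10g, an assumption here), and that the product families split exactly as the quoted Oracle text states.

```python
"""Decide whether recorded Critical Patch Updates cover the April 2007 CPU.

Added example; not taken from US-CERT TA07-108A or from Oracle. The registry
row shape ("ACTION" == "CPU", "COMMENTS" like "CPUApr2007") is an assumption.
"""
import re
from datetime import date

# Product families whose CPU patches are cumulative, per the Oracle text quoted
# in the alert: each CPU contains the fixes from all previous CPUs.
CUMULATIVE = {
    "Oracle Database", "Oracle Application Server",
    "Oracle Enterprise Manager Grid Control", "Oracle Collaboration Suite",
    "JD Edwards EnterpriseOne", "JD Edwards OneWorld Tools",
    "PeopleSoft Enterprise Portal Applications",
    "PeopleSoft Enterprise PeopleTools",
}
# Product families whose patches are NOT cumulative: every CPU must be applied.
NON_CUMULATIVE = {"Oracle E-Business Suite", "Oracle Applications"}

# Quarterly CPU schedule encoded in the label (assumed label format).
MONTHS = {"Jan": 1, "Apr": 4, "Jul": 7, "Oct": 10}
CPU_RE = re.compile(r"^CPU(Jan|Apr|Jul|Oct)(\d{4})$")

TARGET = date(2007, 4, 1)  # the CPU this alert covers


def parse_cpu(label):
    """Map a label like 'CPUApr2007' to date(2007, 4, 1); None if unrecognised."""
    m = CPU_RE.match(label.strip())
    if not m:
        return None
    return date(int(m.group(2)), MONTHS[m.group(1)], 1)


def applied_cpu_labels(rows):
    """Extract CPU labels from registry-history-style rows (constructed shape)."""
    return [r["COMMENTS"] for r in rows if r.get("ACTION") == "CPU"]


def covers_cpu(product, applied_labels, target=TARGET):
    """True if the applied CPUs carry the fixes of the target CPU.

    Cumulative families: any recorded CPU dated on or after the target suffices.
    Non-cumulative families: the target CPU itself must be recorded.
    An unknown family raises, so callers never silently assume cumulativity.
    """
    applied = {d for d in (parse_cpu(lbl) for lbl in applied_labels) if d}
    if product in CUMULATIVE:
        return any(d >= target for d in applied)
    if product in NON_CUMULATIVE:
        return target in applied
    raise ValueError(f"unknown product family: {product!r}")


# Constructed sample rows in the assumed DBA_REGISTRY_HISTORY shape.
SAMPLE_ROWS = [
    {"ACTION": "UPGRADE", "COMMENTS": "Upgraded from 10.2.0.1.0"},
    {"ACTION": "CPU", "COMMENTS": "CPUJan2007"},
    {"ACTION": "CPU", "COMMENTS": "CPUJul2007"},
]

if __name__ == "__main__":
    labels = applied_cpu_labels(SAMPLE_ROWS)
    for family in ("Oracle Database", "Oracle E-Business Suite"):
        status = "covered" if covers_cpu(family, labels) else "MISSING"
        print(f"{family}: April 2007 CPU {status} (recorded: {labels})")
```

Run against real inventory data, the same registry rows would make the database instance report "covered" (July 2007 is cumulative) while an E-Business Suite installation with the same history would report the April 2007 fixes as missing, which is exactly the case the alert tells E-Business Suite customers to check against previous CPUs.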


IV. References

     * US-CERT Vulnerability Notes Related to Critical Patch Update -
       April 2007 -
       <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_apr_2007>

     * Critical Patch Update - April 2007 -
       <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html>

     * Critical Patch Updates and Security Alerts -
       <http://www.oracle.com/technology/deploy/security/alerts.htm>

     * Map of Public Vulnerability to Advisory/Alert -
       <http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>

     * Oracle Database Security Checklist (PDF) -
       <http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

     * Critical Patch Update Implementation Best Practices (PDF) -
       <http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>

     * Oracle Database 10g Express Edition -
       <http://www.oracle.com/technology/products/database/xe/index.html>

     * Details Oracle Critical Patch Update April 2007 -
       <http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html>


_________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-108A.html>
_________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA07-108A Feedback VU#809457" in the
   subject.
_________________________________________________________________    

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>
_________________________________________________________________

   Produced 2007 by US-CERT, a government organization. 

   Terms of use:

   <http://www.us-cert.gov/legal.html>
_________________________________________________________________

   Revision History

   April 18, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRiaVVOxOF3G+ig+rAQK52wf/V5cVPufYmpQNPxG2xpO7tRnAboUHgjSm
iS+VSglvzvTHPJeMyeu7XB6R0Sx/MTRU18fR9JfdW7lPCTVPEbVnF+1w2AQXdppg
ct3uyLNoiVcEo41ynkiNxzO/WzQvJXgzc6un3lP4TAJ85TlGsbARuhV9NncDrgGP
tIXlfc7bfElYYJtXPjTk6ZDhCLG3GPkFt1Qmo5ps22FdVJFqzNNt8F/ae5/pbhv4
7faGiYx35CBbE8oquRv7LioZf/0SiKifvLhTlf+XxZ0Mg3m0lgvNpoyavRmD2vcd
tC5VRcNNK7SJkt9pTHBgOfXMtdWZ+3GnYP2WA12bFST08FaDyIOQvA==
=9AZ5
-----END PGP SIGNATURE-----
