Thursday, January 17, 2008

US-CERT Technical Cyber Security Alert TA08-017A -- Oracle Updates for Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-017A


Oracle Updates for Multiple Vulnerabilities

Original release date: January 17, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g version 10.1.0.5
* Oracle 9i Database Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 3 (10.1.3), versions
10.1.3.0.0, 10.1.3.1.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions
10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle Collaboration Suite 10g version 10.1.2
* Oracle PeopleSoft Enterprise versions 8.22, 8.48, 8.49
* Oracle E-Business Suite versions 12, versions 12.0.0 - 12.0.3
* Oracle E-Business Suite versions 11i, versions 11.5.9 - 11.5.10
CU2

For more information regarding affected product versions, please see
the Oracle Critical Patch Update - January 2008.

Overview

Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include remote
execution of arbitrary code, information disclosure, and denial of
service.

I. Description

Oracle has released Critical Patch Update - January 2008. This update
addresses 26 vulnerabilities in different Oracle products and
components.

The Critical Patch Update provides information about affected
components, access and authorization required, and the impact from the
vulnerabilities on data confidentiality, integrity, and availability.
MetaLink customers should refer to MetaLink Note 467880.1 (login
required) for more information on terms used in the Critical Patch
Update.

According to Oracle, none of the vulnerabilities corrected in the
Oracle Critical Patch Update affect Oracle Database Client-only
installations.

In most cases, Oracle does not associate Vuln# identifiers (e.g.,
DB01) with other available information. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include the execution of arbitrary code or commands, information
disclosure, and denial of service. Vulnerable components may be
available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information.

III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - January 2008. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.

As noted in the update, some patches are cumulative, others are not:

The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle E-Business Suite Applications (Release
12 only), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools,
PeopleSoft Enterprise Portal Applications and PeopleSoft Enterprise
PeopleTools patches in the Updates are cumulative; patches for any
product included in a Critical Patch Update will include all fixes
for that product from the previous Critical Patch Updates.

Oracle E-Business Suite Applications Release 11i patches are not
cumulative, so Oracle E-Business Suite Applications customers
should refer to previous Critical Patch Updates to identify
previous security fixes they want to apply. Oracle Collaboration
Suite patches were cumulative up to and including the fixes
provided in the April 2007 Critical Patch Update. From the July
2007 Critical Patch Update on, Oracle Collaboration Suite security
fixes are delivered using the one-off patch infrastructure normally
used by Oracle to deliver single bug fixes to customers.

Patches for some platforms and components were not available when the
Critical Patch Update was published on January 17, 2008. Please see
MetaLink Note 467880.1 (login required) for more information.

Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents specific to your system before applying patches.


Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - January 2008 and Critical
Patch Updates and Security Alerts.


Appendix B. References

* Critical Patch Update for January 2008 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security _checklist_db_database.pdf>

* MetaLink Note 467880.1 (login required) -
<https://metalink.oracle.com/metalink/plsql/f?p=200:37:8541351131282773504::::p_database_id,p_id:NOT,467880.1>

* Details Oracle Critical Patch Update for January 2008 -
<http://www.red-database-security.com/advisory/oracle_cpu_jan_2008.html>


_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-017A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-017A Feedback VU#338657" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

January 17, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBR4+u9PRFkHkM87XOAQLJ9gf9HGPnB6utau4KLV4FOtX9c5BF0nbtwj3w
xPlF0oX4aAh6E+LTxLHGbOMDE+Gv1rhnMiNABVNF/AzlsoscT7Z62uC3ZoGRCDTk
g8s0l2brZ4SXtoMNsbnkkjE0G78RUr0h1lvxirBdA5hfQYB/2zZHtwfpuZaMuV/Z
Vw5aewXZ58lj8l/ioVvwrSSSWZza69SHarAm3Yx+CRGXTr7SyEQPeimHV3CPM4Xb
DPoysoNKhARAmebrNOkTKvPc8gsLCc+DFKjyQOWnl5cXQchXLx1IBHeKnDW29tH1
cbzQE8bGjYls+fqTJ1CmeYsCT8O4lVINSZ2FRsCA6EhJv3vmY8K2xQ==
=lpZt
-----END PGP SIGNATURE-----

No comments:

CNN.com

News: Breaking News -- MercuryNews.com

AP Top U.S. News At 8:45 p.m.