US-CERT Technical Cyber Security Alert TA08-017A -- Oracle Updates for Multiple Vulnerabilities

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System

Technical Cyber Security Alert TA08-017A

Oracle Updates for Multiple Vulnerabilities

Original release date: January 17, 2008
Last revised: --
Source: US-CERT

Systems Affected

* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g version 10.1.0.5
* Oracle 9i Database Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 3 (10.1.3), versions
10.1.3.0.0, 10.1.3.1.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions
10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle Collaboration Suite 10g version 10.1.2
* Oracle PeopleSoft Enterprise versions 8.22, 8.48, 8.49
* Oracle E-Business Suite versions 12, versions 12.0.0 - 12.0.3
* Oracle E-Business Suite versions 11i, versions 11.5.9 - 11.5.10
CU2

For more information regarding affected product versions, please see
the Oracle Critical Patch Update - January 2008.

Overview

Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include remote
execution of arbitrary code, information disclosure, and denial of
service.

I. Description

Oracle has released Critical Patch Update - January 2008. This update
addresses 26 vulnerabilities in different Oracle products and
components.

The Critical Patch Update provides information about affected
components, access and authorization required, and the impact from the
vulnerabilities on data confidentiality, integrity, and availability.
MetaLink customers should refer to MetaLink Note 467880.1 (login
required) for more information on terms used in the Critical Patch
Update.

According to Oracle, none of the vulnerabilities corrected in the
Oracle Critical Patch Update affect Oracle Database Client-only
installations.

In most cases, Oracle does not associate Vuln# identifiers (e.g.,
DB01) with other available information. If significant additional
details about vulnerabilities and remediation techniques become
available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include the execution of arbitrary code or commands, information
disclosure, and denial of service. Vulnerable components may be
available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information.

III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - January 2008. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.

As noted in the update, some patches are cumulative, others are not:

The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle E-Business Suite Applications (Release
12 only), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools,
PeopleSoft Enterprise Portal Applications and PeopleSoft Enterprise
PeopleTools patches in the Updates are cumulative; patches for any
product included in a Critical Patch Update will include all fixes
for that product from the previous Critical Patch Updates.

Oracle E-Business Suite Applications Release 11i patches are not
cumulative, so Oracle E-Business Suite Applications customers
should refer to previous Critical Patch Updates to identify
previous security fixes they want to apply. Oracle Collaboration
Suite patches were cumulative up to and including the fixes
provided in the April 2007 Critical Patch Update. From the July
2007 Critical Patch Update on, Oracle Collaboration Suite security
fixes are delivered using the one-off patch infrastructure normally
used by Oracle to deliver single bug fixes to customers.

Patches for some platforms and components were not available when the
Critical Patch Update was published on January 17, 2008. Please see
MetaLink Note 467880.1 (login required) for more information.

Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents specific to your system before applying patches.

Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - January 2008 and Critical
Patch Updates and Security Alerts.

Appendix B. References

* Critical Patch Update for January 2008 -
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html>

* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -
<http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security _checklist_db_database.pdf>

* MetaLink Note 467880.1 (login required) -
<https://metalink.oracle.com/metalink/plsql/f?p=200:37:8541351131282773504::::p_database_id,p_id:NOT,467880.1>

* Details Oracle Critical Patch Update for January 2008 -
<http://www.red-database-security.com/advisory/oracle_cpu_jan_2008.html>

_________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA08-017A.html>
_________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA08-017A Feedback VU#338657" in the
subject.
_________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

Produced 2008 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
_________________________________________________________________

Revision History

January 17, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBR4+u9PRFkHkM87XOAQLJ9gf9HGPnB6utau4KLV4FOtX9c5BF0nbtwj3w
xPlF0oX4aAh6E+LTxLHGbOMDE+Gv1rhnMiNABVNF/AzlsoscT7Z62uC3ZoGRCDTk
g8s0l2brZ4SXtoMNsbnkkjE0G78RUr0h1lvxirBdA5hfQYB/2zZHtwfpuZaMuV/Z
Vw5aewXZ58lj8l/ioVvwrSSSWZza69SHarAm3Yx+CRGXTr7SyEQPeimHV3CPM4Xb
DPoysoNKhARAmebrNOkTKvPc8gsLCc+DFKjyQOWnl5cXQchXLx1IBHeKnDW29tH1
cbzQE8bGjYls+fqTJ1CmeYsCT8O4lVINSZ2FRsCA6EhJv3vmY8K2xQ==
=lpZt
-----END PGP SIGNATURE-----

California Fire News

News: U.S. intel alerted to threat of 'Forest Fire Jihad' Posted: 16 Jan 2008 01:25 PM CST The 2007 fires at Mount Parnitha, as seen from Athens. A terrorist website was discovered recently that carried a posting that called for "Forest Jihad." The posting was listed on the Internet on Nov. 26 and reported in U.S. intelligence channels last week. The statement, in Arabic, said that "summer has begun so do not forget the Forest Jihad." The writer called on all Muslims in the United States, Europe, Russia and Australia to "start forest fires." The posting quoted imprisoned Al Qaida terrorist Abu Musab Al-Suri, as saying "Jihad is an art just like poetry, music, and the fine arts. There are people that draw and there are others that are jihadists. They both act upon inspiration." Al-Suri is a senior Al Qaida leader captured in Pakistan in 2005 who is believed to be in U.S. custody. "The idea of forest fires is attributed to him, may God set him free, as is in this short clip," the writer stated. The posting said that setting forest fires were legal under extremist Islamic law as part of a "eye for an eye" and that can produce "amazing results." Wildfires in California burned more than 500,000 acres beginning in October and authorities said arson was to blame for some of the fires. In August, wildfires broke out in Greece that authorities say were deliberately set. The writer stated that it was permissible to burn trees in carrying out jihad. "Scholars have justified chopping down and burning the infidels' forests when they do the same to our lands," the writer said. The writer stated that "targeted forests" are in the nations that "are at war with Muslims," including the United States, Europe, Russia, and Australia. Other nations, including Brazil are "off limits" because Brazil has not joined the "armies of the crusade." On damage caused by wildfires, the report said that the fires typically take months to put out which means that "this terror will haunt them for an extended period of time." The fires also will cause economic damage because it will limit exports of timber used to make furniture and also will cause losses to pharmaceutical companies that use trees for ingredients for drugs, the posting said. Smoke caused by the fires will create pollution and military forces could be tied up fighting fires. The report noted that U.S. military forces in Iraq or Afghanistan "could even be recalled" as occurred following hurricane Katrina, which did not occur. "Imagine if, after all the losses caused by such an event, a jihadist organization were to claim responsibility for (starting) the forest fires," the writer said. "You can hardly begin to imagine the level of the fear that would take hold of people in the United States, in Europe, in Russia, and in Australia." The report said that Abu Musab Al-Suri, urges terrorists to use sulphuric acid to start a forest fire, as well as gasoline. The article was signed by Abu Thar Al-Kuwaiti, on behalf of a group called the Al-Ikhlas Islamic Network. Source: worldtribune.com

Red Flags - IMPERIAL COUNTY / RIVERSIDE COUNTY Posted: 16 Jan 2008 01:17 PM CST RED FLAG WARNING IN EFFECT FROM 9 AM THIS MORNING TO 6 PM PST THIS AFTERNOON FOR STRONG NORTHERLY WINDS AND LOW RELATIVE HUMIDITIES OVER SOUTHEAST CALIFORNIA... INCLUDING JOSHUA TREE NATIONAL PARK Actual/Immediate/Severe/Observed CALIFORNIA FIRE WEATHER ZONE 230JOSHUA TREE NATIONAL PARK-CALIFORNIA FIRE WEATHER ZONE 232IMPERIAL COUNTY AND EASTERN RIVERSIDE COUNTY- Alert sent at 04:38 PST on 2008-01-16 RED FLAG WARNING IN EFFECT FROM 10 AM MST /9 AM PST/ THIS MORNING TO 7 PM MST /6 PM PST/ THIS EVENING FOR STRONG NORTHERLY WINDS... LOW RELATIVE HUMIDITIES AND HIGH FIRE DANGER RATING Actual/Immediate/Severe/Observed ARIZONA FIRE WEATHER ZONE 131YUMA/MARTINEZ LAKE AND VICINITY/LOWER COLORADO RIVER VALLEY AZ-CALIFORNIA FIRE WEATHER ZONE 231LOWER COLORADO RIVER VALLEY CA- Alert sent at 04:38 PST on 2008-01-16

You are subscribed to email updates from California Fire News - Structure, Wildland, EMS To stop receiving these emails, you may unsubscribe now.	Email Delivery powered by FeedBurner
Inbox too full? Subscribe to the feed version of California Fire News - Structure, Wildland, EMS in a feed reader.
If you prefer to unsubscribe via postal mail, write to: California Fire News - Structure, Wildland, EMS, c/o FeedBurner, 20 W Kinzie, 9th Floor, Chicago IL USA 60610