October 2007

ID: 3431
Date: 17 October 2007 22:04

---

Title: 3431 - Oracle Updates for Multiple Vulnerabilities
Abstract: Oracle has released Critical Patch Update - October 2007. This update addresses more than forty vulnerabilities in different Oracle products and components.
Vendors affected:Oracle
Applications affected:Database 10g, 9i Database, Enterprise Manager 10g Database Control, Application Server 10g, Collaboration Suite 10g, PeopleSoft Enterprise, E-Business Suite, PeopleSoft Enterprise Human Capital Management
Potential Damage: Remote execution/modification
Availability of fix: Available
Type of fix: Patch
Source: US-CERT
Reliability of source: Trusted
Source URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

 National Cyber Alert System
  
   Technical Cyber Security Alert TA07-290A

Oracle Updates for Multiple Vulnerabilities

   Original release date: October 17, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

     * Oracle Database 10g
     * Oracle 9i Database
     * Oracle Enterprise Manager 10g Database Control
     * Oracle Application Server 10g
     * Oracle Collaboration Suite 10g
     * Oracle PeopleSoft Enterprise
     * Oracle E-Business Suite
     * Oracle PeopleSoft Enterprise Human Capital Management

   For more information regarding affected product versions, please see
   the Oracle Critical Patch Update - October 2007.

Overview

   Oracle products and components are affected by multiple
   vulnerabilities. The impacts of these vulnerabilities include remote
   execution of arbitrary code, information disclosure, and denial of
   service.

I. Description

   Oracle has released Critical Patch Update - October 2007. This update
   addresses more than forty vulnerabilities in different Oracle products
   and components.

   The Critical Patch Update provides information about affected
   components, access and authorization required, and the impact from the
   vulnerabilities on data confidentiality, integrity, and availability.
   MetaLink customers should refer to MetaLink Note 394487.1 (login
   required) for more information on terms used in the Critical Patch
   Update.

   According to Oracle, none of the vulnerabilities corrected in the
   Oracle Critical Patch Update affect Oracle Database Client-only
   installations.

   In most cases, Oracle does not associate Vuln# identifiers (e.g.,
   DB01) with other available information. If significant additional
   details about vulnerabilities and remediation techniques become
   available, we will update the Vulnerability Notes Database.

II. Impact

   The impact of these vulnerabilities varies depending on the product,
   component, and configuration of the system. Potential consequences
   include the execution of arbitrary code or commands, information
   disclosure, and denial of service. Vulnerable components may be
   available to unauthenticated, remote attackers. An attacker who
   compromises an Oracle database may be able to gain access to sensitive
   information.

III. Solution

Apply a patch

   Apply the appropriate patches or upgrade as specified in the Oracle
   Critical Patch Update - October 2007. Note that this Critical Patch
   Update only lists newly corrected issues. Updates to patches for
   previously known issues are not listed.

   As noted in the update, some patches are cumulative, others are not:

     The Oracle Database, Oracle Application Server, Oracle Enterprise
     Manager Grid Control, Oracle Collaboration Suite, JD Edwards
     EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
     Applications patches in the Updates are cumulative; each successive
     Critical Patch Update contains the fixes from the previous Critical
     Patch Updates.
     Oracle E-Business Suite and Applications patches are not
     cumulative, so E-Business Suite and Applications customers should
     refer to previous Critical Patch Updates to identify previous fixes
     they wish to apply.

   Patches for some platforms and components were not available when the
   Critical Patch Update was published on October 17, 2007. Please see
   MetaLink Note 360465.1 (login required) for more information.

   Known issues with Oracle patches are documented in the
   pre-installation notes and patch readme files. Please consult these
   documents specific to your system before applying patches.

Appendix A. Vendor Information

Oracle

   Please see Oracle Critical Patch Update - October 2007 and Critical
   Patch Updates and Security Alerts.

Appendix B. References

  * Critical Patch Update - October 2007 -
    <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html>
    
  * Critical Patch Updates and Security Alerts -
    <http://www.oracle.com/technology/deploy/security/alerts.htm>
    
  * Map of Public Vulnerability to Advisory/Alert -
    <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
    
  * Oracle Database Security Checklist (PDF) -
    <http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>
    
  * MetaLink Note 360465.1 (login required) -
    <https://metalink.oracle.com/metalink/plsql/f?p=200:37:386501049664454700::::p_database_id,p_id,p_template:Not,360465.1,0>
    
  * Details Oracle Critical Patch Update October 2007 -
    <http://www.red-database-security.com/advisory/oracle_cpu_oct_2007.html>

 _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA07-290A.html>
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History

   October 17, 2007: Initial release

 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRxZc1PRFkHkM87XOAQIyogf+PJ0RLVWBZMzR+Jn8pQ3398NbqIERMLPA
xqxrWbPAu0EChmguWg4eYUzfMMg6W0rbmVVgmilZsW8eL3UVeMjzX8hBVhyaQUXy
RXsKJIpTVhL3dgHr6z9mA+Y2VfQspYstAXtVAGjEvCvzuJJqoY/R5ZRitXuRgfGY
i1l1mt4rc/A2IoaanlJSJJtH6kxZ42dZWiGZCRdqemmBIUvL9kWY7jlgOh7Hifdc
U2zkCNioBLYFxk+cn9CKAvMlBOtbcsryRLPt5e32lCE7I4NSA87xM/4c8J86Weyw
y0prw11nwX3LXa7k96b5Kmb/bjDovgQ/O12SkRs9XS2+uHtvEbUXFw==
=1546
-----END PGP SIGNATURE-----

 

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.