CPNI - Centre for the Protection of National Infrastructure


January 2008

3549 - Oracle Critical Patch Update Advisory - January 2008

ID: 3549
Date: 16/01/2008

Title: 3549 - Oracle Critical Patch Update Advisory - January 2008
Platform level affected: Operating System
Hardware components affected: Other
Specific operating systems components affected: Other
Net-enabled software: Enterprise Application
Security software: Other
Other software: Office Automation
Remediation Summary: Update your copy of the software with the download available from the supplier.
Vendors affected: Oracle
Applications affected: Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite Release, Oracle PeopleSoft Enterprise PeopleTools.
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Active
Potential Damage: Local execution/modification
Possible Duration: Open Ended
Availability of fix: Available
Type of fix: Patch
Source: Oracle
Reliability of source: Trusted
Source URL: http://www.oracle.com
Abstract: Oracle Critical Patch Update - 26 new security fixes across all products
 

Oracle Critical Patch Update Advisory - January 2008

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 26 new security fixes across all products.

Supported Products and Components Affected

Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in [square brackets] following the product versions. Please click on the link in [square brackets] or in the Patch Availability Table to access the documentation for those patches.

Oracle Configuration Manager (OCM) is included in this Critical Patch Update. OCM enables Oracle to provide superior, proactive support to our customers. For more information, go to http://www.oracle.com/technology/documentation/ocm.html.

Category I

Product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support policy:

• Oracle Database 11g, version 11.1.0.6     [ Database ]
• Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3     [ Database ]
• Oracle Database 10g, version 10.1.0.5     [ Database ]
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV     [ Database ]
• Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.3.0     [ Application Server ]
• Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0     [ Application Server ]
• Oracle Application Server 10g (9.0.4), version 9.0.4.3     [ Application Server ]
• Oracle Collaboration Suite 10g, version 10.1.2     [ Collaboration Suite ]
• Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.3     [ E-Business Suite ]
• Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2     [ E-Business Suite ]
• Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.48, 8.49     [ PeopleSoft/JDE ]

Category II

Products and components that are bundled with the products listed in Category I.
No products in this category are affected by the fixes included in this Critical Patch Update.

Category III

Products that are de-supported as a standalone installation but are supported when installed with the products listed in Category I:

• Oracle Database 9i, version 9.0.1.5 FIPS+     [ Application Server ]
• Oracle Application Server 9i Release 1, version 1.0.2.2     [ E-Business Suite ]

Patches for Category III products are only available when these products are installed as part of Category I products, and are tested solely on supported configurations and environments. Please refer to the documentation for each product for specific details concerning the support and availability of patches.

Category IV

Products that are supported only on selected platforms. Please consult the additional documentation for details.
No products in this category are affected by the fixes included in this Critical Patch Update.  

Full advisory: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark, manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.

Wed, 16 Jan 2008 11:30:00 GMT
Domain affected: Technical