April 2007
Oracle Critical Patch Update Pre-Release Announcement - April 2007
ID: 113
Ref: 055/2007
Date: 13 April 2007 15:12:34
Version: 1
Title: Oracle Critical Patch Update Pre-Release Announcement - April 2007
Abstract: This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2007.
Vendors affected: Oracle
Operating systems affected: Oracle
Description
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for April 2007 which will be released on Tuesday, 17 April 2007. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update advisory.
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. This Critical Patch Update contains 37 security fixes across all products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.
Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS scoring (see 394486.1). The highest CVSS base score of vulnerabilities across all products is 7.0.
Supported Products Affected
Security vulnerabilities addressed by this Critical Patch Update affect the following products:
Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
Oracle Secure Enterprise Search 10g Release 1, version 10.1.8
Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0
Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
Oracle Application Server 10g (9.0.4), version 9.0.4.3
Oracle10g Collaboration Suite Release 1, version 10.1.2
Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
Oracle E-Business Suite Release 12, version 12.0.0
Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8
Oracle Enterprise Manager 9i, version 9.0.1.5
Oracle PeopleSoft Enterprise PeopleTools, versions 8.22, 8.47, 8.48
Oracle PeopleSoft Enterprise Human Capital Management, version 8.9
JD Edwards EnterpriseOne Tools, version 8.96
JD Edwards OneWorld Tools SP23
Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
Oracle9i Database Release 2, version 9.2.0.5
Oracle Database 10g Release 2, version 10.2.0.1
Executive Summaries
Oracle Database Executive Summary
This Critical Patch Update contains 13 new security fixes for the Oracle Database. Additionally, 2 new security fixes for Oracle Enterprise Manager, 1 new security fix for Oracle Workflow Cartridge, and 1 new security fix for the Ultra Search component affect code bundled with the Oracle Database. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. 2 of these fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed.
The highest CVSS base score of vulnerabilities affecting Oracle Database products is 7.0.
The Oracle Database components affected by vulnerabilities that are fixed in this Critical Patch Update are:
Advanced Queuing
Advanced Replication
Authentication
Change Data Capture (CDC)
Core RDBMS
Oracle Agent
Oracle Instant Client
Oracle Streams
Oracle Text
Oracle Workflow Cartridge
Rules Manager, Expression Filter
Ultra Search
Upgrade/Downgrade
Oracle Application Server Executive Summary
This Critical Patch Update contains 5 new security fixes for Oracle Application Server. There is also 1 Oracle Workflow Cartridge fix and 1 Oracle Secure Enterprise Search fix that affect Oracle Application Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. No new fixes are applicable to client-only installations, i.e. installations that do not have Oracle Application Server installed.
Oracle Application Server products that are bundled with the Oracle Database are affected by Oracle Database vulnerabilities fixed in this CPU. Oracle Application Server 10g Release 2 (10.1.3.0.0) is not affected by Application Server specific vulnerabilities, but includes Oracle Database code that needs to be patched by applying the Oracle Application Server patch.
The highest CVSS base score of vulnerabilities affecting Oracle Application Server products is 4.2.
The Oracle Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:
Oracle COREid Access
Oracle Discoverer
Oracle Portal
Oracle Wireless
Oracle Workflow Cartridge
Oracle WebCenter Suite - Secure Enterprise Search
Oracle Collaboration Suite Executive Summary
There is 1 new Oracle Collaboration Suite specific fix in this Critical Patch Update. There is also 1 Oracle Workflow Cartridge fix that affects Oracle Collaboration Suite. Neither is remotely exploitable without authentication.
Oracle Collaboration Suite bundles the Oracle Database. All Oracle Database fixes included in this CPU are applicable.
The highest CVSS base score of Oracle Application Server vulnerabilities affecting Oracle Collaboration Suite is 1.4.
Oracle E-Business Suite and Applications Executive Summary
This Critical Patch Update contains 11 new security fixes for the Oracle E-Business Suite. 2 of these vulnerabilities may be remotely exploited without authentication, i.e. they may be exploited over a network without the need for a username and password.
Oracle E-Business Suite products include an Oracle Database which has vulnerabilities fixed in this CPU. These Oracle Database vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).
Oracle Life Sciences Applications (previously known as Oracle Pharmaceutical Applications) includes Oracle Application Server components which should be patched (the documentation released with the Critical Patch Update will provide details).
The highest CVSS base score of vulnerabilities affecting E-Business Suite products is 4.2.
The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:
Oracle Application Object Library
Oracle Applications Manager
Oracle Common Applications
Oracle iProcurement
Oracle iStore
Oracle iSupport
Oracle Report Manager
Oracle Sales Online
Oracle Trade Management
Oracle Workflow Cartridge
Oracle Enterprise Manager Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle Enterprise Manager, both of which may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password.
Oracle Enterprise Manager includes Oracle Database and Oracle Application Server components which have vulnerabilities fixed in this CPU. These Oracle Database and Application Server vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).
The highest CVSS base score of vulnerabilities affecting Enterprise Manager products is 2.3.
Only the Oracle Agent component of Oracle Enterprise Manager is affected by vulnerabilities that are fixed in this Critical Patch Update.
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary
This Critical Patch Update contains 2 new security fixes for Oracle PeopleSoft Enterprise PeopleTools, 1 new security fix for PeopleSoft Enterprise Human Capital Management, and 1 new security fix for JD Edwards EnterpriseOne and JD Edwards OneWorld Tools. None of the underlying security vulnerabilities may be remotely exploitable without authentication, i.e. none may be exploited over a network without the need for a username and password.
The highest CVSS base score of vulnerabilities affecting Oracle PeopleSoft Enterprise products is 2.4.
The Oracle PeopleSoft Enterprise components affected by vulnerabilities that are fixed in this Critical Patch Update are:
JD Edwards HTML Server
PeopleSoft Enterprise Human Capital Management
PeopleTools
Original Advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Oracle for the information contained in this advisory.
______________________________________________________________________________