CPNI - Centre for the Protection of National Infrastructure


April 2007

Oracle Critical Patch Update - April 2007

ID: 117
Ref: 059/2007
Date: 19 April 2007, 11:08:36
Version: 1

Title: Oracle Critical Patch Update - April 2007
Abstract: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required, because of interdependencies, by those security patches.
Vendors affected: Oracle
Operating systems affected: Oracle

This Oracle Critical Patch Update contains 36 new security fixes affecting the products listed below.

Supported Products and Components Affected:

. Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
. Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
. Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
. Oracle Secure Enterprise Search 10g Release 1, version 10.1.6
. Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0
. Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
. Oracle Application Server 10g (9.0.4), version 9.0.4.3
. Oracle10g Collaboration Suite Release 1, version 10.1.2
. Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
. Oracle E-Business Suite Release 12, version 12.0.0
. Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8
. Oracle Enterprise Manager 9i, version 9.0.1.5
. Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48
. Oracle PeopleSoft Enterprise Human Capital Management version 8.9
. JD Edwards EnterpriseOne Tools version 8.96
. JD Edwards OneWorld Tools SP23
. Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
. Oracle9i Database Release 2, versions 9.2.0.5
. Oracle Database 10g Release 2, version 10.2.0.1


Mitigation

Due to the threat posed by a successful attack, Oracle strongly recommends that fixes are applied as soon as possible. Depending on your environment, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack.

For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends changes are tested on non-production systems. Neither approach should be considered a long-term solution, as neither corrects the underlying problem.


Full Advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

______________________________________________________________________________
CPNI wishes to acknowledge the contributions of Oracle for the information contained in this advisory.