Infosecurity.US

ORACLE Slates 38 Patches… Alert The Media

By Marc Handelman on October 19th, 2009

News, from last week, of Oracle Corporation’s (NasdaqGS: ORCL) slated critical security updates and bug-fix patches for the Redwood Shores, CA based software giant’s database server and application server products. The affected products are a smorgasbord of the company’s offerings: Oracle Database 11g, version 11.1.0.7, Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, Oracle Database 10g, version 10.1.0.5, Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV, Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5.0, Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0, Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.0, 10.1.3.4.1, Oracle E-Business Suite Release 12, versions 12.0.6 and 12.1, Oracle E-Business Suite Release 11i, version 11.5.10.2, AutoVue, version 19.3, Agile Engineering Data Management (EDM), version 6.1, PeopleSoft PeopleTools & Enterprise Portal, version 8.49, PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0, JD Edwards Tools, version 8.98, Oracle WebLogic Server 10.0 through MP1 and 10.3, Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3, Oracle WebLogic Server 8.1 through 8.1 SP5, Oracle WebLogic Server 7.0 through 7.0 SP6, Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through 9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3 through 10.3.1, Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2), Oracle Communications Order and Service Management, versions 2.8.0, 6.2.0, 6.3.0 and 6.3.1. More information, including release notes, and a short snippet from the news post, appears after the jump.

Oracle Critical Patch Update Pre-Release Announcement – October 2009

Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for October 2009, which will be released on Tuesday, October 20, 2009.  While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 38 security vulnerability fixes across hundreds of Oracle products.  Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.  Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.

Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS 2.0 scoring (see Oracle’s Use of CVSS Scoring). The highest CVSS 2.0 base score for vulnerabilities in this Critical Patch Update is 10.0 for vulnerabilities affecting Oracle Core RDBMS, Oracle JRockit and Oracle Network Authentication.

Supported Products Affected

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

• Oracle Database 11g, version 11.1.0.7
• Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
• Oracle Database 10g, version 10.1.0.5
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
• Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5.0
• Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
• Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.0, 10.1.3.4.1
• Oracle E-Business Suite Release 12, versions 12.0.6 and 12.1
• Oracle E-Business Suite Release 11i, version 11.5.10.2
• AutoVue, version 19.3
• Agile Engineering Data Management (EDM), version 6.1
• PeopleSoft PeopleTools & Enterprise Portal, version 8.49
• PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0
• JD Edwards Tools, version 8.98
• Oracle WebLogic Server 10.0 through MP1 and 10.3
• Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3
• Oracle WebLogic Server 8.1 through 8.1 SP5
• Oracle WebLogic Server 7.0 through 7.0 SP6
• Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through 9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3 through 10.3.1
• Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2)
• Oracle Communications Order and Service Management, versions 2.8.0, 6.2.0, 6.3.0 and 6.3.1

Executive Summaries

Oracle Database Executive Summary

This Critical Patch Update contains 16 new security vulnerability fixes for the Oracle Database. 6 of these vulnerabilities may be remotely exploited without authentication, i.e., may be exploited over a network without the need for a username and password.  1 of these fixes is applicable to Oracle Database client-only installations, i.e., installations that do not have the Oracle Database installed.

The highest CVSS base score of vulnerabilities affecting Oracle Database products is 10.0 for Windows versions of the product and 7.5 for all other platforms.

The Oracle Database components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Advanced Queuing
  • Application Express
  • Authentication
  • CORE RDBMS
  • Data Mining
  • Net Foundation Layer
  • Network Authentication
  • Oracle Spatial
  • Oracle Text
  • PL/SQL
  • RDBMS Data Pump
  • RDBMS Security
  • Workspace Manager

Oracle Application Server Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle Application Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have an Oracle Application Server installed.

Oracle Application Server products that are bundled with the Oracle Database are affected by Oracle Database vulnerabilities fixed in this CPU.

The highest CVSS base score of vulnerabilities affecting Oracle Application Server products is 4.3.

The Oracle Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle Business Intelligence Enterprise Edition
  • Oracle Portal

Oracle E-Business Suite and Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for the Oracle Applications Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes is applicable to client-only installations, i.e., installations that do not have Oracle Applications installed.

Oracle E-Business Suite products use Oracle Database and Oracle Application Server products which have vulnerabilities fixed in this CPU. These vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).

The highest CVSS base score of vulnerabilities affecting E-Business Suite products is 5.5.

The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Agile Engineering Data Management (EDM)
  • AutoVue
  • Oracle Advanced Benefits
  • Oracle Application Object Library
  • Oracle Applications Framework
  • Oracle Applications Technology Stack

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary

This Critical Patch Update contains 4 new security fixes for the PeopleSoft and JD Edwards Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.

The highest CVSS base score of vulnerabilities affecting Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne products is 4.1.

The Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne components affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • JD Edwards Tools
  • PeopleSoft Enterprise HCM (TAM)
  • PeopleSoft PeopleTools & Enterprise Portal

Oracle BEA Products Executive Summary

This Critical Patch Update contains 6 new security fixes for the BEA Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The highest CVSS base score of vulnerabilities affecting Oracle BEA Products is 10.0 in Oracle JRockit.

The Oracle BEA Products affected by vulnerabilities that are fixed in this Critical Patch Update are:

  • Oracle JRockit
  • Oracle WebLogic Portal
  • Oracle WebLogic Server

Oracle Industry Applications Products Executive Summary

This Critical Patch Update contains 1 new security fix for the Oracle Industry Applications Products Suite. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.

The CVSS base score of the vulnerability affecting Oracle Industry Applications Products is 4.9.

The Oracle Industry Applications product affected by the vulnerability that is fixed in this Critical Patch Update is:

  • Oracle Communications Order and Service Management

From PCWorld’s Robert McMillan (of the IDG News Service): “38 Oracle Security Patches Coming Next Week”
“After a record-setting week of Microsoft and Adobe security patches, Oracle is gearing up for a major update of its own next week. Next Tuesday, the database vendor will release its quarterly Critical Patch Update, which “contains 38 security vulnerability fixes across hundreds of Oracle products,” according to an advance notification posted to Oracle’s Web site. As usual, Oracle’s most-patched product next week will be its flagship database, which will get 16 bug fixes. Six of these flaws may be exploitable over a network without any type of authentication, Oracle said. Also in the mix are eight fixes for the company’s E-Business Suite, three for Oracle Application Server and one for the Industry Applications Products Suite. Patches are also planned for Oracle’s BEA, PeopleSoft and JD Edwards software…”

The Infosecurity.US Blog is licensed under a Creative Commons Attribution-Share Alike 3.0 United States License.