ORACLE Slates 38 Patches… Alert The Media
News, from last week, of Oracle Corporation’s (NasdaqGS: ORCL) slated critical security updates and bug fix patches for the Redwood Shores, CA based software giant’s database server and application server products. The list affected are a smorgasboard of the company’s offerings: Oracle Database 11g, version 11.1.0.7, Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, Oracle Database 10g, version 10.1.0.5, Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV, Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5.0, Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0, Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.0, 10.1.3.4.1, Oracle E-Business Suite Release 12, versions 12.0.6 and 12.1, Oracle E-Business Suite Release 11i, version 11.5.10.2, AutoVue, version 19.3, Agile Engineering Data Management (EDM), version 6.1, PeopleSoft PeopleTools & Enterprise Portal, version 8.49, PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0, JD Edward Tools, version 8.98, Oracle WebLogic Server 10.0 through MP1 and 10.3, Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3, Oracle WebLogic Server 8.1 through 8.1 SP5, Oracle WebLogic Server 7.0 through 7.0 SP6, Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through 9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3 through 10.3.1, Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2), Oracle Communications Order and Service Management, versions 2.8.0, 6.2.0, 6.3.0 and 6.3.1. More information, including release notes, and a short snippet form the news post, appears after the jump.
Oracle Critical Patch Update Pre-Release Announcement – October 2009
Description
This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for October 2009, which will be released on Tuesday, October 20, 2009. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update Advisory.
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 38 security vulnerability fixes across hundreds of Oracle products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products. Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Critical Patch Update fixes as soon as possible.
Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS 2.0 scoring (see Oracle’s Use of CVSS Scoring). The highest CVSS 2.0 base score for vulnerabilities in this Critical Patch Update is 10.0 for vulnerabilities affecting Oracle Core RDBMS, Oracle JRockit and Oracle Network Authentication.
Supported Products Affected
Security vulnerabilities addressed by this Critical Patch Update affect the following products:
| • Oracle Database 11g, version 11.1.0.7 |
| • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4 |
| • Oracle Database 10g, version 10.1.0.5 |
| • Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV |
| • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5.0 |
| • Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0 |
| • Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.0, 10.1.3.4.1 |
| • Oracle E-Business Suite Release 12, versions 12.0.6 and 12.1 |
| • Oracle E-Business Suite Release 11i, version 11.5.10.2 |
| • AutoVue, version 19.3 |
| • Agile Engineering Data Management (EDM), version 6.1 |
| • PeopleSoft PeopleTools & Enterprise Portal, version 8.49 |
| • PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0 |
| • JD Edward Tools, version 8.98 |
| • Oracle WebLogic Server 10.0 through MP1 and 10.3 |
| • Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3 |
| • Oracle WebLogic Server 8.1 through 8.1 SP5 |
| • Oracle WebLogic Server 7.0 through 7.0 SP6 |
| • Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through 9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3 through 10.3.1 |
| • Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2) |
| • Oracle Communications Order and Service Management, versions 2.8.0, 6.2.0, 6.3.0 and 6.3.1 |
Executive Summaries
Oracle Database Executive Summary
This Critical Patch Update contains 16 new security vulnerability fixes for the Oracle Database. 6 of these vulnerabilities may be remotely exploited without authentication, i.e., may be exploited over a network without the need for a username and password. 1 of these fixes is applicable to Oracle Database client-only installations, i.e., installations that do not have the Oracle Database installed.
The highest CVSS base score of vulnerabilities affecting Oracle Database products is 10.0 for Windows versions of the product and 7.5 for all other platforms.
The Oracle Database components affected by vulnerabilities that are fixed in this Critical Patch Update are:
- Advanced Queuing
- Application Express
- Authentication
- CORE RDBMS
- Data Mining
- Net Foundation Layer
- Network Authentication
- Oracle Spatial
- Oracle Text
- PL/SQL
- RDBMS Data Pump
- RDBMS Security
- Workspace Manager
Oracle Application Server Executive Summary
This Critical Patch Update contains 3 new security fixes for the Oracle Application Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have an Oracle Application Server installed.
Oracle Application Server products that are bundled with the Oracle Database are affected by Oracle Database vulnerabilities fixed in this CPU.
The highest CVSS base score of vulnerabilities affecting Oracle Application Server products is 4.3.
The Oracle Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:
- Oracle Business Intelligence Enterprise Edition
- Oracle Portal
Oracle E-Business Suite and Applications Executive Summary
This Critical Patch Update contains 8 new security fixes for the Oracle Applications Suite. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes is applicable to client-only installations, i.e., installations that do not have an Oracle Applications installed.
Oracle E-Business Suite products use Oracle Database and Oracle Application Server products which have vulnerabilities fixed in this CPU. These vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).
The highest CVSS base score of vulnerabilities affecting E-Business Suite products is 5.5.
The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:
- Agile Engineering Data Management (EDM)
- AutoVue
- Oracle Advanced Benefits
- Oracle Application Object Library
- Oracle Applications Framework
- Oracle Applications Technology Stack
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary
This Critical Patch Update contains 4 new security fixes for the PeopleSoft and JD Edwards Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.
The highest CVSS base score of vulnerabilities affecting Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne products is 4.1.
The Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne components affected by vulnerabilities that are fixed in this Critical Patch Update are:
- JD Edwards Tools
- PeopleSoft Enterprise HCM (TAM)
- PeopleSoft PeopleTools & Enterprise Portal
Oracle BEA Products Executive Summary
This Critical Patch Update contains 6 new security fixes for the BEA Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
The highest CVSS base score of vulnerabilities affecting Oracle BEA Products is 10.0 in Oracle JRockit.
The Oracle BEA Products affected by vulnerabilities that are fixed in this Critical Patch Update are:
- Oracle JRockit
- Oracle WebLogic Portal
- Oracle WebLogic Server
Oracle Industry Applications Products Executive Summary
This Critical Patch Update contains 1 new security fix for the Oracle Industry Applications Products Suite. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.
The CVSS base score of the vulnerability affecting Oracle Industry Applications Products is 4.9.
Oracle Industry Applications product affected by the vulnerability that is fixed in this Critical Patch Update is:
- Oracle Communications Order and Service Management
From PCWorld’s Robert McMillan (of the IDG News Service): “38 Oracle Security Patches Coming Next Week“
“After a record-setting week of Microsoft and Adobe security patches, Oracle is gearing up for a major update of its own next week. Next Tuesday, the database vendor will release its quarterly Critical Patch Update, which “contains 38 security vulnerability fixes across hundreds of Oracle products,” according to an advance notification posted to Oracle’s Web site. As usual, Oracle’s most-patched product next week will be its flagship database, which will get 16 bug fixes. Six of these flaws may be exploitable over a network without any type of authentication, Oracle said. Also in the mix are eight fixes for the company’s E-Business Suite, three for Oracle Application Server and one for the Industry Applications Products Suite. Patches are also planned for Oracle’s BEA, PeopleSoft and JD Edwards software…”
