ASB-2009.1109 - ALERT [Win][UNIX/Linux] Oracle Products: Execute arbitrary code/commands - Remote/unauthenticated

Date: 20 October 2009
References: ESB-2012.0841  ESB-2010.0485  ASB-2010.0168  ESB-2010.0677  ESB-2012.0544  ESB-2013.0566  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1109
           Oracle Critical Patch Update Advisory - October 2009
                              21 October 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Database 9i
                      Oracle Application Server 10g
                      Oracle Business Intelligence Enterprise Edition
                      Oracle E-Business Suite Release 12
                      Oracle E-Business Suite Release 11i
                      AutoVue, version 19.3
                      Agile Engineering Data Management (EDM)
                      PeopleSoft PeopleTools & Enterprise Portal
                      PeopleSoft Enterprise HCM (TAM)
                      JDEdwards Tools, version 8.98
                      Oracle WebLogic Server
                      Oracle WebLogic Portal
                      Oracle JRockit
                      Oracle Communications Order and Service Management
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2009-3409 CVE-2009-3408 CVE-2009-3407
                      CVE-2009-3406 CVE-2009-3405 CVE-2009-3404
                      CVE-2009-3403 CVE-2009-3402 CVE-2009-3401
                      CVE-2009-3400 CVE-2009-3399 CVE-2009-3397
                      CVE-2009-3396 CVE-2009-3395 CVE-2009-3393
                      CVE-2009-3392 CVE-2009-2676 CVE-2009-2675
                      CVE-2009-2674 CVE-2009-2673 CVE-2009-2672
                      CVE-2009-2671 CVE-2009-2670 CVE-2009-2625
                      CVE-2009-2002 CVE-2009-2001 CVE-2009-2000
                      CVE-2009-1999 CVE-2009-1998 CVE-2009-1997
                      CVE-2009-1995 CVE-2009-1994 CVE-2009-1993
                      CVE-2009-1992 CVE-2009-1991 CVE-2009-1990
                      CVE-2009-1985 CVE-2009-1979 CVE-2009-1972
                      CVE-2009-1971 CVE-2009-1965 CVE-2009-1964
                      CVE-2009-1018 CVE-2009-1007 CVE-2009-0217
Member content until: Friday, November 20 2009

OVERVIEW

        Oracle have published information regarding the October 2009 
        Critical Patch Update which contains 38 security fixes affecting 
        multiple Oracle products [1].


IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, the following information regarding CVSS 2.0 scoring and
        affected products is available from the Oracle site. [1]

        The highest CVSS 2.0 base score of vulnerabilities across all
        products is 10.0 (these vulnerabilities affect the Oracle Database
        and the BEA Product Suite).
                
        Oracle have also stated that 20 of these vulnerabilities are 
        remotely exploitable with no user authentication required. [1]
                    
        The following products are reported by Oracle as vulnerable:
        
         - Oracle Database 11g, version 11.1.0.7
         - Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
         - Oracle Database 10g, version 10.1.0.5
         - Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
         - Oracle Application Server 10g Release 3 (10.1.3), versions
           10.1.3.4.0, 10.1.3.5.0
         - Oracle Application Server 10g Release 2 (10.1.2), version
           10.1.2.3.0
         - Oracle Business Intelligence Enterprise Edition, versions
           10.1.3.4.0, 10.1.3.4.1
         - Oracle E-Business Suite Release 12, versions 12.0.6, 12.1
         - Oracle E-Business Suite Release 11i, version 11.5.10.2
         - AutoVue, version 19.3
         - Agile Engineering Data Management (EDM), version 6.1
         - PeopleSoft PeopleTools & Enterprise Portal, version 8.49
         - PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0
         - JDEdwards Tools, version 8.98
         - Oracle WebLogic Server 10.0 through MP1 and 10.3
         - Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3
         - Oracle WebLogic Server 8.1 through 8.1 SP5 
         - Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through
           9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3
           through 10.3.1
         - Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2)
         - Oracle Communications Order and Service Management, versions
           2.8.0, 6.2.0, 6.3.0 and 6.3.1
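
        A practical way to use the list above is to match it against an
        inventory of deployed versions. The following Python is an added
        example, not code from AusCERT or Oracle: it encodes the versions
        listed above for the products given as plain release numbers (plus
        the "R27.6.4 and earlier" bound for JRockit; the WebLogic Server and
        Portal maintenance-pack ranges are not encoded), pulls the release
        number out of a v$version banner line, and flags inventory entries
        that match. The host names and inventory entries are constructed
        for the example. A listed version is treated as a prefix of the
        observed one, because Oracle banners carry a fifth component
        (10.2.0.4.0) that the list omits; the same rule makes the listed
        "12.1" match 12.1.x, which errs toward flagging.

```python
"""Match deployed Oracle component versions against the affected-version
list in ASB-2009.1109 (added example; not AusCERT's or Oracle's code)."""
import re

# Versions the bulletin lists as vulnerable, transcribed per product.
# Only products listed with plain release numbers are encoded here.
AFFECTED = {
    "Oracle Database": ["11.1.0.7", "10.2.0.3", "10.2.0.4", "10.1.0.5",
                        "9.2.0.8", "9.2.0.8DV"],
    "Oracle Application Server": ["10.1.3.4.0", "10.1.3.5.0", "10.1.2.3.0"],
    "Oracle Business Intelligence Enterprise Edition": ["10.1.3.4.0", "10.1.3.4.1"],
    "Oracle E-Business Suite": ["12.0.6", "12.1", "11.5.10.2"],
    "AutoVue": ["19.3"],
    "Agile Engineering Data Management": ["6.1"],
    "PeopleSoft PeopleTools": ["8.49"],
    "JDEdwards Tools": ["8.98"],
}
# JRockit is listed as "R27.6.4 and earlier": an upper bound, not a set.
JROCKIT_LATEST_AFFECTED = "R27.6.4"


def parse_version(version):
    """Reduce '10.2.0.4.0', '9.2.0.8DV' or 'R27.6.4' to a tuple of ints so
    that prefix tests and ordering work; non-numeric parts are dropped."""
    components = tuple(int(part) for part in re.findall(r"\d+", version))
    if not components:
        raise ValueError(f"unparseable version: {version!r}")
    return components


def version_from_banner(banner):
    """Pull the release number out of a v$version banner line such as
    'Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production'."""
    match = re.search(r"Release\s+(\d+(?:\.\d+)+)", banner)
    return match.group(1) if match else None


def is_affected(product, version):
    """True if the version matches the bulletin's list for that product.
    A listed version is a prefix of the observed one, so the listed
    10.2.0.4 matches a banner's 10.2.0.4.0 (and 12.1 matches 12.1.x)."""
    observed = parse_version(version)
    if product == "Oracle JRockit":
        return observed <= parse_version(JROCKIT_LATEST_AFFECTED)
    for listed in AFFECTED.get(product, []):
        components = parse_version(listed)
        if observed[:len(components)] == components:
            return True
    return False


def triage(inventory):
    """Return the (host, product, version) entries that match the list."""
    return [entry for entry in inventory if is_affected(entry[1], entry[2])]


# Constructed inventory for the example; these hosts do not exist.
INVENTORY = [
    ("db01", "Oracle Database", version_from_banner(
        "Oracle Database 10g Enterprise Edition Release 10.2.0.4.0 - 64bit Production")),
    ("db02", "Oracle Database", "11.2.0.1.0"),   # not in the list
    ("db03", "Oracle Database", "9.2.0.8DV"),
    ("app01", "Oracle Application Server", "10.1.3.5.0"),
    ("jvm01", "Oracle JRockit", "R27.6.3"),
    ("jvm02", "Oracle JRockit", "R27.6.5"),      # newer than the bound
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} is in the affected list; verify patch level")
```

        A match means the host needs checking, not that it is unpatched:
        applying a Critical Patch Update does not change the release number
        shown in the banner, so a 10.2.0.4.0 database that already has the
        October 2009 CPU applied still matches. Confirm remediation from the
        applied-patch record (opatch lsinventory against the Oracle home,
        or the DBA_REGISTRY_HISTORY view for the database) rather than from
        the version string.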


MITIGATION

        Due to the threat posed by a successful attack, Oracle strongly
        recommends that customers apply fixes as soon as possible. [1]


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2009
            http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFK3kJcNVH5XJJInbgRAhNTAJ9Y5/g3RZit+ucx/LICpNn30CupBgCcDjyv
UMgKM8VhqTxxc6BI2NslqRA=
=ouh7
-----END PGP SIGNATURE-----