Date: 14 April 2010
References: ESB-2010.0359 ESB-2010.0360 ESB-2010.0362 ESB-2010.0363 ESB-2010.0489 ESB-2010.0490
Related Files:
ASB-2010.0100
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2010.0100.2
Oracle Critical Patch Update Pre-release Announcement for April 2010
14 April 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Oracle Database 11g, 10g and 9i
                      Oracle Application Server 10gR2
                      Oracle Identity Management 10g
                      Oracle Collaboration Suite 10g
                      Oracle E-Business Suite Release 12 and 11i
                      Oracle Transportation Manager
                      Oracle Agile - Engineering Data Management
                      PeopleSoft Enterprise PeopleTools
                      Oracle Communications Unified Inventory Management
                      Oracle Clinical Remote Data Capture Option
                      Oracle Thesaurus Management System
                      Oracle Retail Markdown Optimization
                      Oracle Retail Place In-Season
                      Oracle Retail Plan In-Season
                      Oracle Sun Products Suite
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Solaris
Impact/Access:        Unknown/Unspecified -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-0086 CVE-2010-0851 CVE-2010-0852
                      CVE-2010-0853 CVE-2010-0854 CVE-2010-0855
                      CVE-2010-0856 CVE-2010-0857 CVE-2010-0858
                      CVE-2010-0859 CVE-2010-0860 CVE-2010-0861
                      CVE-2010-0862 CVE-2010-0863 CVE-2010-0864
                      CVE-2010-0865 CVE-2010-0866 CVE-2010-0867
                      CVE-2010-0868 CVE-2010-0869 CVE-2010-0870
                      CVE-2010-0871 CVE-2010-0872 CVE-2010-0874
                      CVE-2010-0875 CVE-2010-0876 CVE-2010-0877
                      CVE-2010-0878 CVE-2010-0879 CVE-2010-0880
                      CVE-2010-0882 CVE-2010-0883 CVE-2010-0884
                      CVE-2010-0885 CVE-2010-0888 CVE-2010-0889
                      CVE-2010-0890 CVE-2010-0893 CVE-2010-0894
                      CVE-2010-0895 CVE-2010-0896 CVE-2010-0897
Member content until: Thursday, May 13 2010
Revision History:     April 14 2010: Added CVE references
                      April 13 2010: Initial Release
OVERVIEW
Oracle have published information regarding the April 2010 Critical
Patch Update which will contain 47 security fixes affecting hundreds
of Oracle products [1].
IMPACT
Specific impacts have not been published by Oracle at this time;
however, the following information regarding CVSS 2.0 scoring and
affected products is available from the Oracle site [1]:
"The highest CVSS 2.0 base score for vulnerabilities in this Critical
Patch Update is 10.0 for a vulnerability affecting Sun Ray Server
Software for Solaris."
Oracle have also stated that 28 of these vulnerabilities are
remotely exploitable with no user authentication required [1].
The following products are reported by Oracle as vulnerable:
Oracle Database 11g, version 11.1.0.7, 11.2.0.1
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
Oracle Database 10g, version 10.1.0.5
Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
Oracle Application Server 10gR2, version 10.1.2.3.0
Oracle Identity Management 10g, version 10.1.4.0.1 and 10.1.4.3
Oracle Collaboration Suite 10g, version 10.1.2.4
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
Oracle Transportation Manager, versions 5.5.05.07, 5.5.06.00, 6.0.03
Oracle Agile - Engineering Data Management, Version 6.1.1.0
PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
Oracle Communications Unified Inventory Management version 7.1
Oracle Clinical Remote Data Capture Option 4.5.3, 4.6
Oracle Thesaurus Management System 4.5.2, 4.6, 4.6.1
Oracle Retail Markdown Optimization version 13.1
Oracle Retail Place In-Season version 12.2
Oracle Retail Plan In-Season version 12.2
Oracle Sun Products Suite
MITIGATION
Administrators responsible for vulnerable products are advised to
apply these patches as soon as practical after release.
REFERENCES
[1] Oracle Critical Patch Update Pre-Release Announcement - April 2010
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFLxUUW/iFOrG6YcBERAir7AKCGgfh/xKFv8GpJwRHvsRHvVKSDegCg1CBo
7EQSJXgMxTBNh2yMNDGV2Zw=
=/yaT
-----END PGP SIGNATURE-----