Date: 14 July 2010
References: ESB-2010.0633 ASB-2009.1013 ASB-2009.1109 ASB-2009.1125.2 ASB-2009.1143 ASB-2009.1156 ASB-2010.0046 ASB-2010.0073 ASB-2010.0093.2 ASB-2010.0112 ASB-2010.0122 ASB-2010.0132 ESB-2010.0616 ESB-2010.0619.2 ESB-2010.0660 ESB-2010.0674 ESB-2010.0857 ASB-2010.0222.2 ASB-2010.0225 ESB-2011.0167.3 ASB-2011.0077 ESB-2012.0336
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2010.0168
Oracle Critical Patch Update Advisory - July 2010
14 July 2010
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Oracle Database 11g, 10g, 9i
                      Oracle TimesTen In-Memory Database
                      Oracle Secure Backup
                      Oracle Application Server
                      Oracle Identity Management 10g
                      Oracle WebLogic Server 11g, 10g, 10, 9, 8.1, 7
                      Oracle JRockit R28, R27
                      Oracle Business Process Management
                      Oracle Enterprise Manager Grid Control 10g
                      Oracle E-Business Suite Release 12, 11i
                      Oracle Transportation Manager
                      PeopleSoft Enterprise Campus Solutions
                      PeopleSoft Enterprise PeopleTools
                      PeopleSoft Enterprise CRM
                      PeopleSoft Enterprise FSCM
                      PeopleSoft Enterprise HCM
                      Oracle Sun Product Suite
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
                      Solaris
Impact/Access:        Unknown/Unspecified -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-2403 CVE-2010-2402 CVE-2010-2401
                      CVE-2010-2400 CVE-2010-2399 CVE-2010-2398
                      CVE-2010-2397 CVE-2010-2394 CVE-2010-2393
                      CVE-2010-2392 CVE-2010-2386 CVE-2010-2385
                      CVE-2010-2384 CVE-2010-2383 CVE-2010-2382
                      CVE-2010-2381 CVE-2010-2380 CVE-2010-2379
                      CVE-2010-2378 CVE-2010-2377 CVE-2010-2376
                      CVE-2010-2375 CVE-2010-2374 CVE-2010-2373
                      CVE-2010-2372 CVE-2010-2371 CVE-2010-2370
                      CVE-2010-0916 CVE-2010-0915 CVE-2010-0914
                      CVE-2010-0913 CVE-2010-0912 CVE-2010-0911
                      CVE-2010-0910 CVE-2010-0909 CVE-2010-0908
                      CVE-2010-0907 CVE-2010-0906 CVE-2010-0905
                      CVE-2010-0904 CVE-2010-0903 CVE-2010-0902
                      CVE-2010-0901 CVE-2010-0900 CVE-2010-0899
                      CVE-2010-0898 CVE-2010-0892 CVE-2010-0873
                      CVE-2010-0849 CVE-2010-0848 CVE-2010-0847
                      CVE-2010-0846 CVE-2010-0844 CVE-2010-0843
                      CVE-2010-0842 CVE-2010-0841 CVE-2010-0840
                      CVE-2010-0839 CVE-2010-0838 CVE-2010-0837
                      CVE-2010-0836 CVE-2010-0835 CVE-2010-0095
                      CVE-2010-0094 CVE-2010-0092 CVE-2010-0091
                      CVE-2010-0088 CVE-2010-0087 CVE-2010-0085
                      CVE-2010-0084 CVE-2010-0083 CVE-2010-0081
                      CVE-2009-3764 CVE-2009-3763 CVE-2009-3762
                      CVE-2009-3555 CVE-2009-0217 CVE-2008-4247
Member content until: Friday, August 13 2010
Reference:            ASB-2010.0132
                      ASB-2010.0122
                      ASB-2010.0112
                      ASB-2010.0093.2
                      ASB-2010.0073
                      ASB-2010.0046
                      ASB-2009.1156
                      ASB-2009.1143
                      ASB-2009.1125.2
                      ASB-2009.1109
                      ASB-2009.1013
OVERVIEW
Oracle have published information regarding the July 2010 Critical
Patch Update which will contain 59 security fixes affecting many
Oracle products [1].
IMPACT
Specific impacts have not been published by Oracle at this time;
however, information regarding CVSS 2.0 scoring and affected products
is available from the Oracle site [1].
The following software is affected:
* Oracle Database 11g Release 2, version 11.2.0.1
* Oracle Database 11g Release 1, version 11.1.0.7
* Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle TimesTen In-Memory Database, versions 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
* Oracle Secure Backup version 10.3.0.1
* Oracle Application Server, 10gR2, version 10.1.2.3.0
* Oracle Identity Management 10g, version 10.1.4.0.1
* Oracle WebLogic Server 11gR1 releases (10.3.1, 10.3.2 and 10.3.3)
* Oracle WebLogic Server 10gR3 release (10.3.0)
* Oracle WebLogic Server 10.0 through MP2
* Oracle WebLogic Server 9.0, 9.1, 9.2 through MP3
* Oracle WebLogic Server 8.1 through SP6
* Oracle WebLogic Server 7.0 through SP7
* Oracle JRockit R28.0.0 and earlier (JDK/JRE 5 and 6)
* Oracle JRockit R27.6.6 and earlier (JDK/JRE 1.4.2, 5 and 6)
* Oracle Business Process Management, versions 5.7.3, 6.0.5, 10.3.1, 10.3.2
* Oracle Enterprise Manager Grid Control 10g Release 5, version 10.2.0.5
* Oracle Enterprise Manager Grid Control 10g Release 1, version 10.1.0.6
* Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
* Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
* Oracle Transportation Manager, versions 5.5.05.07, 5.5.06.00, 6.0.03
* PeopleSoft Enterprise Campus Solutions, version 9.0
* PeopleSoft Enterprise CRM, versions 9.0 and 9.1
* PeopleSoft Enterprise FSCM, versions 8.9, 9.0 and 9.1
* PeopleSoft Enterprise HCM, versions 8.9, 9.0 and 9.1
* PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
* Oracle Sun Product Suite
MITIGATION
Administrators responsible for vulnerable products are advised to
apply these patches as soon as practical.
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2010
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2010.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFMPQq7/iFOrG6YcBERAsTkAKC+7UZcd0xGw+yFjr52y5KnXkM80ACbBxWW
NYECxDgR/QbEcZW6yp5Quvw=
=+mp0
-----END PGP SIGNATURE-----