ASB-2011.0031 - ALERT [Win][UNIX/Linux] Oracle Products: Reduced security - Remote/unauthenticated

Date: 21 April 2011
References: ESB-2011.0498 ESB-2011.0526 ESB-2011.0647 ESB-2011.0761 ESB-2011.1084 ESB-2011.1090.4 ESB-2011.1177 ESB-2012.0108 ESB-2012.0336 ESB-2012.0340 ESB-2012.0423 ESB-2012.0474 ESB-2012.1005 ESB-2013.0498

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2011.0031
            Oracle Critical Patch Update Advisory - April 2011
                               21 April 2011

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Fusion Middleware 11g
                      Oracle Application Server 10g
                      Oracle Identity Management 10g
                      Oracle JRockit
                      Oracle Outside In Technology
                      Oracle WebLogic Server
                      Oracle E-Business Suite Release 12
                      Oracle E-Business Suite Release 11i
                      Oracle Agile Technology Platform
                      Oracle PeopleSoft Enterprise
                      Oracle JD Edwards
                      Oracle Siebel CRM Core
                      Oracle InForm
                      Oracle Sun Product Suite
                      Oracle Open Office
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Reduced Security -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-0861 CVE-2011-0860 CVE-2011-0859
                      CVE-2011-0858 CVE-2011-0857 CVE-2011-0856
                      CVE-2011-0855 CVE-2011-0854 CVE-2011-0853
                      CVE-2011-0851 CVE-2011-0850 CVE-2011-0849
                      CVE-2011-0847 CVE-2011-0846 CVE-2011-0844
                      CVE-2011-0843 CVE-2011-0841 CVE-2011-0840
                      CVE-2011-0839 CVE-2011-0837 CVE-2011-0836
                      CVE-2011-0834 CVE-2011-0833 CVE-2011-0829
                      CVE-2011-0828 CVE-2011-0827 CVE-2011-0826
                      CVE-2011-0825 CVE-2011-0824 CVE-2011-0823
                      CVE-2011-0821 CVE-2011-0820 CVE-2011-0819
                      CVE-2011-0818 CVE-2011-0813 CVE-2011-0812
                      CVE-2011-0810 CVE-2011-0809 CVE-2011-0808
                      CVE-2011-0807 CVE-2011-0806 CVE-2011-0805
                      CVE-2011-0804 CVE-2011-0803 CVE-2011-0801
                      CVE-2011-0800 CVE-2011-0799 CVE-2011-0798
                      CVE-2011-0797 CVE-2011-0796 CVE-2011-0795
                      CVE-2011-0794 CVE-2011-0793 CVE-2011-0792
                      CVE-2011-0791 CVE-2011-0790 CVE-2011-0789
                      CVE-2011-0787 CVE-2011-0785 CVE-2011-0412
                      CVE-2011-0411 CVE-2010-4643 CVE-2010-4476
                      CVE-2010-4473 CVE-2010-4472 CVE-2010-4471
                      CVE-2010-4470 CVE-2010-4468 CVE-2010-4465
                      CVE-2010-4462 CVE-2010-4454 CVE-2010-4452
                      CVE-2010-4450 CVE-2010-4448 CVE-2010-4253
                      CVE-2010-3689 CVE-2010-3454 CVE-2010-3453
                      CVE-2010-3452 CVE-2010-3451 CVE-2010-3450
                      CVE-2009-3555  
Member content until: Saturday, May 21 2011

OVERVIEW

        Oracle has released updates which correct vulnerabilities in their
        products. [1]


IMPACT

        Oracle has not published specific impact details at this time;
        CVSS 2.0 base scores for each fix and the list of affected products
        are available from the Oracle advisory [1]. Several of the fixes
        address vulnerabilities with a CVSS base score of 10.0, the highest
        possible, which under CVSS 2.0 means remotely exploitable, no
        authentication required, and complete loss of confidentiality,
        integrity and availability.
        
        Oracle states, "this Critical Patch Update contains 73 new security 
        fixes across all product families listed below." [1]
        
        The following products are affected:
        
           Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2 
           Oracle Database 11g Release 1, version 11.1.0.7 
           Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 
           Oracle Database 10g Release 1, version 10.1.0.5 
           Oracle Fusion Middleware 11g Release 1, versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0 
           Oracle Application Server 10g Release 3, version 10.1.3.5.0 
           Oracle Application Server 10g Release 2, version 10.1.2.3.0 
           Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3 
           Oracle JRockit, versions R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6), R28.1.1 and earlier (JDK/JRE 5, 6) 
           Oracle Outside In Technology, versions 8.3.2.0, 8.3.5.0 
           Oracle WebLogic Server, versions 8.1.6, 9.2.3, 9.2.4, 10.0.2, 11gR1 (10.3.2, 10.3.3, 10.3.4) 
           Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3 
           Oracle E-Business Suite Release 11i, version 11.5.10.2 
           Oracle Agile Technology Platform, versions 9.3.0.2, 9.3.1 
           Oracle PeopleSoft Enterprise CRM, version 8.9 
           Oracle PeopleSoft Enterprise ELS, versions 9.0, 9.1 
           Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1 
           Oracle PeopleSoft Enterprise Portal, versions 8.8, 8.9, 9.0, 9.1 
           Oracle PeopleSoft Enterprise People Tools, versions 8.49, 8.50, 8.51 
           Oracle JD Edwards OneWorld Tools, version 24.1.x 
           Oracle JD Edwards EnterpriseOne Tools, version 8.98.x 
           Oracle Siebel CRM Core, versions 7.8.2, 8.0.0, 8.1.1 
           Oracle InForm, versions 4.5, 4.6, 5.0 
           Oracle Sun Product Suite  
           Oracle Open Office, version 3 and StarOffice/StarSuite, versions 7, 8
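
        Matching an inventory of installed versions against the affected
        versions listed above, as an added example that is not part of this
        bulletin and not AusCERT or Oracle tooling. Product names are
        normalised to a family name (for example "Oracle Database" for both
        10g and 11g), the sample inventory is constructed, and reading
        "R27.6.8 and earlier" as any release in the same major line up to and
        including that version is an assumption.

```python
"""Check an inventory of installed Oracle product versions against the
affected versions transcribed in ASB-2011.0031 (April 2011 CPU).

Added example, not AusCERT or Oracle code.  Affected versions are copied from
the bulletin; product names are normalised to a family name; the inventory
at the bottom is constructed sample data.
"""
import re
from typing import Iterable

# Affected versions from the bulletin's IMPACT section.  A plain string is an
# exact version; "<=X" means X and earlier within the same major line (an
# assumption about how "and earlier" is meant); a trailing ".x" means any
# patch level of that release.
AFFECTED = {
    "Oracle Database": [
        "11.2.0.1", "11.2.0.2", "11.1.0.7",
        "10.2.0.3", "10.2.0.4", "10.2.0.5", "10.1.0.5",
    ],
    "Oracle Fusion Middleware": ["11.1.1.2.0", "11.1.1.3.0", "11.1.1.4.0"],
    "Oracle WebLogic Server": [
        "8.1.6", "9.2.3", "9.2.4", "10.0.2", "10.3.2", "10.3.3", "10.3.4",
    ],
    "Oracle JRockit": ["<=R27.6.8", "<=R28.1.1"],
    "Oracle Outside In Technology": ["8.3.2.0", "8.3.5.0"],
    "Oracle JD Edwards OneWorld Tools": ["24.1.x"],
    "Oracle JD Edwards EnterpriseOne Tools": ["8.98.x"],
}

_VERSION_RE = re.compile(r"\s*R?(\d+(?:\.\d+)*)")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn a version string into a comparable tuple of integers.

    Accepts the forms seen in Oracle inventories: "11.2.0.2.0" (OPatch style)
    and "R28.1.1-14-139783-1.6.0_22" (JRockit; the leading R and the build
    suffix are dropped).  Trailing zero components are stripped so that
    "11.2.0.2.0" and "11.2.0.2" compare equal.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def matches(installed: str, rule: str) -> bool:
    """True if an installed version string falls under one affected-version rule."""
    v = parse_version(installed)
    if rule.startswith("<="):
        bound = parse_version(rule[2:])
        # Same major line, at or below the bound: R27.6.9 is not caught by
        # "<=R28.1.1" even though a plain tuple comparison would say it is.
        return v[0] == bound[0] and v <= bound
    if rule.endswith(".x"):
        prefix = parse_version(rule[:-2])
        return v[: len(prefix)] == prefix
    return v == parse_version(rule)


def affected_in(inventory: Iterable[tuple[str, str]]) -> list[tuple[str, str, str]]:
    """Return (product, installed version, matching rule) for each affected entry."""
    hits = []
    for product, version in inventory:
        for rule in AFFECTED.get(product, []):
            if matches(version, rule):
                hits.append((product, version, rule))
                break
    return hits


# Constructed sample inventory, not taken from any real system.
SAMPLE_INVENTORY = [
    ("Oracle Database", "11.2.0.2.0"),
    ("Oracle Database", "11.2.0.3.0"),
    ("Oracle WebLogic Server", "10.3.4"),
    ("Oracle JRockit", "R28.1.1-14-139783-1.6.0_22"),
    ("Oracle JRockit", "R27.6.9-18_o-125824-1.6.0_14"),
    ("Oracle JD Edwards EnterpriseOne Tools", "8.98.4.2"),
    ("Oracle Outside In Technology", "8.3.7.0"),
    ("Oracle Fusion Middleware", "11.1.1.4.0"),
]

if __name__ == "__main__":
    for product, version, rule in affected_in(SAMPLE_INVENTORY):
        print(f"AFFECTED  {product} {version}  (matches {rule})")
```

        The per-major-line handling of "and earlier" matters for JRockit:
        R27.6.9 is later than R27.6.8 but earlier than R28.1.1 in a naive
        comparison, and treating it as affected would send an already
        patched R27 installation back for re-patching. Products the
        bulletin lists without versions (Oracle Sun Product Suite) are
        deliberately absent from the table and must be checked by hand.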


MITIGATION

        Apply the April 2011 Critical Patch Update for each affected product;
        links to the appropriate patches are available at the Oracle website [1].
        Oracle Critical Patch Updates are usually cumulative, so a system that
        has missed earlier CPUs is brought up to date by applying this one.


REFERENCES

        [1] Oracle Critical Patch Update Advisory - April 2011
            http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: https://www.auscert.org.au/1967

iD8DBQFNr8dc/iFOrG6YcBERAqgnAKCh/N15nwi64BsEiH3zNvdyi0G93gCgxMSq
FgNEx3VXDxOE8Ubi+kyvZOc=
=clFP
-----END PGP SIGNATURE-----