Date: 20 July 2011
References: ASB-2010.0222.2 ASB-2011.0047 ESB-2011.0805 ESB-2011.1090.4 ESB-2012.0108
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2011.0059
Oracle has released updates which correct vulnerabilities in their products
20 July 2011
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Secure Backup
                      Oracle Fusion Middleware 11g
                      Oracle Application Server 10g
                      Oracle Business Intelligence Enterprise Edition
                      Oracle Identity Management 10g
                      Oracle JRockit
                      Oracle Outside In Technology
                      Oracle Enterprise Manager 10g Grid Control
                      Oracle Enterprise Manager 11g Grid Control
                      Oracle E-Business Suite Release 12
                      Oracle E-Business Suite Release 11i
                      Oracle Agile Technology Platform
                      Oracle PeopleSoft Enterprise FIN
                      Oracle PeopleSoft Enterprise FMS
                      Oracle PeopleSoft Enterprise FSCM
                      Oracle PeopleSoft Enterprise HRMS
                      Oracle PeopleSoft Enterprise SCM
                      Oracle PeopleSoft Enterprise PeopleTools
                      Oracle Sun Product Suite
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Reduced Security -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-2267 CVE-2011-2264 CVE-2011-2261
                      CVE-2011-2257 CVE-2011-2253 CVE-2011-2252
                      CVE-2011-2251 CVE-2011-2248 CVE-2011-2244
                      CVE-2011-2243 CVE-2011-2242 CVE-2011-2241
                      CVE-2011-2240 CVE-2011-2239 CVE-2011-2238
                      CVE-2011-2232 CVE-2011-2231 CVE-2011-2230
                      CVE-2011-0884 CVE-2011-0883 CVE-2011-0882
                      CVE-2011-0882 CVE-2011-0881 CVE-2011-0880
                      CVE-2011-0879 CVE-2011-0877 CVE-2011-0876
                      CVE-2011-0876 CVE-2011-0875 CVE-2011-0873
                      CVE-2011-0870 CVE-2011-0852 CVE-2011-0848
                      CVE-2011-0845 CVE-2011-0838 CVE-2011-0835
                      CVE-2011-0832 CVE-2011-0831 CVE-2011-0830
                      CVE-2011-0822 CVE-2011-0816 CVE-2011-0811
                      CVE-2010-1321
Member content until: Friday, August 19 2011
Reference:            ASB-2011.0047
                      ASB-2010.0222.2

OVERVIEW

Oracle has released updates which correct vulnerabilities in their
products. [1]

IMPACT

Specific impacts have not been published by Oracle at this time;
however, the following information regarding CVSS 2.0 scoring and
affected products is available from the Oracle site [1]. Several
products have a CVSS score of 10, the highest possible score.

Oracle states, "this Critical Patch Update contains 78 new security
fixes across all product families listed below." [1]

The following products are affected:
Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Oracle Database 10g Release 1, version 10.1.0.5
Oracle Secure Backup, version 10.3.0.3
Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
Oracle Application Server 10g Release 3, version 10.1.3.5.0
Oracle Application Server 10g Release 2, version 10.1.2.3.0
Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.1, 11.1.1.3
Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
Oracle JRockit, versions R27.6.9 and earlier (JDK/JRE 1.4.2, 5, 6), R28.1.3 and earlier (JDK/JRE 5, 6)
Oracle Outside In Technology, versions 8.3.2.0, 8.3.5.0
Oracle Enterprise Manager 10g Grid Control Release 1, version 10.1.0.6
Oracle Enterprise Manager 10g Grid Control Release 2, version 10.2.0.5
Oracle Enterprise Manager 11g Grid Control Release 1, version 11.1.0.1
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Agile Technology Platform, versions 9.3.0.3, 9.3.1.1
Oracle PeopleSoft Enterprise FIN, versions 9.0, 9.1
Oracle PeopleSoft Enterprise FMS, versions 9.0, 9.1
Oracle PeopleSoft Enterprise FSCM, versions 9.0, 9.1
Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51
Oracle Sun Product Suite

MITIGATION

Links to the appropriate patches are available at the Oracle
website. [1]

REFERENCES

[1] Oracle Critical Patch Update Advisory - July 2011
    http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
-----END PGP SIGNATURE-----