Date: 19 October 2007
References: AU-2007.0023
===========================================================================
A U S C E R T A L E R T
AL-2007.0117 -- AUSCERT ALERT
[Win][UNIX/Linux]
Oracle Critical Patch Update Pre-Release Announcement for October 2007
19 October 2007
===========================================================================
AusCERT Alert Summary
---------------------
Product:            Oracle Database 10g
                    Oracle Database 9i
                    Oracle Application Server 10g
                    Oracle Collaboration Suite 10g
                    Oracle E-Business Suite Release 11i and 12
                    Oracle Enterprise Manager Database Control 10g
                    Oracle Enterprise Manager Grid Control 10g
                    Oracle PeopleSoft Enterprise PeopleTools
                    Oracle PeopleSoft Enterprise Human Capital Management
Operating System:   UNIX variants (UNIX, Linux, OSX)
                    Windows
Impact:             Execute Arbitrary Code/Commands
Access:             Remote/Unauthenticated
CVE Names:          CVE-2007-5504 CVE-2007-5505 CVE-2007-5506
                    CVE-2007-5507 CVE-2007-5508 CVE-2007-5509
                    CVE-2007-5510 CVE-2007-5511 CVE-2007-5512
                    CVE-2007-5513 CVE-2007-5514 CVE-2007-5515
                    CVE-2007-5516 CVE-2007-5517 CVE-2007-5518
Member content until: Tuesday, November 13 2007
Original Bulletin:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
Revision History:   October 19 2007: Added CVEs
                    October 16 2007: Initial Release
OVERVIEW:
Oracle have released information regarding patches for 51
vulnerabilities in "hundreds" of Oracle products.
IMPACT:
Oracle have released the following information [1] regarding the
impact of these vulnerabilities:
o Oracle Database: "This Critical Patch Update contains 27 new
security fixes for the Oracle Database. 5 of these vulnerabilities
may be remotely exploitable without authentication... None of
these fixes are applicable to Oracle Database client-only
installations..."
o Oracle Application Server: "This Critical Patch Update contains 11
new security fixes for Oracle Application Server. 7 of these
vulnerabilities may be remotely exploitable without
authentication... No new fixes are applicable for client-only
installations..."
o Oracle E-Business Suite and Applications: "This Critical Patch
Update contains 8 new security fixes for the Oracle E-Business
Suite. 1 of these vulnerabilities may be remotely exploited
without authentication..."
o Oracle Enterprise Manager: "This Critical Patch Update contains 2
new Oracle Enterprise Manager fixes. Both of these vulnerabilities
may be remotely exploited without authentication..."
o Oracle PeopleSoft Enterprise: "This Critical Patch Update contains
3 new security fixes for Oracle PeopleSoft Enterprise products.
None of the security vulnerabilities affecting Oracle PeopleSoft
Enterprise products may be remotely exploitable without
authentication..."
MITIGATION:
Install the patches included in the Critical Patch Update to correct
these vulnerabilities. The Critical Patch Update is scheduled for
release on Tuesday 16th October (US time).
REFERENCES:
1. Oracle Critical Patch Update Pre-Release Announcement - October 2007
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================