Date: 13 January 2009
References: AU-2009.0004
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2009.0001 -- AUSCERT ALERT
[Win][UNIX/Linux]
Oracle Critical Patch Update Pre-Release Notification
14 January 2009
===========================================================================
AusCERT Alert Summary
---------------------
Product: Oracle Database 11g
Oracle Database 10g
Oracle Database 9i
Oracle Secure Backup
Oracle TimesTen In-Memory Database
Oracle Application Server
Oracle Collaboration Suite 10g
Oracle E-Business Suite
Oracle Enterprise Manager Grid Control 10g
PeopleSoft Enterprise HRMS
JD Edwards Tools
Oracle WebLogic Server
Oracle WebLogic Portal
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Access: Remote/Unauthenticated
CVE Names: CVE-2008-2623 CVE-2008-3973 CVE-2008-3974
CVE-2008-3978 CVE-2008-3979 CVE-2008-3981
CVE-2008-3997 CVE-2008-3999 CVE-2008-4006
CVE-2008-4007 CVE-2008-4014 CVE-2008-4015
CVE-2008-4016 CVE-2008-4017 CVE-2008-5436
CVE-2008-5437 CVE-2008-5438 CVE-2008-5439
CVE-2008-5440 CVE-2008-5441 CVE-2008-5442
CVE-2008-5443 CVE-2008-5444 CVE-2008-5445
CVE-2008-5446 CVE-2008-5447 CVE-2008-5448
CVE-2008-5449 CVE-2008-5450 CVE-2008-5451
CVE-2008-5452 CVE-2008-5454 CVE-2008-5455
CVE-2008-5456 CVE-2008-5457 CVE-2008-5458
CVE-2008-5459 CVE-2008-5460 CVE-2008-5461
CVE-2008-5462 CVE-2008-5463
Member content until: Wednesday, February 11 2009
Revision History: January 14 2009: Added CVE References
January 13 2009: Initial Release
OVERVIEW:
Oracle have published information regarding the January 2009 Critical
Patch Update which will contain 41 security fixes affecting hundreds
of Oracle products [1].
IMPACT:
Specific impacts have not been published by Oracle at this time
however the following information regarding CVSS 2.0 scoring and
affected products is available from the Oracle site [1]:
"The highest CVSS 2.0 base score of vulnerabilities across all
products is 10.0 (These vulnerabilities affect Oracle Secure Backup
and WebLogic Server Plugin for Apache, Sun and IIS Web servers)."
Oracle have also stated that 17 of these vulnerabilities are
remotely exploitable with no user authentication required. [1]
The following products are reported by Oracle as vulnerable:
Oracle Database 11g, version 11.1.0.6
Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
Oracle Database 10g, version 10.1.0.5
Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
Oracle Secure Backup version 10.2.0.2, 10.2.0.3
Oracle Secure Backup version 10.1.0.1, 10.1.0.2, 10.1.0.3
Oracle TimesTen In-Memory Database version 7.0.5.1.0, 7.0.5.2.0,
7.0.5.3.0, 7.0.5.4.0
Oracle Application Server 10g Release 3 (10.1.3), version 10.1.3.3.0
Oracle Application Server 10g Release 2 (10.1.2), versions
10.1.2.2.0, 10.1.2.3.0
Oracle Collaboration Suite 10g, version 10.1.2
Oracle E-Business Suite Release 12, version 12.0.6
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Enterprise Manager Grid Control 10g Release 4, version
10.2.0.4
PeopleSoft Enterprise HRMS versions 8.9, 9.0 and 9.1
JD Edwards Tools version 8.97
Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released
through MP1, 10.3 GA
Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA,
9.2 released through MP3
Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released
through SP6
Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released
through SP7
Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released
through MP1, 10.2 GA, 10.3 GA
Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released
through MP3
Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released
through SP6
MITIGATION:
Administrators responsible for vulnerable products are advised to
apply these patches as soon as practical after release.
REFERENCES:
[1] Oracle Critical Patch Update Pre-Release Announcement -
January 2009
http://www.oracle.com/technology/deplot/security/critical-patch-updates/cpujan2009.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSW0vsSh9+71yA2DNAQIpWwP/SZBKmsB9lK/vKtMktZdT7lp4HNrvMdgq
kX/lBE5jxC21XCOfh4nqVpJql/UiRRiI1+JKh9ss3IGfip0prLTe87oL3uUdddLY
u6RKSvKt6jrB/BguzllOVEm44O+uR0p38j2EgO8d0fy3Zn2BD2PIzeYYLo/VdmTG
gOzIS8dFtzc=
=sNqn
-----END PGP SIGNATURE-----
|