AL-2009.0027 -- [Win][UNIX/Linux] -- Oracle Critical Patch Update Pre-release Announcement for April 2009

Date: 22 April 2009
References: ESB-2009.0472  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2009.0027 -- AUSCERT ALERT
                             [Win][UNIX/Linux]
   Oracle Critical Patch Update Pre-release Announcement for April 2009
                               22 April 2009

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Database 9i
                      Oracle Audit Vault
                      Oracle Application Server 10g
                      Oracle Outside In SDK HTML Export
                      Oracle XML Publisher
                      Oracle BI Publisher
                      Oracle E-Business Suite
                      PeopleSoft Enterprise PeopleTools
                      PeopleSoft Enterprise HRMS
                      Oracle WebLogic Server
                      Oracle WebLogic Portal
                      Oracle Data Service Integrator
                      Oracle AquaLogic Data Services Platform
                      Oracle JRockit
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Access:               Remote/Unauthenticated
CVE Names:            CVE-2009-0972 CVE-2009-0973 CVE-2009-0974
                      CVE-2009-0975 CVE-2009-0976 CVE-2009-0977
                      CVE-2009-0978 CVE-2009-0979 CVE-2009-0980
                      CVE-2009-0981 CVE-2009-0982 CVE-2009-0983
                      CVE-2009-0984 CVE-2009-0985 CVE-2009-0986
                      CVE-2009-0988 CVE-2009-0989 CVE-2009-0990
                      CVE-2009-0991 CVE-2009-0992 CVE-2009-0993
                      CVE-2009-0994 CVE-2009-0995 CVE-2009-0996
                      CVE-2009-0997 CVE-2009-0998 CVE-2009-0999
                      CVE-2009-1000 CVE-2009-1001 CVE-2009-1002
                      CVE-2009-1003 CVE-2009-1004 CVE-2009-1005
                      CVE-2009-1006 CVE-2009-1008 CVE-2009-1009
                      CVE-2009-1010 CVE-2009-1011 CVE-2009-1012
                      CVE-2009-1013 CVE-2009-1014 CVE-2009-1016
                      CVE-2009-1017
Member content until: Wednesday, April 15 2009

Comment: Public exploit code now available for some of these vulnerabilities

Revision History:     April 22 2009: Updated Comment
                      April 16 2009: Added CVE References
                      April 14 2009: Initial Release

OVERVIEW:

       Oracle have published information regarding the April 2009 Critical
       Patch Update which will contain 43 security fixes affecting hundreds
       of Oracle products [1].


IMPACT:

       Specific impacts have not been published by Oracle at this time;
       however, the following information regarding CVSS 2.0 scoring and
       affected products is available from the Oracle site [1]:

       "The highest CVSS 2.0 base score of vulnerabilities across all 
       products is 10.0 (These vulnerabilities affect Oracle JRockit and 
       Oracle WebLogic Server)."

       Oracle have also stated that 15 of these vulnerabilities are
       remotely exploitable with no user authentication required [1].
    
       The following products are reported by Oracle as vulnerable:

       Oracle Database 11g, version 11.1.0.6, 11.1.0.7
       Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
       Oracle Database 10g, version 10.1.0.5
       Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
       Oracle Audit Vault, version 10.2.3
       Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
       Oracle Outside In SDK HTML Export 8.2.2, 8.3.0
       Oracle XML Publisher 5.6.2, 10.1.3.2, 10.1.3.2.1
       Oracle BI Publisher 10.1.3.3.0, 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3,
         10.1.3.4
       Oracle E-Business Suite Release 12, version 12.0.6
       Oracle E-Business Suite Release 11i, version 11.5.10.2
       PeopleSoft Enterprise PeopleTools versions: 8.49
       PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
       Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 
         9.2 through 9.2 MP3
       Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 through 8.1 
         SP6
       Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 through 7.0 
         SP7
       Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 through 
         10.0 MP1, 10.2 GA, 10.3 GA
       Oracle Data Service Integrator 10.3.0 and Oracle AquaLogic Data 
         Services Platform 3.2, 3.0.1, 3.0
       Oracle JRockit R27.6.2 and earlier (JDK/JRE 6, 5, 1.4.2)
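       The list above mixes two kinds of statement: exact releases (the
       Database, Audit Vault, Application Server and BI Publisher entries)
       and open-ended ranges such as "R27.6.2 and earlier" for JRockit.
       When checking a host inventory against it, the two must be matched
       differently, and a version string like "9.2.0.8DV" or "R27.6.2"
       must be normalised before comparison. The script below is an added
       example written for this page, not code from AusCERT or Oracle. The
       inventory it checks is constructed; its AFFECTED table is transcribed
       from the entries above whose versions are plain dotted numbers, and
       it does not model the WebLogic "9.2 through 9.2 MP3" style ranges.

```python
"""
Affected-version triage for the April 2009 CPU pre-release list (added
example, not AusCERT or Oracle code). Normalises version strings, applies
"exact release" and "this release and earlier" rules, and reports which
constructed inventory entries fall inside the listed versions.
"""
import re
from typing import List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'R27.6.2' -> (27, 6, 2); '9.2.0.8DV' -> (9, 2, 0, 8).

    Only numeric components are kept, so a leading 'R' or a trailing
    edition suffix does not defeat the comparison.
    """
    nums = re.findall(r"\d+", text)
    if not nums:
        raise ValueError(f"no numeric version in {text!r}")
    return tuple(int(n) for n in nums)


# (product, rule, version). "exact": that release is listed as affected.
# "max": that release and every earlier one ("R27.6.2 and earlier").
AFFECTED = [
    ("Oracle Database", "exact", "11.1.0.6"),
    ("Oracle Database", "exact", "11.1.0.7"),
    ("Oracle Database", "exact", "10.2.0.3"),
    ("Oracle Database", "exact", "10.2.0.4"),
    ("Oracle Database", "exact", "10.1.0.5"),
    ("Oracle Database", "exact", "9.2.0.8"),
    ("Oracle Audit Vault", "exact", "10.2.3"),
    ("Oracle Application Server", "exact", "10.1.2.3.0"),
    ("Oracle BI Publisher", "exact", "10.1.3.3.0"),
    ("Oracle BI Publisher", "exact", "10.1.3.3.1"),
    ("Oracle BI Publisher", "exact", "10.1.3.3.2"),
    ("Oracle BI Publisher", "exact", "10.1.3.3.3"),
    ("Oracle BI Publisher", "exact", "10.1.3.4"),
    ("Oracle JRockit", "max", "R27.6.2"),
]


def is_affected(product: str, version: str) -> bool:
    """True if (product, version) matches any rule in AFFECTED.

    A False result means "not on the list", not "safe": Oracle's list
    names the releases it patches, so an unlisted release should be
    checked for support status rather than assumed clean.
    """
    v = parse_version(version)
    for prod, rule, spec in AFFECTED:
        if prod != product:
            continue
        s = parse_version(spec)
        if rule == "exact" and v == s:
            return True
        if rule == "max" and v <= s:   # tuple comparison handles R27.6 <= R27.6.2
            return True
    return False


def triage(inventory: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) entries that need the CPU."""
    return [(h, p, v) for h, p, v in inventory if is_affected(p, v)]


# Constructed inventory (hostnames and versions are illustrative only).
INVENTORY = [
    ("db01", "Oracle Database", "10.2.0.4"),    # listed release
    ("db02", "Oracle Database", "10.2.0.5"),    # not on the list
    ("app01", "Oracle JRockit", "R27.6.0"),     # earlier than R27.6.2
    ("app02", "Oracle JRockit", "R27.6.3"),     # later than R27.6.2
    ("db03", "Oracle Database", "9.2.0.8DV"),   # suffix stripped -> 9.2.0.8
]

if __name__ == "__main__":
    for host, product, version in triage(INVENTORY):
        print(f"{host}: {product} {version} needs the April 2009 CPU")
```

       The "max" rule is the one that repays care: a tuple comparison
       such as (27, 6, 0) <= (27, 6, 2) is correct for "and earlier", but
       it will also accept a shorter tuple like (27, 6), so feed it fully
       qualified versions from your inventory tool rather than marketing
       names.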


MITIGATION:

       Administrators responsible for vulnerable products are advised to
       apply these patches as soon as practical after release. As noted in
       the Comment above, public exploit code is now available for some of
       these vulnerabilities, which makes prompt patching more urgent.


REFERENCES:

       [1] Oracle Critical Patch Update Pre-Release Announcement - 
           April 2009
           http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFJ7pQ6NVH5XJJInbgRAiowAJ41DVngQqGVwBim5m+RzD6hvWv/mQCfV0Wy
gO5zNhLTw8+SxxHYHpREIxo=
=9/NQ
-----END PGP SIGNATURE-----