copyright
|
disclaimer
|
privacy
|
contact
HOME
About
AusCERT
Membership
Contact Us
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
Login »
Become a member »
Home
»
Security Bul...
»
By Operating...
»
UNIX (all)
»
BSD (all)
» AL-2009.0027 -- [Win][UNIX/Linux] -- Oracle Critical...
AL-2009.0027 -- [Win][UNIX/Linux] -- Oracle Critical Patch Update Pre-release Announcement for April 2009
Date:
22 April 2009
References
:
ESB-2009.0472
Click here for printable version
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 =========================================================================== A U S C E R T A L E R T AL-2009.0027 -- AUSCERT ALERT [Win][UNIX/Linux] Oracle Critical Patch Update Pre-release Announcement for April 2009 22 April 2009 =========================================================================== AusCERT Alert Summary --------------------- Product: Oracle Database 11g Oracle Database 10g Oracle Database 9i Oracle Audit Vault Oracle Application Server 10g Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server Oracle WebLogic Portal Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit Operating System: UNIX variants (UNIX, Linux, OSX) Windows Access: Remote/Unauthenticated CVE Names: CVE-2009-0972 CVE-2009-0973 CVE-2009-0974 CVE-2009-0975 CVE-2009-0976 CVE-2009-0977 CVE-2009-0978 CVE-2009-0979 CVE-2009-0980 CVE-2009-0981 CVE-2009-0982 CVE-2009-0983 CVE-2009-0984 CVE-2009-0985 CVE-2009-0986 CVE-2009-0988 CVE-2009-0989 CVE-2009-0990 CVE-2009-0991 CVE-2009-0992 CVE-2009-0993 CVE-2009-0994 CVE-2009-0995 CVE-2009-0996 CVE-2009-0997 CVE-2009-0998 CVE-2009-0999 CVE-2009-1000 CVE-2009-1001 CVE-2009-1002 CVE-2009-1003 CVE-2009-1004 CVE-2009-1005 CVE-2009-1006 CVE-2009-1008 CVE-2009-1009 CVE-2009-1010 CVE-2009-1011 CVE-2009-1012 CVE-2009-1013 CVE-2009-1014 CVE-2009-1016 CVE-2009-1017 Member content until: Wednesday, April 15 2009 Comment: Public exploit code now available for some of these vulnerabilities Revision History: April 22 2009: Updated Comment April 16 2009: Added CVE References April 14 2009: Initial Release OVERVIEW: Oracle have published information regarding the April 2009 Critical Patch Update which will contain 43 security fixes affecting hundreds of Oracle products [1]. IMPACT: Specific impacts have not been published by Oracle at this time however the following information regarding CVSS 2.0 scoring and affected products is available from the Oracle site [1]: "The highest CVSS 2.0 base score of vulnerabilities across all products is 10.0 (These vulnerabilities affect Oracle JRockit and Oracle WebLogic Server)." Oracle have also stated that 15 of these vulnerabilities are remotely exploitable with no user authentication required. [1] The following products are reported by Oracle as vulnerable: Oracle Database 11g, version 11.1.0.6, 11.1.0.7 Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4 Oracle Database 10g, version 10.1.0.5 Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV Oracle Audit Vault, version 10.2.3 Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0 Oracle Outside In SDK HTML Export 8.2.2, 8.3.0 Oracle XML Publisher 5.6.2, 10.1.3.2, 10.1.3.2.1 Oracle BI Publisher 10.1.3.3.0 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3, 10.1.3.4 Oracle E-Business Suite Release 12, version 12.0.6 Oracle E-Business Suite Release 11i, version 11.5.10.2 PeopleSoft Enterprise PeopleTools versions: 8.49 PeopleSoft Enterprise HRMS versions: 8.9 and 9.0 Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3 Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 through 8.1 SP6 Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 through 7.0 SP7 Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 through 10.0 MP1, 10.2 GA, 10.3 GA Oracle Data Service Integrator 10.3.0 and Oracle AquaLogic Data Services Platform 3.2, 3.0.1, 3.0 Oracle JRockit R27.6.2 and earlier (JDK/JRE 6, 5, 1.4.2 MITIGATION: Administrators responsible for vulnerable products are advised to apply these patches as soon as practical after release. REFERENCES: [1] Oracle Critical Patch Update Pre-Release Announcement - April 2009 http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html AusCERT has made every effort to ensure that the information contained in this document is accurate. However, the decision to use the information described is the responsibility of each user or organisation. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at: http://www.auscert.org.au/render.html?it=3192 =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iD8DBQFJ7pQ6NVH5XJJInbgRAiowAJ41DVngQqGVwBim5m+RzD6hvWv/mQCfV0Wy gO5zNhLTw8+SxxHYHpREIxo= =9/NQ -----END PGP SIGNATURE-----
Comments? Click here
http://www.auscert.org.au/render.html?cid=37&it=10800