AusCERT - AL-2008.0008 -- [Win][UNIX/Linux] -- Oracle Critical Patch Update

HOME
About AusCERT
Membership
PKI Services
Training
Publications
Sec. Bulletins
Conferences
News & Media
Services
Web Log
Site Map
Site Help
Member login
AL-2008.0008 -- [Win][UNIX/Linux] -- Oracle Critical Patch Update - 26 vulnerabilities in Oracle
Date: 22 January 2008
References: ESB-2008.0066

Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2008.0008 -- AUSCERT ALERT
                             [Win][UNIX/Linux]
        Oracle Critical Patch Update - 26 vulnerabilities in Oracle
                              22 January 2008

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Oracle Database 11g, version 11.1.0.6
                      Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
                      Oracle Database 10g, version 10.1.0.5
                      Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
                      Oracle Database 9i, version 9.0.1.5 FIPS+
                      Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.3.0
                      Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
                      Oracle Application Server 10g (9.0.4), version 9.0.4.3
                      Oracle Application Server 9i Release 1, version 1.0.2.2
                      Oracle Collaboration Suite 10g, version 10.1.2
                      Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.3
                      Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
                      Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.48, 8.49
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact:               Execute Arbitrary Code/Commands
                      Denial of Service
                      Modify Arbitrary Files
                      Inappropriate Access
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-0349 CVE-2008-0348 CVE-2008-0347
                      CVE-2008-0346 CVE-2008-0345 CVE-2008-0344
                      CVE-2008-0343 CVE-2008-0342 CVE-2008-0341
                      CVE-2008-0340 CVE-2008-0339
Member content until: Wednesday, February 13 2008

Revision History:     January 22 2008: Added 11 CVE numbers
                      January 16 2008: Initial Release


OVERVIEW:

        Oracle has released a Critical Patch Update for January 2008 which
        fixes 26 security vulnerabilities. [1]

        Five vulnerabilities in Oracle Application Servers may be exploited
        by a remote unauthenticated attacker.

        Three vulnerabilities in Oracle E-Business Suite may be exploited
        by a remote unauthenticated attacker.

        One vulnerability in PeopleSoft and JD Edwards applications may 
        be exploited by a remote unauthenticated attacker.

        Vulnerabilities affect the following components:

            -  8 for Oracle Database
            -  6 for Oracle Application Server
            -  1 for Oracle Collaboration Suite
            -  7 for Oracle E-Business Suite applications
            -  4 for PeopleSoft and JD Edwards applications        
       

IMPACT:

       Full details of each of the 26 vulnerabilities and their impacts 
       have not yet been made public. 

       The Oracle advisory [1] gives broad indication only of the impact 
       of each vulnerability, with information on the access permissions 
       required by an attacker to exploit them.


MITIGATIONS:

       Oracle has released patches fixing these vulnerabilities. [1]


REFERENCES:

       [1] Oracle Critical Patch Update Advisory - January 2008 
           http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBR5VtOih9+71yA2DNAQJ/mQP/XFcicYVXFk4nOHEeDCybgr+aye/CTs+X
kRsOa/kIvNdlA1VbmYv4PCeSkQye1UDKOujE1/eyZVlHxtyS8Fjk03iBcgC/9Jin
RcX4/CdmnKb+hfeK3a1G0cNU8oGibkSCMj7MidV8RkvdaVDDyMYAjjSmEalj7B0Q
sNyCXFmG5AE=
=LcSg
-----END PGP SIGNATURE-----