Date: 16 June 2008
References: ESB-2008.0405
Click here for printable version
Click here for PGP verifiable version
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
A U S C E R T A L E R T
AL-2008.0047 -- AUSCERT ALERT
[Win][UNIX/Linux]
Oracle Critical Patch Update Pre-Release Notification
16 June 2008
===========================================================================
AusCERT Alert Summary
---------------------
Product: Oracle Database 11g
Oracle Database 10g Release 2
Oracle Database 10g
Oracle Database 9i Release 2
Oracle Application Server 10g Release 3 (10.1.3)
Oracle Application Server 10g Release 2 (10.1.2)
Oracle Application Server 10g (9.0.4)
Oracle Collaboration Suite 10g
Oracle E-Business Suite Release 12
Oracle E-Business Suite Release 11i
Oracle PeopleSoft Enterprise PeopleTools
Oracle PeopleSoft Enterprise HCM
Oracle Siebel SimBuilder
Publisher: Oracle
Operating System: UNIX variants (UNIX, Linux, OSX)
Windows
Access: Remote/Unauthenticated
CVE Names: CVE-2008-1830 CVE-2008-1829 CVE-2008-1828
CVE-2008-1827 CVE-2008-1826 CVE-2008-1825
CVE-2008-1824 CVE-2008-1823 CVE-2008-1822
CVE-2008-1821 CVE-2008-1820 CVE-2008-1819
CVE-2008-1818 CVE-2008-1817 CVE-2008-1816
CVE-2008-1815 CVE-2008-1814 CVE-2008-1813
CVE-2008-1812 CVE-2008-1811
Original Bulletin:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Comment: If you downloaded the patch for Application Server HP-UX PA-RISC
10.1.2.0.2 (Patch 6867338), you will need to re-download and
re-apply the latest patch as a bug has been reported by Oracle in
the original patch.
"Reports failures reported when reports jobs are sent to the server.
Errors reported include REP-52251: Cannot get output of job ID XX
REP-51026: No output for job."
Oracle have published information regarding the April 2008 Critical
Patch Update which will contain 41 security fixes affecting hundreds
of Oracle products.
Revision History: June 16 2008: Added comment about new patch for HP-UX
April 18 2008: CVE Added
April 18 2008: CVE Added
April 14 2008: Initial Release
OVERVIEW:
Oracle have published information regarding the April 2008 Critical
Patch Update which will contain 41 security fixes affecting hundreds
of Oracle products [1].
IMPACT:
Specific impacts have not been published by Oracle at this time however
the following information regarding CVSS 2.0 scoring and affected
products is available from the Oracle site [1]:
"The highest CVSS 2.0 base score of vulnerabilities across all products
is 6.6 for servers and 9.3 for Application Server clients."
Oracle have also stated that 16 of these vulnerabilities are remotely
exploitable with no user authentication required. [1]
The following products are reported by Oracle as vulnerable:
* Oracle Database 11g, version 11.1.0.6
* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 3 (10.1.3), versions
10.1.3.1.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions
10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle Collaboration Suite 10g, version 10.1.2
* Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.4
* Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22.19, 8.48.16,
8.49.09
* Oracle PeopleSoft Enterprise HCM versions 8.8 SP1, 8.9, 9.0
* Oracle Siebel SimBuilder versions 7.8.2, 7.8.5
MITIGATION:
Administrators responsible for vulnerable products are advised to apply
these patches as soon as practical after release.
REFERENCES:
[1] Oracle Critical Patch Update Pre-Release Announcement - April 2008
http://www.oracle.com/technology/deplot/security/critical-patch-updates/cpuapr2008.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBSFXdOCh9+71yA2DNAQKxrgP/QWONgjVnu2frnixKr0xGIKbT7My6ObsF
6I197E0zSMEv8ZqAIEMelvoCY904wd0EyQ7/IunpzJJRmNpbYk9j9mBqn0Qm+EJL
SC4jgAyfQw+amueKXHl9AUqzywpeDSF6EUg6w2lm850leXLGqF5qn8kyp7bV8lJk
ZD1C+UoW+Hs=
=SRFO
-----END PGP SIGNATURE-----
|