AL-2008.0106 -- [Win][UNIX/Linux] -- Oracle Critical Patch Update Advisory - October 2008

Date: 15 October 2008


===========================================================================
A  U  S  C  E  R  T                                           A  L  E  R  T

                       AL-2008.0106 -- AUSCERT ALERT
                             [Win][UNIX/Linux]
           Oracle Critical Patch Update Advisory - October 2008
                              15 October 2008

===========================================================================

        AusCERT Alert Summary
        ---------------------

Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Database 9i
                      Oracle Application Server 10g
                      Oracle E-Business Suite Release 12
                      Oracle E-Business Suite Release 11i
                      Oracle PeopleSoft Enterprise PeopleTools
                      Oracle PeopleSoft Enterprise Portal
                      Oracle JD Edwards EnterpriseOne Tools
                      Oracle WebLogic Server 6 to 10
                      Oracle Workshop for WebLogic 8 to 10
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
Impact:               Execute Arbitrary Code/Commands
Access:               Remote/Unauthenticated
CVE Names:            CVE-2008-4013 CVE-2008-4012 CVE-2008-4011
                      CVE-2008-4010 CVE-2008-4009 CVE-2008-4008
                      CVE-2008-4005 CVE-2008-4004 CVE-2008-4003
                      CVE-2008-4002 CVE-2008-4001 CVE-2008-4000
                      CVE-2008-3998 CVE-2008-3996 CVE-2008-3995
                      CVE-2008-3994 CVE-2008-3993 CVE-2008-3992
                      CVE-2008-3991 CVE-2008-3990 CVE-2008-3989
                      CVE-2008-3988 CVE-2008-3987 CVE-2008-3986
                      CVE-2008-3985 CVE-2008-3984 CVE-2008-3983
                      CVE-2008-3982 CVE-2008-3980 CVE-2008-3977
                      CVE-2008-3976 CVE-2008-3975 CVE-2008-3257
                      CVE-2008-2625 CVE-2008-2624 CVE-2008-2619
                      CVE-2008-2588
Member content until: Wednesday, November 12 2008

OVERVIEW

	Oracle has published information regarding the October 2008 Critical
	Patch Update, which contains 37 security fixes affecting a range of
	Oracle products [1].


IMPACT

	Specific impacts have not been published by Oracle at this time;
	however, the following information regarding CVSS 2.0 scoring and
	affected products is available from the Oracle site [1]:

	The highest CVSS 2.0 base score of vulnerabilities across all
	products is 6.4 for servers, 6.5 for database and 10.0 for BEA
	Software.

	Oracle has also stated that 12 of these vulnerabilities are
	remotely exploitable with no user authentication required [1].

	The following products and components are reported by Oracle as
	vulnerable:

	 - Oracle Database 11g, version 11.1.0.6
	 - Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3,
	   10.2.0.4
	 - Oracle Database 10g, version 10.1.0.5
	 - Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
	 - Oracle Application Server 10g Release 3 (10.1.3), versions
	   10.1.3.3.0, 10.1.3.4.0
	 - Oracle Application Server 10g Release 2 (10.1.2), versions
	   10.1.2.2.0, 10.1.2.3.0
	 - Oracle Application Server 10g (9.0.4), version 9.0.4.3
	 - Oracle E-Business Suite Release 12, version 12.0.4
	 - Oracle E-Business Suite Release 11i, version 11.5.10.2
	 - Oracle PeopleSoft Enterprise PeopleTools versions 8.48.18,
	   8.49.14
	 - Oracle PeopleSoft Enterprise Portal versions 8.9, 9.0
	 - Oracle JD Edwards EnterpriseOne Tools versions 8.97, 8.98
	 - Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0
	   released through MP1, 10.3 GA
	 - Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA,
	   9.1 GA, 9.2 released through MP3
	 - Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1
	   released through SP6
	 - Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0
	   released through SP7
	 - Oracle WebLogic Server (formerly BEA WebLogic Server) 6.1
	   released through SP7
	 - Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop)
	   10.0 released through MP1, 10.2 GA, 10.3 GA
	 - Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop)
	   9.0, 9.1, 9.2 released through MP3
	 - Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop)
	   8.1 released through SP6

	 - Oracle Database
		 - Oracle Data Mining
		 - Oracle OLAP
		 - Change Data Capture
		 - Oracle Spatial
		 - Workspace Manager
		 - Upgrade
		 - Oracle Application Express
		 - Core RDBMS
		 - Oracle OLAP
	 - Oracle Application Server
		 - Oracle Portal
		 - Oracle Reports Developer
		 - Oracle JDeveloper
		 - Oracle Discoverer Administrator
		 - Oracle Discoverer Desktop
	 - Oracle E-Business Suite
		 - Oracle Applications Technology Stack
		 - iSupplier Portal
		 - Oracle iStore
		 - Oracle Reports Developer
		 - Oracle Applications Framework
	 - Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
		 - PeopleTools
		 - PeopleSoft Enterprise Portal
		 - JDE EnterpriseOne Business Service Server
	 - BEA Product Suite
		 - WebLogic Server Plugins for Apache
		 - WebLogic Server
		 - WebLogic Workshop


MITIGATION

	Administrators responsible for vulnerable products are advised to
	apply these patches as soon as practical.


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2008
            http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
