Australia's Leading Computer Emergency Response Team


ASB-2011.0059 - ALERT [Win][UNIX/Linux] Oracle Products: Reduced security - Remote/unauthenticated

Date: 20 July 2011
References: ASB-2010.0222.2  ASB-2011.0047  ESB-2011.0805  ESB-2011.1090.4  ESB-2012.0108  ESB-2013.1179  


                         AUSCERT Security Bulletin

Oracle has released updates which correct vulnerabilities in their products
                               20 July 2011


        AusCERT Security Bulletin Summary

Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Secure Backup
                      Oracle Fusion Middleware 11g
                      Oracle Application Server 10g
                      Oracle Business Intelligence Enterprise Edition
                      Oracle Identity Management 10g
                      Oracle JRockit
                      Oracle Outside In Technology
                      Oracle Enterprise Manager 10g Grid Control
                      Oracle Enterprise Manager 11g Grid Control
                      Oracle E-Business Suite Release 12
                      Oracle E-Business Suite Release 11i
                      Oracle Agile Technology Platform
                      Oracle PeopleSoft Enterprise FIN
                      Oracle PeopleSoft Enterprise FMS
                      Oracle PeopleSoft Enterprise FSCM
                      Oracle PeopleSoft Enterprise HRMS
                      Oracle PeopleSoft Enterprise SCM
                      Oracle PeopleSoft Enterprise PeopleTools
                      Oracle Sun Product Suite
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Reduced Security -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2011-2267 CVE-2011-2264 CVE-2011-2261
                      CVE-2011-2257 CVE-2011-2253 CVE-2011-2252
                      CVE-2011-2251 CVE-2011-2248 CVE-2011-2244
                      CVE-2011-2243 CVE-2011-2242 CVE-2011-2241
                      CVE-2011-2240 CVE-2011-2239 CVE-2011-2238
                      CVE-2011-2232 CVE-2011-2231 CVE-2011-2230
                      CVE-2011-0884 CVE-2011-0883 CVE-2011-0882
                      CVE-2011-0882 CVE-2011-0881 CVE-2011-0880
                      CVE-2011-0879 CVE-2011-0877 CVE-2011-0876
                      CVE-2011-0876 CVE-2011-0875 CVE-2011-0873
                      CVE-2011-0870 CVE-2011-0852 CVE-2011-0848
                      CVE-2011-0845 CVE-2011-0838 CVE-2011-0835
                      CVE-2011-0832 CVE-2011-0831 CVE-2011-0830
                      CVE-2011-0822 CVE-2011-0816 CVE-2011-0811
Member content until: Friday, August 19 2011
Reference:            ASB-2011.0047


        Oracle has released updates which correct vulnerabilities in their
        products. [1]


        Oracle has not published specific impacts at this time; however,
        the following information regarding CVSS 2.0 scoring and affected
        products is available from the Oracle site [1]. Several products
        have a CVSS score of 10, the highest possible score.
        Oracle states, "this Critical Patch Update contains 78 new security
        fixes across all product families listed below." [1]
        The following products are affected:
        Oracle Database 11g Release 2, versions,
        Oracle Database 11g Release 1, version
        Oracle Database 10g Release 2, versions,,
        Oracle Database 10g Release 1, version
        Oracle Secure Backup, version
        Oracle Fusion Middleware 11g Release 1, versions,,
        Oracle Application Server 10g Release 3, version
        Oracle Application Server 10g Release 2, version
        Oracle Business Intelligence Enterprise Edition, versions,
        Oracle Identity Management 10g, versions,
        Oracle JRockit, versions R27.6.9 and earlier (JDK/JRE 1.4.2, 5, 6), R28.1.3 and earlier (JDK/JRE 5, 6)
        Oracle Outside In Technology, versions,
        Oracle Enterprise Manager 10g Grid Control Release 1, version
        Oracle Enterprise Manager 10g Grid Control Release 2, version
        Oracle Enterprise Manager 11g Grid Control Release 1, version
        Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3
        Oracle E-Business Suite Release 11i, version
        Oracle Agile Technology Platform, versions,
        Oracle PeopleSoft Enterprise FIN, versions 9.0, 9.1
        Oracle PeopleSoft Enterprise FMS, versions 9.0, 9.1
        Oracle PeopleSoft Enterprise FSCM, versions 9.0, 9.1
        Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
        Oracle PeopleSoft Enterprise SCM, versions 9.0, 9.1
        Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51
        Oracle Sun Product Suite


        Links to the appropriate patches are available at the Oracle 
        website. [1]


        [1] Oracle Critical Patch Update Advisory - July 2011

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email:
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.