
DOE-CIRC TECHNICAL BULLETIN

T-255: Oracle Critical Patch Update Advisory

October 21, 2009 14:00 GMT

PROBLEM: A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.
PLATFORM:
  Oracle Database 11g, version 11.1.0.7
  Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
  Oracle Database 10g, version 10.1.0.5
  Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
  Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5.0
  Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
  Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.0, 10.1.3.4.1
  Oracle E-Business Suite Release 12, versions 12.0.6, 12.1
  Oracle E-Business Suite Release 11i, version 11.5.10.2
  AutoVue, version 19.3
  Agile Engineering Data Management (EDM), version 6.1
  PeopleSoft PeopleTools & Enterprise Portal, version 8.49
  PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0
  JD Edwards Tools, version 8.98
  Oracle WebLogic Server 10.0 through MP1 and 10.3
  Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3
  Oracle WebLogic Server 8.1 through 8.1 SP5
  Oracle WebLogic Server 7.0 through 7.0 SP6
  Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through 9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3 through 10.3.1
  Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2)
  Oracle Communications Order and Service Management, versions 2.8.0, 6.2.0, 6.3.0 and 6.3.1
ABSTRACT: Due to the threat posed by a successful attack, it is strongly recommended that customers apply fixes as soon as possible. This Critical Patch Update contains 38 new security fixes across all products.

LINKS:
  DOE-CIRC BULLETIN: http://www.doecirc.energy.gov/bulletins/t-255.shtml
  OTHER LINKS:
    Security Tracker: http://securitytracker.com/alerts/2009/Oct/1023062.html
    Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html

  CVE: CVE-2009-1992, CVE-2009-1979, CVE-2009-1985, CVE-2009-1007, CVE-2009-1994, CVE-2009-2001, CVE-2009-1993, CVE-2009-1018, CVE-2009-1964, CVE-2009-1965, CVE-2009-1997, CVE-2009-2000, CVE-2009-1995, CVE-2009-1991, CVE-2009-1971, CVE-2009-1972, CVE-2009-1999, CVE-2009-3407, CVE-2009-1990, CVE-2009-3400, CVE-2009-3392, CVE-2009-3408, CVE-2009-3395, CVE-2009-3393, CVE-2009-3397, CVE-2009-3402, CVE-2009-3401, CVE-2009-3405, CVE-2009-3404, CVE-2009-3409, CVE-2009-3406, CVE-2009-3403, CVE-2009-0217, CVE-2009-2625, CVE-2009-2002, CVE-2009-3396, CVE-2009-3399, CVE-2009-1998

IMPACT ASSESSMENT: This risk is high. A remote authenticated user can modify data on the target application.

Discussion:
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.

- Oracle Database Executive Summary

This Critical Patch Update contains 16 new security fixes for the Oracle Database Server Suite, divided as follows:

15 new security fixes for the Oracle Database Server. 6 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. 1 of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.

1 new security fix for Oracle Application Express. This vulnerability may not be remotely exploitable without authentication, i.e., it may not be exploitable over a network without a username and password.

These vulnerabilities are tracked in the following CVE numbers:
CVE-2009-1992, CVE-2009-1979, CVE-2009-1985, CVE-2009-1007, CVE-2009-1994, CVE-2009-2001, CVE-2009-1993, CVE-2009-1018, CVE-2009-1964, CVE-2009-1965, CVE-2009-1997, CVE-2009-2000, CVE-2009-1995, CVE-2009-1991, CVE-2009-1971, CVE-2009-1972

- Oracle Application Server Executive Summary

This Critical Patch Update contains 3 new security fixes for the Oracle Application Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes is applicable to client-only installations, i.e., installations that do not have the Oracle Application Server installed.

These vulnerabilities are tracked in the following CVE numbers:
CVE-2009-1999, CVE-2009-3407, CVE-2009-1990

- Oracle E-Business Suite and Applications Executive Summary

This Critical Patch Update contains 8 new security fixes for Oracle Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes is applicable to client-only installations, i.e., installations that do not have Oracle Applications installed.

Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Fusion Middleware sections. The exposure of Oracle E-Business Suite products therefore depends on the Oracle Database and Fusion Middleware versions in use. Oracle Database and Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix, but since vulnerabilities affecting those versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2009 Critical Patch Update to the Oracle Database and Fusion Middleware components of Oracle E-Business Suite.

These vulnerabilities are tracked in the following CVE numbers:
CVE-2009-3400, CVE-2009-3392, CVE-2009-3408, CVE-2009-3395, CVE-2009-3393, CVE-2009-3397, CVE-2009-3402, CVE-2009-3401

- Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary

This Critical Patch Update contains 4 new security fixes for the Oracle PeopleSoft and JD Edwards Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without a username and password.

These vulnerabilities are tracked in the following CVE numbers:
CVE-2009-3405, CVE-2009-3404, CVE-2009-3409, CVE-2009-3406

- BEA Products Executive Summary

This Critical Patch Update contains 6 new security fixes for the Oracle BEA Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

The BEA Critical Patch Update patches have become cumulative with the introduction of the October 2009 Critical Patch Update: the BEA October 2009 Critical Patch Update patches include the security fixes from the July 2009 Critical Patch Update. The BEA WebLogic Server patches are cumulative at the sub-component level (e.g., the WLS console and Web applications are sub-components).

These vulnerabilities are tracked in the following CVE numbers:
CVE-2009-3403, CVE-2009-0217, CVE-2009-2625, CVE-2009-2002, CVE-2009-3396, CVE-2009-3399

- Oracle Industry Applications Product Suite Executive Summary

This Critical Patch Update contains 1 new security fix for Oracle Industry Applications. This vulnerability is not remotely exploitable without authentication, i.e., it may not be exploited over a network without a username and password.

This vulnerability is tracked in the following CVE number:
CVE-2009-1998


DOE-CIRC services are available to DOE, DOE Contractors, and the NIH. DOE-CIRC can be contacted at:
    Voice:           866-941-2472
    E-mail:          doecirc@doecirc.energy.gov
    World Wide Web:  http://www.doecirc.energy.gov


UCRL-MI-119788