
===========================================================================
                         AUSCERT Security Bulletin

                               ASB-2009.1013
             Oracle Critical Patch Update Advisory - July 2009
                               15 July 2009

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g
                      Oracle Database 10g
                      Oracle Database 9i
                      Oracle Application Server 10g
                      Oracle Identity Management 10g
                      Oracle E-Business Suite Release 12
                      Oracle E-Business Suite Release 11i
                      Oracle Enterprise Manager Database Control 11
                      Oracle Enterprise Manager Grid Control 10g
                      PeopleSoft Enterprise PeopleTools
                      PeopleSoft Enterprise HRMS
                      Siebel Highly Interactive Client
                      Oracle WebLogic Server
                      Oracle Complex Event Processing
                      WebLogic Event Server 2.0
                      Oracle JRockit
Operating System:     Windows
                      UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution:           Patch
CVE Names:            CVE-2009-0217 CVE-2009-0987 CVE-2009-1015
                      CVE-2009-1019 CVE-2009-1020 CVE-2009-1021
                      CVE-2009-1094 CVE-2009-1523 CVE-2009-1963
                      CVE-2009-1966 CVE-2009-1967 CVE-2009-1968
                      CVE-2009-1969 CVE-2009-1970 CVE-2009-1973
                      CVE-2009-1974 CVE-2009-1975 CVE-2009-1976
                      CVE-2009-1977 CVE-2009-1978 CVE-2009-1980
                      CVE-2009-1981 CVE-2009-1982 CVE-2009-1983
                      CVE-2009-1984 CVE-2009-1986 CVE-2009-1987
                      CVE-2009-1988 CVE-2009-1989 
Member content until: Friday, August 14 2009

OVERVIEW

        Oracle have published information regarding the July 2009 
        Critical Patch Update which contains 30 security fixes affecting 
        hundreds of Oracle products [1].


IMPACT

        Specific impacts have not been published by Oracle at this time; 
        however, the following information regarding CVSS 2.0 scoring and 
        affected products is available from the Oracle site [1]:
        
        The highest CVSS 2.0 base score of vulnerabilities across all 
        products is 10.0 (these vulnerabilities affect Oracle Secure Backup 
        and JRockit).
        
        Oracle have also stated that 15 of these vulnerabilities are 
        remotely exploitable with no user authentication required [1].
            
        The following products are reported by Oracle as vulnerable:
        
         - Oracle Database 11g, versions 11.1.0.6, 11.1.0.7
         - Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
         - Oracle Database 10g, version 10.1.0.5
         - Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
         - Oracle Application Server 10g Release 2 (10.1.2), version 
           10.1.2.3.0
         - Oracle Application Server 10g Release 3 (10.1.3), versions 
           10.1.3.3.0, 10.1.3.4.0
         - Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.2.0, 
           10.1.4.3.0
         - Oracle E-Business Suite Release 12, version 12.1
         - Oracle E-Business Suite Release 12, version 12.0.6
         - Oracle E-Business Suite Release 11i, version 11.5.10.2
         - Oracle Enterprise Manager Database Control 11, versions 11.1.0.6, 
           11.1.0.7
         - Oracle Enterprise Manager Grid Control 10g Release 4, version 
           10.2.0.4
         - PeopleSoft Enterprise PeopleTools versions: 8.49
         - PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
         - Siebel Highly Interactive Client versions: 7.5.3, 7.7.2, 7.8, 
           8.0, 8.1
         - Oracle WebLogic Server 10.3, 10.0MP1
         - Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3
         - Oracle WebLogic Server 8.1 through 8.1 SP6
         - Oracle WebLogic Server 7.0 through 7.0 SP7
         - Oracle Complex Event Processing 10.3 and WebLogic Event Server 
           2.0
         - Oracle JRockit R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2)


MITIGATION

        Administrators responsible for vulnerable products are advised to 
        apply these patches as soon as is practical.


REFERENCES

        [1] Oracle Critical Patch Update Advisory - July 2009
            http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================