Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT Security Bulletin
ASB-2009.1013
Oracle Critical Patch Update Advisory - July 2009
15 July 2009
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle Database 11g
Oracle Database 10g
Oracle Database 9i
Oracle Application Server 10g
Oracle Identity Management 10g
Oracle E-Business Suite Release 12
Oracle E-Business Suite Release 11i
Oracle Enterprise Manager Database Control 11
Oracle Enterprise Manager Grid Control 10g
PeopleSoft Enterprise PeopleTools
PeopleSoft Enterprise HRMS
Siebel Highly Interactive Client
Oracle WebLogic Server
Oracle Complex Event Processing
WebLogic Event Server 2.0
Oracle JRockit
Operating System: Windows
UNIX variants (UNIX, Linux, OSX)
Impact/Access: Execute Arbitrary Code/Commands -- Remote/Unauthenticated
Resolution: Patch
CVE Names: CVE-2009-0217 CVE-2009-0987 CVE-2009-1015
CVE-2009-1019 CVE-2009-1020 CVE-2009-1021
CVE-2009-1094 CVE-2009-1523 CVE-2009-1963
CVE-2009-1966 CVE-2009-1967 CVE-2009-1968
CVE-2009-1969 CVE-2009-1970 CVE-2009-1973
CVE-2009-1974 CVE-2009-1975 CVE-2009-1976
CVE-2009-1977 CVE-2009-1978 CVE-2009-1980
CVE-2009-1981 CVE-2009-1982 CVE-2009-1983
CVE-2009-1984 CVE-2009-1986 CVE-2009-1987
CVE-2009-1988 CVE-2009-1989
Member content until: Friday, August 14 2009
OVERVIEW
Oracle have published information regarding the July 2009
Critical Patch Update which contains 30 security fixes affecting
hundreds of Oracle products [1].
IMPACT
Specific impacts have not been published by Oracle at this time
however the following information regarding CVSS 2.0 scoring and
affected products is available from the Oracle site [1]:
The highest CVSS 2.0 base score of vulnerabilities across all
products is 10.0 (These vulnerabilities affect Oracle Secure Backup
and JRockit).
Oracle have also stated that 15 of these vulnerabilities are
remotely exploitable with no user authentication required. [1]
The following products are reported by Oracle as vulnerable:
- Oracle Database 11g, version 11.1.0.6, 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
- Oracle Application Server 10g Release 2 (10.1.2), version
10.1.2.3.0
- Oracle Application Server 10g Release 3 (10.1.3), versions
10.1.3.3.0, 10.1.3.4.0
- Oracle Identity Management 10g, version 10.1.4.0.1, 10.1.4.2.0,
10.1.4.3.0
- Oracle E-Business Suite Release 12, version 12.1
- Oracle E-Business Suite Release 12, version 12.0.6
- Oracle E-Business Suite Release 11i, version 11.5.10.2
- Oracle Enterprise Manager Database Control 11, version 11.1.0.6,
11.1.0.7
- Oracle Enterprise Manager Grid Control 10g Release 4, version
10.2.0.4
- PeopleSoft Enterprise PeopleTools versions: 8.49
- PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
- Siebel Highly Interactive Client versions: 7.5.3, 7.7.2, 7.8,
8.0, 8.1
- Oracle WebLogic Server 10.3, 10.0MP1
- Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3
- Oracle WebLogic Server 8.1 through 8.1 SP6
- Oracle WebLogic Server 7.0 through 7.0 SP7
- Oracle Complex Event Processing 10.3 and WebLogic Event Server
2.0
- Oracle JRockit R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2)
MITIGATION
Administrators responsible for vulnerable products are advised to
apply these patches as soon as is practical.
REFERENCES
[1] Oracle Critical Patch Update Advisory - July 2009
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iD8DBQFKXTecNVH5XJJInbgRAu8XAJ0YmGZ6OJ5KBOAZq19MiPl1Iv05GQCdHyxA
D1F63K6hrLe8CWmfj1SLQQo=
=GSwm
-----END PGP SIGNATURE-----