-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2010.0100.2
   Oracle Critical Patch Update Pre-release Announcement for April 2010
                               14 April 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g, 10g and 9i
                      Oracle Application Server 10gR2
                      Oracle Identity Management 10g
                      Oracle Collaboration Suite 10g
                      Oracle E-Business Suite Release 12 and 11i
                      Oracle Transportation Manager
                      Oracle Agile - Engineering Data Management
                      PeopleSoft Enterprise PeopleTools
                      Oracle Communications Unified Inventory Management
                      Oracle Clinical Remote Data Capture Option
                      Oracle Thesaurus Management System
                      Oracle Retail Markdown Optimization
                      Oracle Retail Place In-Season
                      Oracle Retail Plan In-Season
                      Oracle Sun Products Suite
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Windows
                      Solaris
Impact/Access:        Unknown/Unspecified -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-0086 CVE-2010-0851 CVE-2010-0852
                      CVE-2010-0853 CVE-2010-0854 CVE-2010-0855
                      CVE-2010-0856 CVE-2010-0857 CVE-2010-0858
                      CVE-2010-0859 CVE-2010-0860 CVE-2010-0861
                      CVE-2010-0862 CVE-2010-0863 CVE-2010-0864
                      CVE-2010-0865 CVE-2010-0866 CVE-2010-0867
                      CVE-2010-0868 CVE-2010-0869 CVE-2010-0870
                      CVE-2010-0871 CVE-2010-0872 CVE-2010-0874
                      CVE-2010-0875 CVE-2010-0876 CVE-2010-0877
                      CVE-2010-0878 CVE-2010-0879 CVE-2010-0880
                      CVE-2010-0882 CVE-2010-0883 CVE-2010-0884
                      CVE-2010-0885 CVE-2010-0888 CVE-2010-0889
                      CVE-2010-0890 CVE-2010-0893 CVE-2010-0894
                      CVE-2010-0895 CVE-2010-0896 CVE-2010-0897
Member content until: Thursday, May 13 2010

Revision History:     April 14 2010: Added CVE references
                      April 13 2010: Initial Release

OVERVIEW

        Oracle have published a pre-release announcement for the April 2010
        Critical Patch Update (CPU), which will contain 47 security fixes
        affecting hundreds of Oracle products [1].


IMPACT

        Specific impacts have not been published by Oracle at this time;
        however, the following information regarding CVSS 2.0 scoring and
        affected products is available from the Oracle site [1]:

        "The highest CVSS 2.0 base score for vulnerabilities in this Critical
        Patch Update is 10.0 for a vulnerability affecting Sun Ray Server
        Software for Solaris."

        Oracle have also stated that 28 of these vulnerabilities are
        remotely exploitable with no user authentication required [1].
                    
        The following products are reported by Oracle as vulnerable:
                
        Oracle Database 11g, version 11.1.0.7, 11.2.0.1
        Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
        Oracle Database 10g, version 10.1.0.5
        Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
        Oracle Application Server 10gR2, version 10.1.2.3.0
        Oracle Identity Management 10g, version 10.1.4.0.1 and 10.1.4.3
        Oracle Collaboration Suite 10g, version 10.1.2.4
        Oracle E-Business Suite Release 12,
          versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
        Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
        Oracle Transportation Manager,
          versions 5.5.05.07, 5.5.06.00, 6.0.03
        Oracle Agile - Engineering Data Management, Version 6.1.1.0
        PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
        Oracle Communications Unified Inventory Management version 7.1
        Oracle Clinical Remote Data Capture Option 4.5.3, 4.6
        Oracle Thesaurus Management System 4.5.2, 4.6, 4.6.1
        Oracle Retail Markdown Optimization version 13.1
        Oracle Retail Place In-Season version 12.2
        Oracle Retail Plan In-Season version 12.2
        Oracle Sun Products Suite


MITIGATION

        Administrators responsible for vulnerable products are advised to
        apply these patches as soon as practicable after release, giving
        priority to internet-facing deployments, since 28 of the 47 fixes
        address issues exploitable remotely without authentication [1].
        As specific impacts have not yet been published, patch testing and
        change windows should be scheduled now so the Critical Patch Update
        can be applied promptly once Oracle releases it.
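
        A database administrator will want to confirm which Oracle Database
        release is installed (to compare against the affected-version list
        above) and, once the CPU is applied, that it has actually been
        recorded. The SQL below is an added example for this bulletin and is
        not from AusCERT or Oracle. It queries the standard data-dictionary
        views V$INSTANCE, V$VERSION and DBA_REGISTRY_HISTORY; the
        'CPUApr2010' comment string used in the last query is an assumption
        about how the patch labels itself and should be checked against the
        rows the history view actually returns.

```sql
-- Added example (not from the AusCERT bulletin or Oracle): identify the
-- installed Oracle Database release and check whether a Critical Patch
-- Update has been recorded in the data-dictionary registry history.
-- Run as a user with SELECT on the data dictionary (e.g. as SYSDBA).

-- 1. Which release is this?  Compare against the affected versions listed
--    in the bulletin: 9.2.0.8, 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.7, 11.2.0.1
SELECT instance_name,
       host_name,
       version
FROM   v$instance;

SELECT banner
FROM   v$version
WHERE  banner LIKE 'Oracle Database%';

-- 2. Which CPU / PSU bundles has the SQL portion of patching registered?
--    Each successful catbundle run appends a row; ID and COMMENTS identify
--    the bundle.  (DBA_REGISTRY_HISTORY exists from 10.2 onwards; on 9.2
--    and 10.1 rely on OPatch output instead.)
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
FROM   dba_registry_history
ORDER  BY action_time DESC;

-- 3. Single-row status check for the April 2010 CPU.  The 'CPUApr2010'
--    pattern is an assumption about the comment text written by the patch;
--    adjust it to match what step 2 shows on your system.
SELECT CASE
         WHEN COUNT(*) = 0 THEN 'April 2010 CPU not recorded - review patch status'
         ELSE 'April 2010 CPU recorded'
       END AS cpu_apr2010_status
FROM   dba_registry_history
WHERE  comments LIKE '%CPUApr2010%';
```

        DBA_REGISTRY_HISTORY records only the SQL (catbundle) part of a
        patch; the binary part applied to ORACLE_HOME is listed by
        $ORACLE_HOME/OPatch/opatch lsinventory, so both should be checked
        before an instance is considered patched.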


REFERENCES

        [1] Oracle Critical Patch Update Pre-Release Announcement - April 2010
            http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2010.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iD8DBQFLxUUW/iFOrG6YcBERAir7AKCGgfh/xKFv8GpJwRHvsRHvVKSDegCg1CBo
7EQSJXgMxTBNh2yMNDGV2Zw=
=/yaT
-----END PGP SIGNATURE-----