===========================================================================
                       AUSCERT Security Bulletin

                            ASB-2010.0222.2
          Oracle Critical Patch Update Advisory - October 2010
                             13 October 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g, 10g, 9i
                      Oracle Fusion Middleware, 11gR1
                      Oracle Application Server, 10gR3, 10gR2
                      Oracle BI Publisher
                      Oracle Identity Management 10g
                      Oracle E-Business Suite Release 12, 11i
                      Agile PLM
                      Oracle Transportation Management
                      PeopleSoft Enterprise CRM
                      PeopleSoft Enterprise FMS
                      PeopleSoft Enterprise HCM
                      PeopleSoft Enterprise SCM
                      PeopleSoft Enterprise EPM
                      PeopleSoft Enterprise Campus Solutions
                      PeopleSoft Enterprise PeopleTools
                      Siebel Core
                      Primavera P6 Enterprise Project Portfolio Management
                      Oracle Sun Product Suite
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Solaris
                      Windows
Impact/Access:        Unknown/Unspecified -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-3585 CVE-2010-3584 CVE-2010-3583 CVE-2010-3582
                      CVE-2010-3581 CVE-2010-3580 CVE-2010-3579 CVE-2010-3578
                      CVE-2010-3577 CVE-2010-3576 CVE-2010-3575 CVE-2010-3564
                      CVE-2010-3547 CVE-2010-3546 CVE-2010-3545 CVE-2010-3544
                      CVE-2010-3542 CVE-2010-3540 CVE-2010-3539 CVE-2010-3538
                      CVE-2010-3537 CVE-2010-3536 CVE-2010-3535 CVE-2010-3534
                      CVE-2010-3533 CVE-2010-3532 CVE-2010-3531 CVE-2010-3530
                      CVE-2010-3529 CVE-2010-3528 CVE-2010-3527 CVE-2010-3526
                      CVE-2010-3525 CVE-2010-3524 CVE-2010-3523 CVE-2010-3522
                      CVE-2010-3521 CVE-2010-3520 CVE-2010-3519 CVE-2010-3518
                      CVE-2010-3517 CVE-2010-3516 CVE-2010-3515 CVE-2010-3514
                      CVE-2010-3513 CVE-2010-3512 CVE-2010-3511 CVE-2010-3509
                      CVE-2010-3508 CVE-2010-3507 CVE-2010-3506 CVE-2010-3504
                      CVE-2010-3503 CVE-2010-3501 CVE-2010-2419 CVE-2010-2418
                      CVE-2010-2417 CVE-2010-2416 CVE-2010-2415 CVE-2010-2414
                      CVE-2010-2413 CVE-2010-2412 CVE-2010-2411 CVE-2010-2410
                      CVE-2010-2409 CVE-2010-2408 CVE-2010-2407 CVE-2010-2404
                      CVE-2010-2396 CVE-2010-2395 CVE-2010-2391 CVE-2010-2390
                      CVE-2010-2389 CVE-2010-2388 CVE-2010-1321 CVE-2010-0395
                      CVE-2009-3555 CVE-2009-3302 CVE-2009-3301 CVE-2009-2950
                      CVE-2009-2949
Member content until: Thursday, November 11 2010
Reference:            ASB-2010.0225
                      ASB-2010.0168

Revision History:     October 13 2010: Oracle has updated the advisory with a
                                       threat matrix and CVEs
                      October 12 2010: Initial Release

OVERVIEW

        Oracle have published information regarding the October 2010
        Critical Patch Update, which contains 81 security fixes affecting
        many Oracle products. [1]

IMPACT

        Oracle has provided a matrix of specific impacts for affected
        products on the Oracle site. [1]

        "The highest CVSS 2.0 Base Score for vulnerabilities in this
        Critical Patch Update is 10.0 for vulnerability affecting Solaris
        Scheduler."

        Oracle have also stated that 30 of these vulnerabilities are
        remotely exploitable with no user authentication required. [1]

        The following products are reported by Oracle as vulnerable:

        * Oracle Database 11g Release 2, version 11.2.0.1
        * Oracle Database 11g Release 1, version 11.1.0.7
        * Oracle Database 10g Release 2, versions 10.2.0.3 and 10.2.0.4
        * Oracle Database 10g, Release 1, version 10.1.0.5
        * Oracle Fusion Middleware, 11gR1, versions 11.1.1.1.0 and 11.1.1.2.0
        * Oracle Application Server, 10gR3, version 10.1.3.5.0
        * Oracle Application Server, 10gR2, version 10.1.2.3.0
        * Oracle BI Publisher, versions 10.1.3.3.2, 10.1.3.4.0 and 10.1.3.4.1
        * Oracle Identity Management 10g, versions 10.1.4.0.1 and 10.1.4.3
        * Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5,
          12.0.6, 12.1.1 and 12.1.2
        * Oracle E-Business Suite Release 11i, versions 11.5.10 and 11.5.10.2
        * Agile PLM, version 9.3.0.0
        * Oracle Transportation Management, versions 5.5, 6.0, and 6.1
        * PeopleSoft Enterprise CRM, FMS, HCM and SCM (Supply Chain),
          versions 8.9, 9.0 and 9.1
        * PeopleSoft Enterprise EPM, Campus Solutions, versions 8.9 and 9.0
        * PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
        * Siebel Core, versions 7.7, 7.8, 8.0 and 8.1
        * Primavera P6 Enterprise Project Portfolio Management,
          versions 6.21.3.0 and 7.0.1.0
        * Oracle Sun Product Suite

MITIGATION

        Administrators responsible for vulnerable products are advised to
        apply these patches as soon as is practical.

REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2010
            http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may
arise from following or acting on information or advice contained in this
security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================