Hash: SHA1

                         AUSCERT Security Bulletin

           Oracle Critical Patch Update Advisory - October 2010
                              13 October 2010


        AusCERT Security Bulletin Summary

Product:              Oracle Database 11g, 10g, 9i
                      Oracle Fusion Middleware, 11gR1
                      Oracle Application Server, 10gR3, 10gR2
                      Oracle BI Publisher
                      Oracle Identity Management 10g
                      Oracle E-Business Suite Release 12, 11i
                      Agile PLM
                      Oracle Transportation Management
                      PeopleSoft Enterprise CRM
                      PeopleSoft Enterprise FMS
                      PeopleSoft Enterprise HCM
                      PeopleSoft Enterprise SCM
                      PeopleSoft Enterprise EPM
                      PeopleSoft Enterprise Campus Solutions
                      PeopleSoft Enterprise PeopleTools
                      Siebel Core
                      Primavera P6 Enterprise Project Portfolio Management
                      Oracle Sun Product Suite
Operating System:     UNIX variants (UNIX, Linux, OSX)
Impact/Access:        Unknown/Unspecified -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-3585 CVE-2010-3584 CVE-2010-3583
                      CVE-2010-3582 CVE-2010-3581 CVE-2010-3580
                      CVE-2010-3579 CVE-2010-3578 CVE-2010-3577
                      CVE-2010-3576 CVE-2010-3575 CVE-2010-3564
                      CVE-2010-3547 CVE-2010-3546 CVE-2010-3545
                      CVE-2010-3544 CVE-2010-3542 CVE-2010-3540
                      CVE-2010-3539 CVE-2010-3538 CVE-2010-3537
                      CVE-2010-3536 CVE-2010-3535 CVE-2010-3534
                      CVE-2010-3533 CVE-2010-3532 CVE-2010-3531
                      CVE-2010-3530 CVE-2010-3529 CVE-2010-3528
                      CVE-2010-3527 CVE-2010-3526 CVE-2010-3525
                      CVE-2010-3524 CVE-2010-3523 CVE-2010-3522
                      CVE-2010-3521 CVE-2010-3520 CVE-2010-3519
                      CVE-2010-3518 CVE-2010-3517 CVE-2010-3516
                      CVE-2010-3515 CVE-2010-3514 CVE-2010-3513
                      CVE-2010-3512 CVE-2010-3511 CVE-2010-3509
                      CVE-2010-3508 CVE-2010-3507 CVE-2010-3506
                      CVE-2010-3504 CVE-2010-3503 CVE-2010-3501
                      CVE-2010-2419 CVE-2010-2418 CVE-2010-2417
                      CVE-2010-2416 CVE-2010-2415 CVE-2010-2414
                      CVE-2010-2413 CVE-2010-2412 CVE-2010-2411
                      CVE-2010-2410 CVE-2010-2409 CVE-2010-2408
                      CVE-2010-2407 CVE-2010-2404 CVE-2010-2396
                      CVE-2010-2395 CVE-2010-2391 CVE-2010-2390
                      CVE-2010-2389 CVE-2010-2388 CVE-2010-1321
                      CVE-2010-0395 CVE-2009-3555 CVE-2009-3302
                      CVE-2009-3301 CVE-2009-2950 CVE-2009-2949
Member content until: Thursday, November 11 2010
Reference:            ASB-2010.0225

Revision History:     October 13 2010: Oracle has updated the advisory with a threat matrix and CVEs
                      October 12 2010: Initial Release


        Oracle have published information regarding the October 2010 Critical
        Patch Update which contains 81 security fixes affecting many
        Oracle products [1].


        Oracle has provided a matrix of specific impacts for affected products
        on the Oracle site. [1]
        "The highest CVSS 2.0 Base Score for vulnerabilities in this Critical
        Patch Update is 10.0 for vulnerability affecting Solaris Scheduler."
        Oracle have also stated that 30 of these vulnerabilities are remotely
        exploitable with no user authentication required. [1]
        The following products are reported by Oracle as vulnerable:
            * Oracle Database 11g Release 2, version
            * Oracle Database 11g Release 1, version
            * Oracle Database 10g Release 2, versions and
            * Oracle Database 10g, Release 1, version
            * Oracle Fusion Middleware, 11gR1, versions and
            * Oracle Application Server, 10gR3, version
            * Oracle Application Server, 10gR2, version
            * Oracle BI Publisher, versions, and
            * Oracle Identity Management 10g, versions and
            * Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
            * Oracle E-Business Suite Release 11i, versions 11.5.10 and
            * Agile PLM, version
            * Oracle Transportation Management, versions 5.5, 6.0, and 6.1
            * PeopleSoft Enterprise CRM, FMS, HCM and SCM (Supply Chain), versions 8.9, 9.0 and 9.1
            * PeopleSoft Enterprise EPM, Campus Solutions, versions 8.9 and 9.0
            * PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
            * Siebel Core, versions 7.7, 7.8, 8.0 and 8.1
            * Primavera P6 Enterprise Project Portfolio Management, versions and
            * Oracle Sun Product Suite


        Administrators responsible for vulnerable products are advised to 
        apply these patches as soon as is practical.


        [1] Oracle Critical Patch Update Advisory - October 2010

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

Australian Computer Emergency Response Team
The University of Queensland
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967