
===========================================================================
                         AUSCERT Security Bulletin

                              ASB-2010.0222.2
           Oracle Critical Patch Update Advisory - October 2010
                              13 October 2010

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Oracle Database 11g, 10g, 9i
                      Oracle Fusion Middleware, 11gR1
                      Oracle Application Server, 10gR3, 10gR2
                      Oracle BI Publisher
                      Oracle Identity Management 10g
                      Oracle E-Business Suite Release 12, 11i
                      Agile PLM
                      Oracle Transportation Management
                      PeopleSoft Enterprise CRM
                      PeopleSoft Enterprise FMS
                      PeopleSoft Enterprise HCM
                      PeopleSoft Enterprise SCM
                      PeopleSoft Enterprise EPM
                      PeopleSoft Enterprise Campus Solutions
                      PeopleSoft Enterprise PeopleTools
                      Siebel Core
                      Primavera P6 Enterprise Project Portfolio Management
                      Oracle Sun Product Suite
Operating System:     UNIX variants (UNIX, Linux, OSX)
                      Solaris
                      Windows
Impact/Access:        Unknown/Unspecified -- Remote/Unauthenticated
Resolution:           Patch/Upgrade
CVE Names:            CVE-2010-3585 CVE-2010-3584 CVE-2010-3583
                      CVE-2010-3582 CVE-2010-3581 CVE-2010-3580
                      CVE-2010-3579 CVE-2010-3578 CVE-2010-3577
                      CVE-2010-3576 CVE-2010-3575 CVE-2010-3564
                      CVE-2010-3547 CVE-2010-3546 CVE-2010-3545
                      CVE-2010-3544 CVE-2010-3542 CVE-2010-3540
                      CVE-2010-3539 CVE-2010-3538 CVE-2010-3537
                      CVE-2010-3536 CVE-2010-3535 CVE-2010-3534
                      CVE-2010-3533 CVE-2010-3532 CVE-2010-3531
                      CVE-2010-3530 CVE-2010-3529 CVE-2010-3528
                      CVE-2010-3527 CVE-2010-3526 CVE-2010-3525
                      CVE-2010-3524 CVE-2010-3523 CVE-2010-3522
                      CVE-2010-3521 CVE-2010-3520 CVE-2010-3519
                      CVE-2010-3518 CVE-2010-3517 CVE-2010-3516
                      CVE-2010-3515 CVE-2010-3514 CVE-2010-3513
                      CVE-2010-3512 CVE-2010-3511 CVE-2010-3509
                      CVE-2010-3508 CVE-2010-3507 CVE-2010-3506
                      CVE-2010-3504 CVE-2010-3503 CVE-2010-3501
                      CVE-2010-2419 CVE-2010-2418 CVE-2010-2417
                      CVE-2010-2416 CVE-2010-2415 CVE-2010-2414
                      CVE-2010-2413 CVE-2010-2412 CVE-2010-2411
                      CVE-2010-2410 CVE-2010-2409 CVE-2010-2408
                      CVE-2010-2407 CVE-2010-2404 CVE-2010-2396
                      CVE-2010-2395 CVE-2010-2391 CVE-2010-2390
                      CVE-2010-2389 CVE-2010-2388 CVE-2010-1321
                      CVE-2010-0395 CVE-2009-3555 CVE-2009-3302
                      CVE-2009-3301 CVE-2009-2950 CVE-2009-2949
Member content until: Thursday, November 11 2010
Reference:            ASB-2010.0225
                      ASB-2010.0168

Revision History:     October 13 2010: Oracle has updated the advisory with a threat matrix and CVEs
                      October 12 2010: Initial Release

OVERVIEW

        Oracle has published information regarding the October 2010 Critical
        Patch Update, which contains 81 security fixes affecting many
        Oracle products [1].


IMPACT

        Oracle has provided a matrix of specific impacts for affected products
        on the Oracle site. [1]
        
        "The highest CVSS 2.0 Base Score for vulnerabilities in this Critical
        Patch Update is 10.0 for vulnerability affecting Solaris Scheduler."
        
        Oracle has also stated that 30 of these vulnerabilities are remotely
        exploitable with no user authentication required [1].
        
        The following products are reported by Oracle as vulnerable:
        
            * Oracle Database 11g Release 2, version 11.2.0.1
            * Oracle Database 11g Release 1, version 11.1.0.7
            * Oracle Database 10g Release 2, versions 10.2.0.3 and 10.2.0.4
            * Oracle Database 10g, Release 1, version 10.1.0.5
            * Oracle Fusion Middleware, 11gR1, versions 11.1.1.1.0 and 11.1.1.2.0
            * Oracle Application Server, 10gR3, version 10.1.3.5.0
            * Oracle Application Server, 10gR2, version 10.1.2.3.0
            * Oracle BI Publisher, versions 10.1.3.3.2, 10.1.3.4.0 and 10.1.3.4.1
            * Oracle Identity Management 10g, versions 10.1.4.0.1 and 10.1.4.3
            * Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
            * Oracle E-Business Suite Release 11i, versions 11.5.10 and 11.5.10.2
            * Agile PLM, version 9.3.0.0
            * Oracle Transportation Management, versions 5.5, 6.0, and 6.1
            * PeopleSoft Enterprise CRM, FMS, HCM and SCM (Supply Chain), versions 8.9, 9.0 and 9.1
            * PeopleSoft Enterprise EPM, Campus Solutions, versions 8.9 and 9.0
            * PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
            * Siebel Core, versions 7.7, 7.8, 8.0 and 8.1
            * Primavera P6 Enterprise Project Portfolio Management, versions 6.21.3.0 and 7.0.1.0
            * Oracle Sun Product Suite


MITIGATION

        Administrators responsible for vulnerable products are advised to 
        apply these patches as soon as is practical.


REFERENCES

        [1] Oracle Critical Patch Update Advisory - October 2010
            http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours 
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================