Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
===========================================================================
AUSCERT External Security Bulletin Redistribution
ESB-2006.0482 -- [Win][Linux]
Oracle Products Contain Multiple Vulnerabilities
20 July 2006
===========================================================================
AusCERT Security Bulletin Summary
---------------------------------
Product: Oracle10g Database
Oracle9i Database
Oracle8i Database
Oracle Enterprise Manager 10g Grid Control
Oracle Application Server 10g
Oracle Collaboration Suite 10g
Oracle9i Collaboration Suite
Oracle E-Business Suite Release 11i
Oracle E-Business Suite Release 11.0
Oracle Pharmaceutical Applications
JD Edwards EnterpriseOne, OneWorld Tools
Oracle PeopleSoft Enterprise Portal Solutions
Publisher: US-CERT
Operating System: Windows
Linux variants
Impact: Execute Arbitrary Code/Commands
Read-only Data Access
Denial of Service
Access: Remote/Unauthenticated
Original Bulletin: http://www.us-cert.gov/cas/techalerts/TA06-200A.html
- --------------------------BEGIN INCLUDED TEXT--------------------
- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA06-200A
Oracle Products Contain Multiple Vulnerabilities
Original release date: July 19, 2006
Last revised: --
Source: US-CERT
Systems Affected
* Oracle10g Database
* Oracle9i Database
* Oracle8i Database
* Oracle Enterprise Manager 10g Grid Control
* Oracle Application Server 10g
* Oracle Collaboration Suite 10g
* Oracle9i Collaboration Suite
* Oracle E-Business Suite Release 11i
* Oracle E-Business Suite Release 11.0
* Oracle Pharmaceutical Applications
* JD Edwards EnterpriseOne, OneWorld Tools
* Oracle PeopleSoft Enterprise Portal Solutions
For more information regarding affected product versions, please see
the Oracle Critical Patch Update - July 2006.
Overview
Oracle products and components are affected by multiple
vulnerabilities. The impacts of these vulnerabilities include remote
execution of arbitrary code, information disclosure, and denial of
service.
I. Description
Oracle has released Critical Patch Update - July 2006. This update
addresses numerous vulnerabilities in different Oracle products and
components.
The Critical Patch Update provides information about affected
components, access and authorization required, and the impact of the
vulnerabilities on data confidentiality, integrity, and availability.
MetaLink customers should refer to MetaLink Note 293956.1 (login
required) for more information on terms used in the Critical Patch
Update.
According to Oracle, four of the vulnerabilities corrected in the
Oracle Critical Patch Update - July 2006 affect Oracle Database
client-only installations.
We believe that the Oracle Database vulnerability identified as Oracle
Vuln# DB06 in the Oracle Critical Patch Update corresponds to US-CERT
Vulnerability Note VU#932124, which includes further details as well
as workarounds. In most cases, Oracle does not associate Vuln#
identifiers (e.g., DB01) with other available information. As more
details about vulnerabilities and remediation strategies become
available, we will update the individual
vulnerability notes.
II. Impact
The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include the execution of arbitrary code or commands, information
disclosure, and denial of service. Vulnerable components may be
available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information.
III. Solution
Apply a patch from Oracle
Apply the appropriate patches or upgrade as specified in the Oracle
Critical Patch Update - April 2006. Note that this Critical Patch
Update only lists newly corrected issues. Updates to patches for
previously known issues are not listed.
As noted in the update, some patches are cumulative, others are not:
The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
Applications patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical
Patch Updates.
Oracle E-Business Suite and Applications patches are not
cumulative, so E-Business Suite and Applications customers should
refer to previous Critical Patch Updates to identify previous fixes
they want to apply.
Patches for some platforms and components were not available when the
Critical Patch Update was published on July 18, 2006. Please see
MetaLink Note 372930.1 (login required) for more information.
Appendix A. References
* US-CERT Vulnerability Note VU#932124 -
<http://www.kb.cert.org/vuls/id/932124>
* US-CERT Vulnerability Notes Related to Critical Patch Update -
July 2006 -
<http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_july
_2006>
* Critical Patch Update - July 2006 -
<http://www.oracle.com/technology/deploy/security/pdf/cpujul2006.h
tml>
* Critical Patch Updates and Security Alerts -
<http://www.oracle.com/technology/deploy/security/alerts.htm>
* Oracle Database Security Checklist (PDF) -
<http://www.oracle.com/technology/deploy/security/pdf/twp_security
_checklist_db_database.pdf>
* MetaLink Note 293956.1 (login required) -
<http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=29395
6.1>
* MetaLink Note 372930.1 (login required) -
<http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=37293
0.1>
* Details Oracle Critical Patch Update July 2006 -
<http://www.red-database-security.com/advisory/oracle_cpu_jul_2006
.html>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA06-200A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA06-200A Feedback VU#932124" in the
subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2006 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
July 19, 2006: Initial release
- -----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iQEVAwUBRL6QWH0pj593lg50AQJZMggAlatBR7sK2XPCUHkRWSpfrg+oF6pnEf4V
bX9MZ0KD9JnLPur9kh4WvRtM+Jd5Qu3qAjlE7wVPZe2IzTJMYBFuEyeKtdLT4dio
tVZNbUgrgly9qH+7t5GcjL+mEYrgZY7ex8KSIckE6TXciqjffbvx3aSS28FaBJDK
t6MzMVs2GPOE6GQ1aVNaSBaAUqz78JR7SCa5Iv9/hSafulsyMYn82s9pPvPrKtuU
eCSCD/m4/XZNSthfjso2fOpo5WEABvxSpLYtJ6VkWWJgRxsiKIbw1yLLtVUM/Ky3
jaFrW+auc3DvFoORxbY052r//35VYBXYJu4U4y+dKTgz4wuYADz8fA==
=q9ES
- -----END PGP SIGNATURE-----
- --------------------------END INCLUDED TEXT--------------------
You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.
NOTE: This is only the original release of the security bulletin. It may
not be updated when updates to the original are made. If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.
Contact information for the authors of the original document is included
in the Security Bulletin above. If you have any questions or need further
information, please contact them directly.
Previous advisories and external security bulletins can be retrieved from:
http://www.auscert.org.au/render.html?cid=1980
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967
iQCVAwUBRL7RNCh9+71yA2DNAQJINQQAgdqNZLq3fbFdLWzlBS5DFX/6OeVP0mQn
xy5MvU0d5yPX2SVQ4LgkrV462RJX1xQNhM7Zr6HbFUYIOIHUR4OXZqaWvs4zAcfh
FsIxi+c+SEEECRjiWxQrdgV1sspQwYMzO+ct4g99WtYQExc9xDdYpONY9QllknOL
ZsTi24QqXnY=
=s3pD
-----END PGP SIGNATURE-----