__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /      |      /_\   /
                      \___ __|__   /   \  \___
__________________________________________________________

                      INFORMATION BULLETIN

             Oracle Critical Patch Update - April 2005
                          [April 2005]

April 14, 2005 19:00 GMT                                          Number P-182
______________________________________________________________________________
PROBLEM:       A Critical Patch Update is a collection of patches for multiple
               security vulnerabilities.

PLATFORM:      * Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,
                 10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle
                 Application Server only)
               * Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
               * Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
                 9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle
                 Application Server only)
               * Oracle8i Database Server Release 3, version 8.1.7.4
               * Oracle Application Server 10g Release 2 (10.1.2)
               * Oracle Application Server 10g (9.0.4), versions 9.0.4.0,
                 9.0.4.1
               * Oracle9i Application Server Release 2, versions 9.0.2.3,
                 9.0.3.1
               * Oracle9i Application Server Release 1, version 1.0.2.2
               * Oracle Collaboration Suite Release 2, versions 9.0.4.1,
                 9.0.4.2
               * Oracle E-Business Suite and Applications Release 11i,
                 versions 11.5.0 through 11.5.10
               * Oracle E-Business Suite and Applications Release 11.0
               * Oracle Enterprise Manager Grid Control 10g, versions
                 10.1.0.2, 10.1.0.3
               * Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
               * PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and
                 8.93
               * PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and
                 higher

DAMAGE:        Specific details of each vulnerability are not available.
               However, they include vulnerabilities in authentication
               mechanisms and data access controls.

SOLUTION:      Apply the April 2005 Critical Patch Update patches for each
               affected product, following the product's Pre-Installation
               Note (listed below), or upgrade to a supported version that
               includes them.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. Unauthenticated users may be able to
ASSESSMENT:    access portions of the database that are not permitted.
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/p-182.shtml
 ORIGINAL BULLETIN:  Oracle Critical Patch Update - April 2005
                     http://www.oracle.com/technology/deploy/security/alerts.htm
______________________________________________________________________________

[***** Start Oracle Critical Update - April 2005 *****]

Critical Patch Update - April 2005

Description

A Critical Patch Update is a collection of patches for multiple security
vulnerabilities. It also includes non-security fixes that are required
(because of interdependencies) by those security patches. The Oracle Database
Server, Enterprise Manager, and Oracle Application Server patches in the
Updates are cumulative; each successive Critical Patch Update contains the
fixes from the previous Critical Patch Updates.

Supported Products Affected

The following supported product releases and versions are affected by the
security vulnerabilities addressed by this Critical Patch Update:

· Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.3.1,
  10.1.0.4 (10.1.0.3.1 is supported for Oracle Application Server only)
· Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
· Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.4
  (9.0.1.5 FIPS) (all of which are supported for Oracle Application Server
  only)
· Oracle8i Database Server Release 3, version 8.1.7.4
· Oracle Application Server 10g Release 2 (10.1.2)
· Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
· Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
· Oracle9i Application Server Release 1, version 1.0.2.2
· Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
· Oracle E-Business Suite and Applications Release 11i, versions 11.5.0
  through 11.5.10
· Oracle E-Business Suite and Applications Release 11.0
· Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
· Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
· PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
· PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher

Unsupported Products

Unsupported products, releases and versions have neither been tested for the
presence of vulnerabilities addressed by this Critical Patch Update, nor
patched, in accordance with section 4.3.3.3 of the Software Error Correction
Support Policy (MetaLink Note 209768.1). However, it is likely that earlier
patch set levels of the affected releases are affected by these
vulnerabilities.

Oracle Database Client-only installations

The new database vulnerabilities addressed by this Critical Patch Update do not
affect Oracle Database Client-only installations (installations that do not
have the Oracle Database Server installed). Therefore, it is not necessary to
apply this Critical Patch Update to client-only installations if a prior
Critical Patch Update, or Alert 68, has already been applied to the
client-only installations.

Critical Patch Update - April 2005                           Oracle Corporation

Patch Availability and Risk Matrices

For each Oracle product that is being administered, please consult the
associated Pre-Installation Note for patch availability information and
installation instructions. For an overview of all the documents related to
this Critical Patch Update, please see the Oracle Critical Patch Update
Documentation Map, MetaLink Note 304410.1.
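The following is an added example for this bulletin and is not code from Oracle or CIAC. It encodes three rules from the sections above into a small inventory checker: the Oracle Database Server patch sets and the E-Business Suite 11i range from "Supported Products Affected", the "Unsupported Products" note that earlier patch set levels of an affected release are likely affected, and the "Client-only installations" exemption for installs that already carry a prior Critical Patch Update or Alert 68. Only those two product families are encoded; the function names, verdict strings, and the inventory records at the bottom are illustrative and constructed, not taken from the advisory.

```python
"""Check Oracle Database Server / E-Business Suite 11i versions against the
April 2005 Critical Patch Update affected list (added example, not Oracle's
or CIAC's code; verdict names and sample inventory are constructed)."""
import re

# Affected Oracle Database Server patch sets from the advisory, keyed by the
# release line that identifies them.
DB_AFFECTED = {
    "10.1.0": ("10.1.0.2", "10.1.0.3", "10.1.0.3.1", "10.1.0.4"),
    "9.2.0": ("9.2.0.5", "9.2.0.6"),
    "9.0.1": ("9.0.1.4", "9.0.1.5"),
    "9.0.4": ("9.0.4",),
    "8.1.7": ("8.1.7.4",),
}
# E-Business Suite 11i: "versions 11.5.0 through 11.5.10" (inclusive).
EBS_11I_RANGE = ("11.5.0", "11.5.10")


def parse_version(text):
    """'10.1.0.3.1' -> (10, 1, 0, 3, 1). Tuple comparison orders patch sets
    correctly: (10,1,0,3) < (10,1,0,3,1) < (10,1,0,4)."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError("not a dotted numeric version: %r" % text)
    return tuple(int(p) for p in text.split("."))


def classify_db(version, client_only=False, prior_cpu_or_alert68=False):
    """Classify one Oracle Database install. Verdicts (names are ours):
      exempt            client-only install with a prior CPU or Alert 68
                        already applied; the new fixes do not apply to it
      affected          version is explicitly listed in the advisory
      likely-affected   earlier patch set of a listed release line; the
                        advisory says these are untested but likely vulnerable
      newer-than-listed later patch set than any the advisory names
      not-listed        release line not covered by this advisory at all
    A client-only install without a prior CPU still needs the cumulative
    update, so it falls through to the server rules."""
    if client_only and prior_cpu_or_alert68:
        return "exempt"
    v = parse_version(version)
    for line, listed in DB_AFFECTED.items():
        prefix = parse_version(line)
        if v[:len(prefix)] != prefix:
            continue
        listed_v = [parse_version(x) for x in listed]
        if v in listed_v:
            return "affected"
        if v < max(listed_v):
            return "likely-affected"
        return "newer-than-listed"
    return "not-listed"


def classify_ebs_11i(version):
    """E-Business Suite 11i: affected when 11.5.0 <= version <= 11.5.10."""
    v = parse_version(version)
    lo, hi = (parse_version(x) for x in EBS_11I_RANGE)
    if v[:2] != (11, 5):
        return "not-11i"
    if v < lo:
        return "likely-affected"
    return "affected" if v <= hi else "newer-than-listed"


def scan(inventory):
    """Apply the rules to (host, product, version, client_only, prior_cpu)
    records; returns {host: verdict}."""
    verdicts = {}
    for host, product, version, client_only, prior_cpu in inventory:
        if product == "db":
            verdicts[host] = classify_db(version, client_only, prior_cpu)
        elif product == "ebs":
            verdicts[host] = classify_ebs_11i(version)
        else:
            verdicts[host] = "unknown-product"
    return verdicts


# Constructed sample inventory; hosts and versions are invented for the demo.
SAMPLE_INVENTORY = [
    ("db-prod-01", "db", "10.1.0.3.1", False, False),
    ("db-prod-02", "db", "9.2.0.4", False, False),
    ("db-test-01", "db", "10.1.0.5", False, False),
    ("app-client-07", "db", "10.1.0.4", True, True),
    ("erp-01", "ebs", "11.5.9", False, False),
]

if __name__ == "__main__":
    for host, verdict in scan(SAMPLE_INVENTORY).items():
        print("%-14s %s" % (host, verdict))
```

A "likely-affected" verdict is the one to act on with the advisory's own caveat in mind: those patch sets were neither tested nor patched, so the remedy is to move to a listed patch set and then apply the update, not to apply the update directly.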
Product: Oracle Database Server
  Risk Matrix:            Appendix A - Oracle Database Server Risk Matrix
  Pre-Installation Note:  Pre-Installation Note for the Oracle Database Server,
                          MetaLink Note 301045.1

Product: Oracle Application Server
  Risk Matrix:            Appendix B - Oracle Application Server Risk Matrix
  Pre-Installation Note:  Pre-Installation Note for the Oracle Application
                          Server, MetaLink Note 301046.1

Product: Oracle Collaboration Suite
  Risk Matrix:            Appendix C - Oracle Collaboration Suite Risk Matrix
  Pre-Installation Note:  Pre-Installation Note for the Oracle Collaboration
                          Suite, MetaLink Note 301047.1

Product: Oracle E-Business and Applications
  Risk Matrix:            Appendix D - Oracle E-Business Risk Matrix
  Pre-Installation Note:  Pre-Installation Note for the Oracle E-Business
                          Suite, MetaLink Note 301048.1

Product: Oracle Enterprise Manager Grid Control
  Risk Matrix:            Appendix E - Oracle Enterprise Manager Grid Control
                          Risk Matrix
  Pre-Installation Note:  Pre-Installation Note for the Oracle Enterprise
                          Manager Grid Control, MetaLink Note 301049.1

Product: Oracle PeopleSoft Applications
  Risk Matrix:            Appendix F - Oracle PeopleSoft Applications Risk
                          Matrix
  Pre-Installation Note:  PeopleSoft Advisory

Risk Matrix Contents

The risk matrices in this advisory list only the vulnerabilities that are new
in this advisory. The Oracle Database Server, Enterprise Manager, and Oracle
Application Server patches for this Critical Patch Update are cumulative, and
contain all the fixes from the previous Critical Patch Update. Risk matrices
for these previous fixes can be found in the previous Critical Patch Update
advisory.

E-Business Suite patches are not cumulative, so E-Business Suite customers
should refer to previous Critical Patch Updates to identify previous fixes
they wish to apply. Oracle Collaboration Suite patches are likewise not
cumulative, so Oracle Collaboration Suite customers should refer to previous
Critical Patch Updates to identify previous fixes they wish to apply.

One Vulnerability Appearing in Two Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update are in both
the Database Server and Application Server products. The Risk Matrices show
these shared vulnerabilities by specifying the Vuln #s from both matrices on
a single vulnerability row.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk of
exploit and impact of exploit. Oracle has performed no analysis on the
likelihood and impact of blended attacks (i.e., the exploitation of multiple
vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and
Security Alerts

Oracle Corporation conducts an analysis of each security vulnerability
addressed by a Critical Patch Update (CPU) or a Security Alert. The results of
the security analysis are reflected in the associated documentation
describing, for example, the type of vulnerability, the conditions required
to exploit it and the result of a successful exploit. Oracle provides this
information, in part, so that customers may conduct their own risk analysis
based on the particulars of their product usage. As a matter of policy,
Oracle will not provide additional information about the specifics of
vulnerabilities beyond what is provided in the CPU or Security Alert
notification, the pre-installation notes, the readme files, and FAQs. Oracle
does not provide advance notification on CPU or Security Alerts to individual
customers. Finally, Oracle does not develop or distribute active exploit code
nor "proof-of-concept" code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended
Maintenance Support (EMS). De-support Notices indicate whether EMS is
available for a particular release and platform, as well as the specific
period during which EMS will be available. Customers with valid licenses for
product versions covered by Extended Support (ES) are entitled to download
existing fixes; however, new issues that may arise from the application of
patches are not covered under ES. Therefore, ES customers should have
comprehensive plans to enable removal of any applied patch. Oracle will not
provide Critical Patch Updates for product versions which are no longer
covered under the Extended Maintenance Support plan. We recommend that
customers upgrade to the latest supported version of Oracle products in order
to obtain Critical Patch Updates. Please review the "Extended Support" section
within the Technical Support Policies for further guidelines regarding ES and
EMS.

References

· Critical Patch Update - April 2005 FAQ, MetaLink Note 301041.1
· MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
· Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
· Oracle Critical Patch Update Documentation Map, MetaLink Note 304410.1
· Security Alerts and Critical Patch Updates - Frequently Asked Questions,
  MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities addressed
by this Critical Patch Update to Oracle's attention: Esteban Martínez Fayó of
Application Security, Inc., Stephen Kost of Integrigy, David Litchfield of
NGSS Limited.

Modification History

12-APR-05: Initial release, version 1
13-APR-05: Corrected link to the Oracle Critical Patch Update Documentation Map

[***** End Oracle Critical Update - April 2005 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-170: Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell
       Server
P-171: SGI Advanced Linux Environment 3 Security Update #33
P-172: SGI IRIX gr_osview File Overwrite Vulnerabilities
P-173: Cumulative Security Update for Internet Explorer
P-174: Vulnerability in Exchange Server
P-175: Vulnerability in MSN Messenger (896597)
P-176: Vulnerabilities in Microsoft Word (890169)
P-177: Vulnerabilities in TCP-IP (893066)
P-178: Vulnerability in Message Queuing (892944)
P-179: Vulnerability in Windows Shell (893086)
P-180: Vulnerabilities in Windows Kernel (890859)
P-181: Cisco Products Vulnerable to DoS via Crafted ICMP Messages