__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Oracle Critical Patch Update - July 2006

July 21, 2006 08:00 GMT                                          Number Q-251
______________________________________________________________________________

PROBLEM:   This update fixes multiple security problems in Oracle.

PLATFORM:  Category I
           Product releases and versions that are covered by Error Correction
           Support (ECS) or Extended Maintenance Support (EMS):
           • Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2 [ Database ]
           • Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5 [ Database ]
           • Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7 [ Database ]
           • Oracle8i Database Release 3, version 8.1.7.4 [ Database ]
           • Oracle Enterprise Manager 10g Grid Control, version 10.2.0.1 [ Enterprise Manager ]
           • Oracle Application Server 10g Release 3, versions 10.1.3.0.0 [ Application Server ]
           • Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0 [ Application Server ]
           • Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.2, 9.0.4.3 [ Application Server ]
           • Oracle Collaboration Suite 10g Release 1, version 10.1.2.0 [ Collaboration Suite ]
           • Oracle9i Collaboration Suite Release 2, version 9.0.4.2 [ Collaboration Suite ]
           • Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2 [ E-Business Suite ]
           • Oracle E-Business Suite Release 11.0 [ E-Business Suite ]
           • Oracle Pharmaceutical Applications versions 4.5.0 - 4.5.2 [ Pharmaceutical ]
           • Oracle PeopleSoft Enterprise Portal Solutions, Enterprise Portal, versions 8.4, 8.8, 8.9 [ PeopleSoft/JDE ]
           • Oracle PeopleSoft Enterprise Portal Solutions, Enterprise Portal with Enforcer Portal Pack, version 8.8 [ PeopleSoft/JDE ]
           • JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95, 8.96 [ PeopleSoft/JDE ]

           Category II
           Products and components that are bundled with the products listed
           in Category I:
           • Oracle Database 10g Release 1, version 10.1.0.4.2 [ Application Server ]
           • Oracle Application Server Portal, versions 10.1.4.0.0 [ Application Server ]
           • Oracle Developer Suite, versions 6i, 9.0.4.2 [ Developer Suite ] and [ E-Business Suite ]
           • Oracle Workflow, versions 11.5.1 through 11.5.9.5 [ E-Business Suite ]

           Category III
           Products that are de-supported as a standalone installation but
           are supported when installed with the products listed in
           Category I:
           • Oracle9i Database Release 1, versions 9.0.1.4 [ Collaboration Suite ]
           • Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS [ Application Server ]
           • Oracle8 Database Release 8.0.6, version 8.0.6.3 [ Application Server ] and [ E-Business Suite ]
           • Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1 [ Collaboration Suite ]
           • Oracle9i Application Server Release 1, version 1.0.2.2 [ E-Business Suite ]

           Patches for Category III products are only available when these
           products are installed as part of Category I products, and are
           tested solely on supported configurations and environments. Please
           refer to the documentation for each product for specific details
           concerning the support and availability of patches.

           Category IV
           Products that are supported only on selected platforms. Please
           consult the additional documentation for details.
           • Oracle Database 10g Release 1, version 10.1.0.3 [ Database ]
           • Oracle9i Database Release 2, version 9.2.0.5 [ Database ]
           • Oracle Application Server 10g Release 1 (9.0.4), version 9.0.4.1 [ Application Server ]

DAMAGE:    An untrusted, malicious server can cause an Oracle client to
           terminate if the client connects to the rogue server; one of the
           client vulnerabilities may additionally allow the execution of
           arbitrary code on the client.

SOLUTION:  Upgrade to the appropriate version.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. This is an Oracle Critical Patch Update.
ASSESSMENT:
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-251.shtml
 ORIGINAL BULLETIN:  Oracle Critical Patch Update - July 2006
                     http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html
______________________________________________________________________________

[****** START ORACLE BULLETIN HERE ******]

Oracle Critical Patch Update - July 2006

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.

Supported Products and Components Affected

The security vulnerabilities addressed by this Critical Patch Update affect the products listed in Categories I through IV under PLATFORM above. The product area of the patches for the listed versions is shown in [square brackets] following the product versions; the Patch Availability Table below identifies the documentation for those patches.

Unsupported Products

Unsupported products, releases and versions are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier patch sets of the affected releases are affected by these vulnerabilities. Supported products are patched in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1.

Oracle Database Client-only Installations

There are four new database vulnerabilities addressed by this Critical Patch Update that affect Oracle Database Client-only installations (installations that do not have the Oracle Database installed). For three of these vulnerabilities, an untrusted, malicious server can cause the client to terminate if the client connects to the rogue server.
The fourth vulnerability allows an untrusted, malicious server to cause the client to terminate, and additionally may allow the execution of arbitrary code on the client. A client may be exposed to these four vulnerabilities either by connecting directly to the malicious server, or through a database link.

Client-side software in the middle tier is patched as part of the general middle tier patch and customers do not need to apply additional patches. If this is not the case it will be documented in the appropriate supplementary documentation.

Patch Availability Table and Risk Matrices

The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle Collaboration Suite, JD Edwards EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal Applications patches in the Updates are cumulative; each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates. Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply.

For each Oracle product that is being administered, please consult the additional documentation for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please refer to the Oracle Critical Patch Update July 2006 Documentation Map, MetaLink Note 372928.1.
Patch Availability Table

Oracle Database
  Risk Matrix: Appendix A - Oracle Database Risk Matrix
  Pointer to More Information: Critical Patch Update Availability for Oracle Server and Middleware Products, MetaLink Note 372930.1

Oracle Application Server
  Risk Matrix: Appendix B - Oracle Application Server Risk Matrix
  Pointer to More Information: Critical Patch Update Availability for Oracle Server and Middleware Products, MetaLink Note 372930.1

Oracle Collaboration Suite
  Risk Matrix: Appendix C - Oracle Collaboration Suite Risk Matrix
  Pointer to More Information: Critical Patch Update Availability for Oracle Server and Middleware Products, MetaLink Note 372930.1

Oracle E-Business Suite and Applications
  Risk Matrix: Appendix D - Oracle E-Business Suite and Applications Risk Matrix
  Pointer to More Information: E-Business Suite Critical Patch Update Note, MetaLink Note 372931.1

Oracle Pharmaceutical Applications
  Risk Matrix: Appendix D - Oracle E-Business Suite and Applications Risk Matrix
  Pointer to More Information: Oracle Pharmaceutical Applications Critical Patch Update Pre-installation Note, MetaLink Note 374060.1

Oracle Enterprise Manager
  Risk Matrix: Appendix E - Enterprise Manager Risk Matrix
  Pointer to More Information: Critical Patch Update Availability for Oracle Server and Middleware Products, MetaLink Note 372930.1

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
  Risk Matrix: Appendix F - Oracle PeopleSoft and JD Edwards Applications Risk Matrix
  Pointer to More Information: Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Advisory

Risk Matrix Contents

The risk matrices list only security vulnerabilities, and only the security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous fixes can be found in previous Critical Patch Update advisories.

One Vulnerability Appearing in Several Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update affect multiple products. The Risk Matrices show these shared vulnerabilities by using a distinct Vuln # identification for each of them in their row in the Risk Matrix. These rows are then duplicated into all appropriate risk matrices under a gray dividing line.
Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk and impact of exploitation. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code nor "proof-of-concept" code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS) before the implementation of the Lifetime Support Policy. De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support (ES), before the implementation of the Lifetime Support Policy, are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.

Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan or the Lifetime Support Policy. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates. Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES and EMS.

References

 • Oracle Critical Patch Updates and Security Alerts
 • Critical Patch Update - July 2006 Documentation Map, MetaLink Note 372928.1
 • Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions, MetaLink Note 360470.1
 • Risk Matrix term definitions, MetaLink Note 293956.1

Credits

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Esteban Martinez Fayo of Application Security, Inc.; Dr. Christian Kleinewaechter and Swen Thuemmler of infinity3 GmbH; Alexander Kornbrust of Red Database Security GmbH; David Litchfield of Next Generation Security Software Ltd.

Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 15th day of January, April, July and October.
The next four dates are:
 • 17 October 2006
 • 16 January 2007
 • 17 April 2007
 • 17 July 2007

Modification History

 2006-JUL-18  Initial release
 2006-JUL-20  Changed "Access Required (Protocol)" for DB23 in the Database Risk Matrix

Appendix A - Oracle Database Risk Matrix

RISK columns (see note 293956.1) give Ease/Impact for Confidentiality, Integrity and Availability.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
DB01 | Change Data Capture (CDC) | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_impdp) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5 | ---
DB02 | Core RDBMS | SQL (Oracle Net) | Database (select on nested tables) | ---/--- | ---/--- | Easy/Wide | 9i | 9.0.1.5, 9.2.0.6 | ---
DB03 | Data Pump Metadata API | SQL (Oracle Net) | Database (execute on sys.kupw$worker) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5 | ---
DB04 | Web Distributed Authoring and Versioning (DAV) | Network (HTTP) | Database | ---/--- | ---/--- | Easy/Wide | 9iR2 | 9.2.0.6, 10.1.0.4 | ---
DB05 | Dictionary | SQL (Oracle Net) | Database (execute on sys.dbms_ddl) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.6 | ---
DB06 | Export | SQL (Oracle Net) | Database (execute on sys.dbms_export_extension) | Easy/Wide | Easy/Wide | ---/--- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB07 | InterMedia | SQL (Oracle Net) | Database (execute on ordsys.ordimgidxmethods) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9i | 9.0.1.5, 9.2.0.6, 10.1.0.4 | ---
DB08 | OCI | SQL (Oracle Net) | Database | ---/--- | Easy/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB09 | OCI | SQL (Oracle Net) | None | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB10 | OCI | SQL (Oracle Net) | None | ---/--- | Easy/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB11 | OCI | SQL (Oracle Net) | None | ---/--- | ---/--- | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB12 | OCI | SQL (Oracle Net) | Database | ---/--- | ---/--- | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB13 | OCI | SQL (Oracle Net) | None | ---/--- | ---/--- | Difficult/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB14 | OCI | SQL (Oracle Net) | Database | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB15 | Oracle ODBC Driver | SQL (Oracle Net) | Database (call procedure with ref cursor) | ---/--- | ---/--- | Easy/Wide | 10g | 10.1.0.4 | ---
DB16 | Query Rewrite/Summary Mgmt | SQL (Oracle Net) | Database (execute on sys.dbms_xrwmv) | Easy/Wide | Easy/Wide | ---/--- | 9i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB17 | RPC | SQL (Oracle Net) | Database | ---/--- | ---/--- | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB18 | RPC | SQL (Oracle Net) | None | ---/--- | ---/--- | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB19 | RPC | SQL (Oracle Net) | None | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB20 | Semantic Analysis | SQL (Oracle Net) | Database | Easy/Wide | Easy/Wide | ---/--- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB21 | Statistics | SQL (Oracle Net) | Database (execute on sys.dbms_stats) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5 | ---
DB22 | Upgrade & Downgrade | SQL (Oracle Net) | Database (execute on sys.dbms_dbupgrade) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5 | ---
DB23 | XMLDB | Network (HTTP) | None | ---/--- | ---/--- | Easy/Wide | 9iR2 | 9.2.0.6, 10.1.0.4 | ---
DBC01 | OCI | SQL (Oracle Net) | None | ---/--- | ---/--- | Easy/Limited | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DBC02 | RPC | SQL (Oracle Net) | None | ---/--- | ---/--- | Easy/Limited | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DBC03 | RPC | SQL (Oracle Net) | None | ---/--- | ---/--- | Easy/Limited | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DBC04 | RPC | SQL (Oracle Net) | Database | Difficult/Limited | Difficult/Limited | Easy/Limited | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

There are no recommended workarounds for the Oracle Database vulnerabilities described in the Oracle Database Risk Matrix.

Appendix B - Oracle Application Server Risk Matrix

RISK columns (see note 293956.1) give Ease/Impact for Confidentiality, Integrity and Availability.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set | Workaround
AS01 | OC4J | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.2.3 | 9.0.2.3 | ---
AS02 | OC4J | Network (HTTP) | Valid Session | Difficult/Limited | Difficult/Limited | ---/--- | 9.0.2.3 | 9.0.2.3, 9.0.3.1 | ---
AS03 | OC4J | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 9.0.4.2, 10.1.2.0.2, 10.1.2.1 | ---
AS04 | OC4J | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 10.1.2.0.0 | ---
AS05 | OC4J | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 9.0.4.2, 10.1.2.0.0 | ---
AS06 | OC4J | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | ---/--- | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 9.0.4.1 | ---
AS07 | OC4J | Network (HTTP) | None | ---/--- | ---/--- | Easy/Wide | 9.0.4.2 | 9.0.4.2, 10.1.2.0.0 | ---
AS08 | OC4J | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 9.0.4.2, 10.1.2.0.0 | ---
AS09 | OC4J | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | ---/--- | 10.1.3.0 | 10.1.3.0 | ---
AS10 | OC4J | Network (HTTP) | None | Easy/Wide | ---/--- | ---/--- | 10.1.2.0.2 | 10.1.2.0.2, 10.1.2.1 | ---

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Application Server Suite Risk Matrix.
Appendix C - Oracle Collaboration Suite Risk Matrix

RISK columns (see note 293956.1) give Ease/Impact for Confidentiality, Integrity and Availability.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set | Workaround
OCS01 | Calendar | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 10.1.2 | 10.1.2 | ---

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.

Appendix D - Oracle E-Business Suite and Applications Risk Matrix

RISK columns (see note 293956.1) give Ease/Impact for Confidentiality, Integrity and Availability.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set | Workaround
APPS01 | Internet Expenses | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.9 | 11.5.10CU2 | ---
APPS02 | Oracle Application Object Library | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS03 | Oracle Application Object Library | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.7 | 11.5.9 | ---
APPS04 | Oracle Application Object Library | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.7 | 11.5.9 | ---
APPS05 | Oracle Application Object Library | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | ---/--- | 11.5.10 | 11.5.10CU2 | ---
APPS06 | Oracle Application Object Library | Network (HTTP) | Valid Session | Easy/Wide | ---/--- | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS07 | Oracle Application Object Library | Network (HTTP) | Valid Session | Difficult/Limited | Difficult/Limited | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS08 | Oracle Application Object Library | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS09 | Oracle Application Object Library | Local | OS | Easy/Wide | Easy/Wide | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS10 | Oracle Application Object Library | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS11 | Oracle Applications Technology Stack | Network (HTTP) | Valid Session | Difficult/Wide | Difficult/Wide | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS12 | Oracle Applications Technology Stack | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS13 | Oracle Applications Technology Stack | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS14 | Oracle Call Center Technology | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.5.9 | 11.5.10CU2 | ---
APPS15 | Oracle Common Applications | Network (HTTP) | Valid Session | Easy/Wide | ---/--- | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS16 | Oracle Exchange | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 6.2.3 | 6.2.4 | ---
APPS17 | Oracle Exchange | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 6.2.3 | 6.2.4 | ---
APPS18 | Oracle Self-Service Web Applications | Network (HTTP) | None | Easy/Limited | Easy/Limited | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS19 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.5.7 | 11.5.10CU2 | ---
APPS20 | Oracle XML Gateway | Network (HTTP) | Valid Session | Difficult/Wide | Difficult/Wide | Easy/Wide | 11.5.7 | 11.5.9 | ---

Required Conditions, Oracle E-Business Suite and Applications Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite and Applications vulnerabilities described in the Oracle E-Business Suite and Applications Risk Matrix.
Appendix E - Oracle Enterprise Manager Risk Matrix

RISK columns (see note 293956.1) give Ease/Impact for Confidentiality, Integrity and Availability.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
EM01 | CORE: Repository | Network (HTTP) | Valid EM User Account | Easy/Wide | Easy/Wide | ---/--- | 9.0.1.0 | 9.0.1.0, 9.2.0.1 | ---
EM02 | Enterprise Config Management | Network (HTTP) | Valid EM User Account | Easy/Wide | Easy/Wide | ---/--- | 10.1.0.3 | 10.1.0.3 | ---
EM03 | Oracle Management Service | Network (HTTP) | None | Easy/Wide | ---/--- | ---/--- | 10.1.0.3 | 10.1.0.5, 10.2.0.1 | ---
EM04 | Oracle Management Service | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 10.1.0.3 | 10.1.0.5, 10.2.0.1 | ---

Required Conditions, Oracle Enterprise Manager Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Enterprise Manager Vulnerabilities

There are no recommended workarounds for the Oracle Enterprise Manager vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.
Appendix F - Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Risk Matrix

RISK columns (see note 293956.1) give Ease/Impact for Confidentiality, Integrity and Availability.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
PSE01 | PeopleSoft Enterprise Portal | Network | Valid Session | Easy/Limited | Easy/Limited | ---/--- | Enterprise Portal 8.4, 8.8, 8.9 | 8.4 Bundle #16; 8.8 Bundle #10; 8.9 Bundle #3 | ---
PSE02 | PeopleSoft Enterprise Portal | Network | Valid Session | Easy/Limited | Easy/Limited | ---/--- | Enterprise Portal 8.8 with Enforcer Portal Pack, Enterprise Portal 8.9 | 8.8 Bundle #10; 8.9 Bundle #3 | ---
JDE01 | JD Edwards HTML Server | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | ---/--- | OneWorld Tools; EnterpriseOne Tools 8.95, 8.96 | SP23_N1; 8.95.M1; 8.96.B1 | ---

Required Conditions, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities

There are no recommended workarounds for the listed vulnerabilities.

[****** END ORACLE BULLETIN ******]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

 Q-241: Vulnerability in Microsoft Internet Information Services using Active Server Pages
 Q-242: Vulnerabilities in Microsoft Excel
 Q-243: Vulnerabilities in Microsoft Office
 Q-244: Vulnerabilities in Microsoft Office Filters
 Q-245: Multiple Cisco Unified CallManager Vulnerabilities
 Q-246: Cisco Router Web Setup Ships with Insecure Default IOS Configuration
 Q-247: vixie-cron Security Update
 Q-248: kernel-source-2.6.8 et.al.
 Q-249: Vulnerability in PowerPoint
 Q-250: Multiple Vulnerabilities in Cisco Security Monitoring, Analysis and Response System (CS-MARS)