Oracle FAQ Your Portal to the Oracle Knowledge Grid

US-CERT Technical Cyber Security Alert TA05-292A

From: ynotssor <ynotssor_at_example.net>
Date: Wed, 19 Oct 2005 18:21:23 -0700
Message-ID: <3ro9p7Fkmd38U1@individual.net>


> Subj: US-CERT Technical Cyber Security Alert TA05-292A -- Oracle
> Products Contain Multiple Vulnerabilities
> Date: Wednesday, October 19, 2005 1:17 PM
> From: technical-alerts_at_us-cert.gov
> ----------------------------------------------------------------
> Oracle Products Contain Multiple Vulnerabilities
> Original release date: October 19, 2005
> Last revised: --
> Source: US-CERT
>
> Systems Affected
> * Oracle Database Server 10g
> * Oracle9i Database Server
> * Oracle8i Database Server
> * Oracle8 Database Server
> * Oracle Enterprise Manager 10g Grid Control
> * Oracle Enterprise Manager Application Server Control
> * Oracle Enterprise Manager 10g Database Control
> * Oracle Application Server 10g
> * Oracle9i Application Server
> * Oracle Collaboration Suite 10g
> * Oracle9i Collaboration Suite
> * Oracle E-Business Suite Release 11i
> * Oracle E-Business Suite Release 11.0
> * Oracle Clinical
> * JD Edwards EnterpriseOne, OneWorld XE
> * Oracle Developer Suite
> * Oracle Workflow
> For more information regarding affected product versions, please
> see the Oracle Critical Patch Update - October 2005.
>
> Overview
> Various Oracle products and components are affected by multiple
> vulnerabilities. The impacts of these vulnerabilities include
> unauthenticated, remote code execution, information disclosure, and
> denial of service.
>
> I. Description
> Oracle released a Critical Patch Update in October 2005. It
> addresses more than eighty vulnerabilities in different Oracle
> products and components.
>
> The Critical Patch Update provides information about affected
> components, access and authorization required, and the impact of
> the vulnerabilities on data confidentiality, integrity, and
> availability. For more information on terms used in the Critical
> Patch Update, MetaLink customers should refer to MetaLink Note
> 293956.1.
>
> According to the Critical Patch Update: "The new database
> vulnerabilities addressed by this Critical Patch Update do not
> affect Oracle Database Client-only installations (installations
> that do not have the Oracle Database Server installed). Therefore,
> it is not necessary to apply this Critical Patch Update to
> client-only installations if a prior Critical Patch Update, or
> Alert 68, has already been applied to the client-only
> installations."
>
> US-CERT recommends that sites running Oracle
> review the Critical Patch Update, apply patches, and take other
> mitigating action as appropriate. US-CERT is tracking all of these
> issues under VU#210524. As further information becomes available,
> we will publish individual Vulnerability Notes.
>
> Note that according to public reports, the patches included in this
> update, as well as previous updates, may not adequately correct all
> security vulnerabilities.
>
> II. Impact
> The impact of these vulnerabilities varies depending on the
> product, component, and configuration of the system. Potential
> consequences include remote execution of arbitrary code or
> commands, information disclosure, and denial of service. An
> attacker who compromises an Oracle database may be able to gain
> access to sensitive information.
>
> III. Solution
> Apply a patch
> Apply the appropriate patches or upgrade as specified in the Oracle
> Critical Patch Update - October 2005. Note that this Critical Patch
> Update only lists newly corrected issues. Updates to patches for
> previously known issues are not listed.
> Workarounds
> It may be possible to mitigate some vulnerabilities by disabling or
> removing unnecessary components, restricting network access, and
> restricting access to temporary files.
> Oracle Critical Patch Update - October 2005 suggests disabling the
> PSQL Manager to mitigate a vulnerability in PeopleSoft Enterprise
> PeopleTools (PSE04).
>
> Appendix A. Vendor Information
> Oracle
> Please see Oracle Critical Patch Update - October 2005 and Critical
> Patch Updates and Security Alerts.
>
> Appendix B. References
> * Critical Patch Update - October 2005 -
> <http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html>
> * Critical Patch Updates and Security Alerts -
> <http://www.oracle.com/technology/deploy/security/alerts.htm>
> * MetaLink Note 293956.1 -
> <http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=293956.1>
> * US-CERT Vulnerability Note VU#210524 -
> <http://www.kb.cert.org/vuls/id/210524>
> * US-CERT Vulnerability Notes Related to Critical Patch Update -
> October 2005 -
> <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_october_2005>
> * Map of Public Vulnerability to Advisory/Alert -
> <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
> * SecurityFocus BugTraq -
> <http://www.securityfocus.com/archive/1/413827/30/0/threaded>
>
> _________________________________________________________________
> The most recent version of this document can be found at:
> <http://www.us-cert.gov/cas/techalerts/TA05-292A.html>
> _________________________________________________________________
> Feedback can be directed to US-CERT. Please send email to:
> <cert_at_cert.org> with "TA05-292A Feedback VU#210524" in the subject.
> _________________________________________________________________
> Revision History
> Oct 19, 2005: Initial release
> _________________________________________________________________
> Produced 2005 by US-CERT, a government organization.
>
> Terms of use
> <http://www.us-cert.gov/legal.html>
> _________________________________________________________________
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/>.
Received on Wed Oct 19 2005 - 20:21:23 CDT
