Cert Security Alert

[cdnvic]

-----BEGIN PGP SIGNED MESSAGE-----

Hash: SHA1

Technical Cyber Security Alert TA05-117A

Oracle Products Contain Multiple Vulnerabilities

Original release date: April 27, 2005

Last revised: --

Source: US-CERT

Systems Affected

From the Oracle Critical Patch Update - April 2005:

* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,

10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle

Application Server only)

* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6

* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,

9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle

Application Server only)

* Oracle8i Database Server Release 3, version 8.1.7.4

* Oracle Application Server 10g Release 2 (10.1.2)

* Oracle Application Server 10g (9.0.4), versions 9.0.4.0,

9.0.4.1

* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1

* Oracle9i Application Server Release 1, version 1.0.2.2

* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2

* Oracle E-Business Suite and Applications Release 11i, versions

11.5.0 through 11.5.10

* Oracle E-Business Suite and Applications Release 11.0

* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,

10.1.0.3

* Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1

* PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93

* PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher

Overview

Various Oracle products and components are affected by multiple

vulnerabilities. The impacts of these vulnerabilities include

unauthenticated, remote code execution, information disclosure, and

denial of service.

I. Description

Oracle released a Critical Patch Update in April that addresses

more than seventy vulnerabilities in different Oracle products and

components. The Critical Patch Update provides information about

which components are affected, what access and authorization are

required, and how data confidentiality, integrity, and availability

may be impacted.

US-CERT strongly recommends that sites running Oracle review the

Critical Patch Update, apply patches, and take other mitigating

action as appropriate.

Oracle HTTP Server is based on the Apache HTTP Server. According to

Oracle, the Critical Patch Update addresses a number of previously

disclosed Apache vulnerabilities. Oracle Database Client-only

installations are not affected.

US-CERT is tracking all of these issues under VU#948486. As further

information becomes available, we will publish individual

Vulnerability Notes.

II. Impact

The impacts of these vulnerabilities vary depending on product or

component and configuration. Potential consequences include remote

execution of arbitrary code or commands, information disclosure,

and denial of service. An attacker who compromises an Oracle

database may be able to gain access to sensitive information.

III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle

Critical Patch Update - April 2005. The update notes that some

Oracle patches are cumulative while others are not:

The Oracle Database Server, Enterprise Manager, and the Oracle

Application Server patches for this Critical Patch Update are

cumulative, and contain all the fixes from the previous Critical

Patch Update.

...

E-Business Suite patches are not cumulative, so E-Business Suite

customers should refer to previous Critical Patch Updates to

identify previous fixes they wish to apply.

Oracle Collaboration Suite patches are not cumulative, so Oracle

Collaboration Suite customers should refer to previous Critical

Patch Updates to identify previous fixes they wish to apply.

Workarounds

It may be possible to mitigate some vulnerabilities by disabling or

removing unnecessary components and restricting network access.

Revoking PUBLIC EXECUTE privileges from vulnerable stored

procedures may reduce the impact of SQL injection vulnerabilities

(VU#982109). For more specific workarounds please see the

individual Vulnerability Notes.

Oracle Critical Patch Update - April 2005 contains a workaround for a

vulnerability in PeopleSoft.

Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - April 2005 and Critical

Patch Updates and Security Alerts.

Appendix B. References

* Critical Patch Update - April 2005 -

<http://www.oracle.com/technology/deploy/security/pdf/

cpuapr2005.pdf>

* Critical Patch Updates and Security Alerts -

<http://www.oracle.com/technology/deploy/security/alerts.htm>

* Map of Public Vulnerability to Advisory/Alert -

<http://www.oracle.com/technology/deploy/security/pdf/

public_vuln_to_advisory_mapping.html>

* Comments on Oracle Critical Patch Update April 2005 -

<http://www.red-database-security.com/wp/

comments_oracle_cpu_april_2005_us.pdf>

* NGSSoftware Oracle Database vulnerabilities -

<http://www.ngssoftware.com/advisories/oracle-03.txt>

* US-CERT Vulnerability Note VU#948486 -

<http://www.kb.cert.org/vuls/id/948486>

* US-CERT Vulnerability Note VU#982109 -

<http://www.kb.cert.org/vuls/id/982109>

_________________________________________________________________

Thanks to Alexander Kornbrust of Red-Database-Security GmbH.

Information used in this document came from Red-Database-Security and

Oracle. Oracle credits NGS Software Ltd., Integrigy, and Application

Security, Inc.

_________________________________________________________________

Feedback can be directed to the authors: Art Manion and Jeff Gennari.

Send mail to <[email protected]>.

Please include the Subject line "TA04-315A Feedback VU#948486".

_________________________________________________________________

Copyright 2005 Carnegie Mellon University.

Terms of use: <http://www.us-cert.gov/legal.html>

_________________________________________________________________

The most recent version of this document is available at:

<http://www.us-cert.gov/cas/techalerts/TA05-117A.html>

_________________________________________________________________

Revision History

April 27, 2005: Initial release

-----BEGIN PGP SIGNATURE-----

Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBQm/pwhhoSezw4YfQAQIouwgAhowi2o6QI66xpWVcyKDckKfJSlUKMoLt

vSHpL0J6vHJDGyrnllbVqcUhsYi78IPmvkOiZ0RbvgBtm9TR+zxO13CyQ6wWPoTl

dItgw4BDw/f1bzLthb7+2GvCzXqsG+ICWZegEzX31ma7tO0yb1sdGEt9kwgL64ik

njwJ/Bn7pG2b1EFQ1zurIOsOcINdUrThgk0BqNmGfRxRnIF7XXdEQUIC2Q0jAz4a

Qxx6rttfnCJp6LmVMyqLFDItn9QyBMQTIfiOKaGNnmu7oyk8jdZq+HoORaeYqbC8

ectngIs+FPKXEACRaAKi/F932fkD2BX5dS/IF1VkYw7tWX6M2I39Dw==

=5Mno

-----END PGP SIGNATURE-----