             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                        Oracle Critical Patch Update
                    [January 2005 Critical Patch Update]

January 18, 2005 22:00 GMT                                        Number P-100
______________________________________________________________________________
PROBLEM:       Oracle released a cumulative update (including all Oracle
               Security Alert #68 fixes) for multiple security
               vulnerabilities.

PLATFORM:      - Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3
                 and 10.1.0.3.1 (supported for Oracle Application Server only)
               - Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5
                 and 9.2.0.6
               - Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5
                 and 9.0.4 (9.0.1.5 FIPS) (supported for Oracle Application
                 Server only)
               - Oracle8i Database Server Release 3, version 8.1.7.4
               - Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported
                 for E-Business Suite only)
               - Oracle Application Server 10g Release 2 (10.1.2)
               - Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and
                 9.0.4.1
               - Oracle9i Application Server Release 2, versions 9.0.2.3 and
                 9.0.3.1
               - Oracle9i Application Server Release 1, version 1.0.2.2
               - Oracle Collaboration Suite Release 2, version 9.0.4.2
               - Oracle E-Business Suite and Applications Release 11i (11.5)
               - Oracle E-Business Suite and Applications Release 11.0

DAMAGE:        Specific details of each vulnerability are not available.
               However, they include PL/SQL Injection vulnerabilities that
               allow low privileged users to gain DBA privileges and a
               buffer overflow vulnerability.

SOLUTION:      Install the update.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Possible execution of arbitrary code with
ASSESSMENT:    privileges of the "Oracle" user on Unix/Linux and "System" on
               Microsoft Windows.
               Could also lead to disclosure of sensitive information.
______________________________________________________________________________
LINKS:         CIAC BULLETIN:
               http://www.ciac.org/ciac/bulletins/p-100.shtml
               ORIGINAL BULLETIN:
               http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf
______________________________________________________________________________

[***** Start January 2005 Critical Patch Update *****]

Critical Patch Update - January 2005

Description

This Critical Patch Update is a cumulative update (including all Oracle
Security Alert #68 fixes) containing fixes for multiple security
vulnerabilities. In addition, it also contains non-security fixes that are
required (because of interdependencies) by those security fixes. For more
information about this new process, please see the Oracle Critical Patch
Update Program General FAQ (MetaLink Note 290738.1).

The Critical Patch Update introduces the Risk Matrix as a method to allow
customers to gauge the severity of the vulnerabilities addressed. The matrix
provides the following information:

- The access required to exploit the vulnerability. If a network attack is
  possible, we will list the protocol used by the attack. The credentials and
  additional circumstances required to exploit the vulnerability.

- The risk of the vulnerability being exploited. This is categorized by the
  risk to confidentiality (e.g., privacy), integrity (e.g., information
  modification), and availability (e.g., service interruption). Each
  categorization indicates the ease with which the vulnerability can be
  exploited and the potential harm a successful attack can cause. The most
  serious vulnerabilities are Easy vulnerabilities that have a Wide impact.

- The earliest supported release indicates the first product version, that is
  still supported, affected by the vulnerability, and the last affected
  patchset indicates the last patchset for each supported release that is
  still affected by the vulnerability.
  As an example:

  - A customer is using Oracle Database 10g Release 1, version 10.1.0.2, and
    wishes to determine if they are affected by the DB06 vulnerability. In the
    Oracle Database Server Risk Matrix, the DB06 row shows '10g' in the
    Earliest Supported Release Affected column, and '10.1.0.3.1 (10g)' in the
    Last Affected Patch Set column. This means that all supported versions of
    10g up to and including 10.1.0.3.1 are affected by the vulnerability.
    Therefore, this customer is affected.

- The component that contained the vulnerability is listed. In many cases, a
  vulnerability can be exploited solely due to the component being present on
  the system, even if it is not used. The component information should not be
  used to determine if a system is vulnerable to a given attack. This
  information is provided to aid customer testing.

- Finally, we will indicate if recommended workarounds are available, and if
  so, what they are. Workarounds that may adversely affect the operation of
  other Oracle products are not provided.

MetaLink Note 293956.1 defines the terms used in the Risk Matrix.

Please note: Oracle has analyzed each potential vulnerability separately for
risk of exploit and impact of exploit. Oracle has performed no analysis on the
likelihood and impact of blended attacks (i.e. the exploitation of multiple
vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and
Security Alerts

Oracle Corporation conducts an analysis of each security vulnerability
addressed by a Critical Patch Update (CPU) or a Security Alert. The results of
the security analysis are reflected in the severity of the CPU or Security
Alert and the associated documentation describing, for example, the type of
vulnerability, the conditions required to exploit it and the result of a
successful exploit. Oracle provides this information, in part, so that
customers may conduct their own risk analysis based on the particulars of
their product usage.
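The DB06 walk-through above is a version-range comparison that patch-management
teams repeat for every row of the Risk Matrix, so the following added example
(not part of the CIAC bulletin or of Oracle's advisory) implements the check
generically. It assumes a mapping from Oracle release family labels such as
'10g' to dotted version prefixes, embeds a constructed two-row matrix (DB06 from
the text plus a hypothetical DB99 row with fixes in two release families), and
flags patch-set levels the advisory does not list as supported, since the
advisory says those were neither tested nor patched and are most likely still
affected.

```python
"""Classify an installed Oracle version against Critical Patch Update Risk Matrix rows.

Added example; the release-label mapping, the DB99 row and the supported-patchset
list are constructed for illustration. DB06's values come from the advisory text.
"""
from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# Assumed mapping of release family labels used in the matrix to the dotted
# prefix that family's versions start with ('10g' -> 10.1.x, '9iR2' -> 9.2.x).
RELEASE_PREFIX: Dict[str, Version] = {
    "8.0": (8, 0),
    "8i": (8, 1),
    "9iR1": (9, 0),
    "9iR2": (9, 2),
    "10g": (10, 1),
}

# Constructed Risk Matrix subset. Each row carries the earliest supported release
# affected and, per release family, the last patch set still affected (the
# advisory states the last affected patch set is given for each supported release).
RISK_MATRIX: Dict[str, dict] = {
    "DB06": {"earliest": "10g", "last_affected": {"10g": "10.1.0.3.1"}},
    # Hypothetical row: affected from 9iR2 onward, fixed in 9.2.0.6 and 10.1.0.3.
    "DB99": {"earliest": "9iR2",
             "last_affected": {"9iR2": "9.2.0.5", "10g": "10.1.0.2"}},
}

# Constructed from the advisory's "Supported Products Affected" list (database
# server entries only). Anything outside it is untested by the vendor.
SUPPORTED_PATCHSETS = {
    "10.1.0.2", "10.1.0.3", "10.1.0.3.1",
    "9.2.0.4", "9.2.0.5", "9.2.0.6",
    "9.0.1.4", "9.0.1.5",
    "8.1.7.4",
}


def parse_version(text: str) -> Version:
    """'10.1.0.3.1' -> (10, 1, 0, 3, 1); tuples then compare numerically, not lexically."""
    parts = text.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    return tuple(int(p) for p in parts)


def release_family(version: Version) -> Optional[str]:
    """Return the release label whose prefix matches the version, or None."""
    for label, prefix in RELEASE_PREFIX.items():
        if version[: len(prefix)] == prefix:
            return label
    return None


def assess(installed: str, vuln_id: str) -> str:
    """Classify one installed patch-set level against one matrix row.

    'affected'     : supported level, in an affected family, at or below that
                     family's last affected patch set
    'not_affected' : supported level outside the affected range
    'unsupported'  : level not in the supported list; untested and unpatched by
                     the vendor, so it should be treated as likely affected
    """
    row = RISK_MATRIX[vuln_id]
    if installed not in SUPPORTED_PATCHSETS:
        return "unsupported"
    version = parse_version(installed)
    family = release_family(version)
    if family is None:
        raise ValueError(f"unknown release family for {installed}")
    # Families older than the earliest supported affected release are out of range.
    if RELEASE_PREFIX[family] < RELEASE_PREFIX[row["earliest"]]:
        return "not_affected"
    last = row["last_affected"].get(family)
    if last is None:
        return "not_affected"  # no affected patch set listed for this family
    return "affected" if version <= parse_version(last) else "not_affected"


if __name__ == "__main__":
    # Reproduces the DB06 walk-through from the advisory: 10.1.0.2 is affected.
    for level in ("10.1.0.2", "10.1.0.3.1", "9.2.0.6", "10.1.0.1"):
        print(f"DB06 vs {level:10s}: {assess(level, 'DB06')}")
```

Because the advisory also says earlier patch-set levels are most likely affected even though untested, the 'unsupported' result is deliberately kept distinct from 'not_affected' so it cannot be misread as a clean bill of health.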
As a matter of policy, Oracle will not provide additional information about
the specifics of vulnerabilities beyond what is provided in the CPU or
Security Alert notification, the pre-installation notes, the readme files, and
FAQs. Oracle does not provide advance notification on CPU or Security Alerts
to individual customers. Finally, Oracle does not develop or distribute active
exploit code, nor "proof-of-concept" code, for vulnerabilities in our
products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended
Maintenance Support (EMS). De-support Notices indicate whether EMS is
available for a particular release and platform, as well as the specific
period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support
(ES) are entitled to download existing fixes; however, new issues that may
arise from the application of patches are not covered under ES. Therefore, ES
customers should have comprehensive plans to enable backing out any patch
application.

Oracle will not provide Critical Patch Updates for product versions which are
no longer covered under the Extended Maintenance Support plan. We recommend
that customers upgrade to the latest supported version of Oracle products in
order to obtain Critical Patch Updates. Please review the "Extended Support"
section within the Technical Support Policies for further guidelines regarding
ES & EMS.
Supported Products Affected

The following supported product releases and versions are affected by this
Critical Patch Update:

• Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1
  (supported for Oracle Application Server only)
• Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
• Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
  (9.0.1.5 FIPS) (supported for Oracle Application Server only)
• Oracle8i Database Server Release 3, version 8.1.7.4
• Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported for E-Business
  Suite only)
• Oracle Application Server 10g Release 2 (10.1.2)
• Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
• Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
• Oracle9i Application Server Release 1, version 1.0.2.2
• Oracle Collaboration Suite Release 2, version 9.0.4.2
• Oracle E-Business Suite and Applications Release 11i (11.5)
• Oracle E-Business Suite and Applications Release 11.0

The new database vulnerabilities addressed by this Critical Patch Update do
not affect Oracle Database Client-only installations (installations that do
not have the Oracle Database Server installed). Since this Critical Patch
Update includes all fixes from Security Alert 68, the client fixes in this
Critical Patch Update are the same as Security Alert 68. If Security Alert 68
has not been applied to Client-only installations, Security Alert 68 or this
Critical Patch Update must be installed on those installations in order to
eliminate the security vulnerabilities described by Security Alert 68.

Unsupported products, releases and versions have not been tested for the
presence of these vulnerabilities, nor patched, in accordance with section
4.3.3.3 of the Software Error Correction Support Policy (MetaLink Note
209768.1). However, earlier patchset levels of the affected releases are most
likely also affected by these vulnerabilities.
Oracle Database Server

Oracle Database Server Risk Matrix

Please refer to Appendix A - Oracle Database Server Risk Matrix.

Oracle Database Patch Availability

Please see the Pre-Installation Note for the Oracle Database Server, MetaLink
Note 293737.1.

Oracle Enterprise Manager Grid Control

There are no new fixes for Oracle Enterprise Manager Grid Control in this
Critical Patch Update. However, since this Critical Patch Update includes all
fixes in Security Alert 68, the Oracle Enterprise Manager fixes in this
Critical Patch Update are the same as Security Alert 68.

Oracle Enterprise Manager Patch Availability

Please see the Pre-Installation Note for the Oracle Enterprise Manager Grid
Control, MetaLink Note 295108.1.

Oracle Application Server

Oracle Application Server Risk Matrix

Please refer to Appendix B - Oracle Application Server Risk Matrix.

Oracle Application Server Patch Availability

Please see the Pre-Installation Note for the Oracle Application Server,
MetaLink Note 293738.1.

Oracle Collaboration Suite

Oracle Collaboration Suite Risk Matrix

Please refer to Appendix C - Oracle Collaboration Suite Risk Matrix.

Oracle Collaboration Suite Patch Availability

Please see the Pre-Installation Note for the Oracle Collaboration Suite,
MetaLink Note 293740.1.

Oracle E-Business and Applications

This Critical Patch Update contains security fixes for Oracle8 Database
Release 8.0.6 version 8.0.6.3 released in revision 3 of Alert 68 on December
27th, 2004. All E-Business customers must apply these patches.

Oracle E-Business Risk Matrix

Please refer to Appendix D - Oracle E-Business Risk Matrix.

Oracle E-Business Patch Availability

Please see the Pre-Installation Note for the Oracle E-Business Suite, MetaLink
Note 293741.1.
References

- Critical Patch Update - January 2005 FAQ, MetaLink Note 293955.1
- Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
- Oracle Critical Patch Update Documentation Tree, MetaLink Note 294914.1
- Security Alerts and Critical Patch Updates - Frequently Asked Questions,
  MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities
addressed by this Critical Patch Update to Oracle's attention: Pete Finnigan,
Alexander Kornbrust of Red Database Security, Stephen Kost of Integrigy,
David Litchfield of NGSS Limited.

Modification History

18-JAN-05: Initial release, version 1

FOR APPENDICES and Risk Matrices: see Critical Patch Update - January 2005 at
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf

[***** End January 2005 Critical Patch Update *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall
not be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

P-090: VIM Modeline Vulnerability
P-091: 'tiff' Unsanitized Input Vulnerability
P-092: kdelibs -- Unsanitised Input
P-093: HTML Help ActiveX Control Cross Domain Vulnerability
P-094: Microsoft Vulnerability in Cursor and Icon Format Handling
P-095: Microsoft Vulnerability in the Indexing Service
P-096: Sun SMC Default Configuration GUI Creates User Accounts with Blank
       Password Instead of Locked Accounts
P-097: Debian Exim Buffer Overflow
P-098: Updated Mozilla Packages Fix a Buffer Overflow
P-099: Apple iTunes Buffer Overflow