__________________________________________________________

             The U.S. Department of Energy
        Computer Incident Advisory Capability
__________________________________________________________

                    INFORMATION BULLETIN

          Oracle Critical Patch Update - October 2005

October 19, 2005 18:00 GMT                                 Number Q-024
[REVISED 24 Oct 2005]
[REVISED 20 Dec 2005]
______________________________________________________________________________

PROBLEM:       Oracle has released patches for multiple security
               vulnerabilities.

PLATFORM:      Category I
               Product releases and versions that are covered by Error
               Correction Support (ECS) or Extended Maintenance Support (EMS):
                 Oracle Database Server 10g Release 1, versions 10.1.0.3, 10.1.0.4
                 Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6, 9.2.0.7
                 Oracle8i Database Server Release 3, version 8.1.7.4
                 Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
                 Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2
                 Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
                 Oracle Collaboration Suite 10g Release 1, version 10.1.1
                 Oracle9i Collaboration Suite Release 2, version 9.0.4.2
                 Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 and 11.5.10 CU2
                 Oracle E-Business Suite Release 11.0
                 Oracle Clinical, versions 4.5.0 and 4.5.1
                 PeopleSoft Enterprise Tools, versions 8.1 through 8.46.03
                 PeopleSoft CRM, versions 8.81 through 8.9
                 JD Edwards EnterpriseOne, OneWorld XE, versions 8.95_B1, 8.94_Q1, SP23_K1

               Category II
               Products and components that are bundled with the products
               listed in Category I:
                 Oracle Database Server 10g Release 1, version 10.1.0.4.2
                 Oracle Developer Suite, versions 9.0.2.1, 9.0.4.1, 9.0.4.2, 10.1.2.0
                 Oracle Enterprise Manager Application Server Control, versions 9.0.4.1, 9.0.4.2
                 Oracle Enterprise Manager 10g Database Control, versions 10.1.0.3, 10.1.0.4
                 Oracle Workflow, versions 11.5.1 through 11.5.9.5

               Category III
               Products that are desupported as a standalone installation but
               are supported when installed with the products listed in
               Category I:
                 Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
                 Oracle8 Database Server Release 8.0.6, version 8.0.6.3
                 Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
                 Oracle9i Application Server Release 1, version 1.0.2.2

DAMAGE:        Oracle does not give descriptions of the vulnerabilities in
               this alert.

SOLUTION:      Apply the appropriate Oracle patches.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. Exploiting some of the vulnerabilities
ASSESSMENT:    requires network access, but no valid user account.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-024.shtml
 ORIGINAL BULLETIN:  Oracle Critical Patch Update - October 2005
                     http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html
 ADDITIONAL LINK:    Visit Hewlett-Packard Subscription Service for
                     HPSBMA01235 SSRT051055 rev.0
______________________________________________________________________________

REVISION HISTORY:
 10/24/05 - revised to add a link to Hewlett Packard Advisory HPSBMA01235
            SSRT051055 rev.0.
 12/20/05 - revised to reflect change to Oracle Critical Patch Update -
            October 2005. Please see the Modification History section for
            the list of changes.

[****** Start Oracle Bulletin October 2005 ******]

Oracle Critical Patch Update - October 2005

Description

A Critical Patch Update is a collection of patches for multiple security
vulnerabilities. It also includes non-security fixes that are required
(because of interdependencies) by those security patches.

Supported Products and Components Affected

The security vulnerabilities addressed by this Critical Patch Update affect
the products listed in Categories I, II, and III below.
Category I

Product releases and versions that are covered by Error Correction Support
(ECS) or Extended Maintenance Support (EMS):

 * Oracle Database 10g Release 2, version 10.2.0.1
 * Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4
 * Oracle9i Database Release 2, versions 9.2.0.5, 9.2.0.6, 9.2.0.7
 * Oracle8i Database Release 3, version 8.1.7.4
 * Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
 * Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2
 * Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
 * Oracle Collaboration Suite 10g Release 1, version 10.1.1
 * Oracle9i Collaboration Suite Release 2, version 9.0.4.2
 * Oracle Workflow, versions 2.6.2, 2.6.3, 2.6.3.5, 2.6.4
 * Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 and 11.5.10 CU2
 * Oracle E-Business Suite Release 11.0
 * Oracle Clinical, versions 4.5.0 and 4.5.1
 * PeopleSoft Enterprise Tools, versions 8.4x through 8.46.03
 * PeopleSoft CRM, versions 8.81 through 8.9
 * JD Edwards EnterpriseOne, OneWorld XE, versions 8.95_B1, 8.94_Q1, SP23_K1

Category II

Products and components that are bundled with the products listed in
Category I:

 * Oracle Database 10g Release 1, version 10.1.0.4.2
 * Oracle Developer Suite, versions 9.0.2.1, 9.0.4.1, 9.0.4.2, 10.1.2.0
 * Oracle Enterprise Manager Application Server Control, versions 9.0.4.1, 9.0.4.2
 * Oracle Enterprise Manager 10g Database Control, versions 10.1.0.3, 10.1.0.4

Category III

Products that are desupported as a standalone installation but are supported
when installed with the products listed in Category I:

 * Oracle9i Database Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
 * Oracle8 Database Release 8.0.6, version 8.0.6.3
 * Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
 * Oracle9i Application Server Release 1, version 1.0.2.2

Patches for Category III products are only available when these products are
installed as part of Category I products, and are tested solely on supported
configurations and environments. Please refer to the Pre-Installation Note for
each product for specific details concerning the support and availability of
patches.

Unsupported Products

Unsupported products, releases and versions have been neither tested for the
presence of vulnerabilities addressed by this Critical Patch Update, nor
patched, in accordance with section 4.3.3.3 of the Software Error Correction
Support Policy, MetaLink Note 209768.1. However, it is likely that earlier
patch sets of the affected releases are affected by these vulnerabilities.

Oracle Database Client-only Installations

The new database vulnerabilities addressed by this Critical Patch Update do
not affect Oracle Database Client-only installations (installations that do
not have the Oracle Database installed). Therefore, it is not necessary to
apply this Critical Patch Update to client-only installations if a prior
Critical Patch Update, or Alert 68, has already been applied to the
client-only installations.

Patch Availability and Risk Matrices

The Oracle Database, Enterprise Manager, Oracle Application Server and Oracle
Collaboration Suite patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical Patch
Updates. Oracle E-Business Suite and Applications patches are not cumulative,
so E-Business Suite and Applications customers should refer to previous
Critical Patch Updates to identify previous fixes they wish to apply.

For each Oracle product that is being administered, please consult the
associated Pre-Installation Note for patch availability information and
installation instructions. For an overview of all the documents related to
this Critical Patch Update, please refer to the Oracle Critical Patch Update
October 2005 Documentation Map, MetaLink Note 333954.1.
Product | Risk Matrix | Link to Pre-Installation Note or Pointer to More Information
Oracle Database | Appendix A - Oracle Database Risk Matrix | Pre-Installation Note for the Oracle Database, MetaLink Note 333956.1
Oracle Application Server | Appendix B - Oracle Application Server Risk Matrix | Pre-Installation Note for the Oracle Application Server, MetaLink Note 333959.1
Oracle Collaboration Suite | Appendix C - Oracle Collaboration Suite Risk Matrix | Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 333961.1
Oracle E-Business Suite and Applications | Appendix D - Oracle E-Business Suite and Applications Risk Matrix | Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 333963.1
Oracle Enterprise Manager | Appendix E - Enterprise Manager Risk Matrix | Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 333979.1
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne | Appendix F - Oracle PeopleSoft and JD Edwards Applications Risk Matrix | Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Advisory

Risk Matrix Contents

The risk matrices list only security vulnerabilities, and only the security
vulnerabilities that are newly fixed by the patches associated with this
advisory. Risk matrices for previous fixes can be found in previous Critical
Patch Update advisories.

One vulnerability appearing in two Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update affect both
the Database and Application Server products. The Risk Matrices show these
shared vulnerabilities by specifying the Vuln #s from both matrices on a
single vulnerability row.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk and
impact of exploitation. Oracle has performed no analysis on the likelihood
and impact of blended attacks (i.e. the exploitation of multiple
vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and
Security Alerts

Oracle Corporation conducts an analysis of each security vulnerability
addressed by a Critical Patch Update (CPU) or a Security Alert. The results of
the security analysis are reflected in the associated documentation
describing, for example, the type of vulnerability, the conditions required
to exploit it and the result of a successful exploit. Oracle provides this
information, in part, so that customers may conduct their own risk analysis
based on the particulars of their product usage. As a matter of policy, Oracle
will not provide additional information about the specifics of
vulnerabilities beyond what is provided in the CPU or Security Alert
notification, the Pre-Installation notes, the readme files, and FAQs. Oracle
does not provide advance notification on CPU or Security Alerts to individual
customers. Finally, Oracle does not develop or distribute active exploit code
nor "proof-of-concept" code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased
Extended Maintenance Support (EMS) before the implementation of the Lifetime
Support Policy. De-support Notices indicate whether EMS is available for a
particular release and platform, as well as the specific period during which
EMS will be available.

Customers with valid licenses for product versions covered by Extended
Support (ES), before the implementation of the Lifetime Support Policy, are
entitled to download existing fixes; however, new issues that may arise from
the application of patches are not covered under ES. Therefore, ES customers
should have comprehensive plans to enable removal of any applied patch.
Oracle will not provide Critical Patch Updates for product versions which are
no longer covered under the Extended Maintenance Support plan or the Lifetime
Support Policy. We recommend that customers upgrade to the latest supported
version of Oracle products in order to obtain Critical Patch Updates. Please
review the "Extended Support" section within the Technical Support Policies
for further guidelines regarding ES and EMS.

References

 * Oracle Critical Patch Updates and Security Alerts
 * Critical Patch Update - October 2005 FAQ, MetaLink Note 333985.1
 * Critical Patch Update - October 2005 as it relates to Oracle Pharmaceutical
   Applications, MetaLink Note 337522.1
 * MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
 * Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
 * Oracle Critical Patch Update Documentation Map, MetaLink Note 333954.1
 * Security Alerts and Critical Patch Updates - Frequently Asked Questions,
   MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities
addressed by this Critical Patch Update to Oracle's attention: Brian Carr;
Sacha Faust of S.P.I. Dynamics, Inc.; Esteban Martínez Fayó of Application
Security, Inc.; Alexander Kornbrust of Red Database Security; Steven Kost of
Integrigy Corporation; David Litchfield of NGSS Limited; noderat ratty; Keigo
Yamazaki of Little eArth Corporation Co., Ltd.

Modification History

2005-OCT-18  Initial release
2005-DEC-19
 * Added Database version 10.2.0.1 to Affected Products section and the DB
   and EM risk matrices.
 * Moved Oracle Workflow to Category I and clarified version numbers.
 * Added Workflow issues to the Database and Application Server Risk
   Matrices.
 * Removed references to PeopleSoft Enterprise Tools, version 8.1.
Appendix A
Oracle Database Risk Matrix

RISK columns give Ease/Impact for Confidentiality, Integrity and Availability;
--- means no impact listed.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
DB01 | PL/SQL | SQL (Oracle Net) | Database (execute on sys.standard) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4 | ---
DB02 | Change Data Capture | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_impdp) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB03 | Change Data Capture | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_impdp) | Difficult/Wide | Difficult/Wide | Easy/Wide | 10g | 10.1.0.4.2 | ---
DB04 | Change Data Capture | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_subscribe) | Easy/Wide | Easy/Wide | --- | 9iR2 | 9.2.0.7, 10.1.0.4.2 | ---
DB05 | Change Data Capture | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_dputil) | Difficult/Wide | Difficult/Wide | Easy/Wide | 10g | 10.1.0.4.2 | ---
DB06 | Data Guard Logical Standby | SQL (Oracle Net) | Database (execute on sys.dbms_logstdby, create procedure) | Easy/Wide | Easy/Wide | --- | 9iR2 | 9.2.0.7, 10.1.0.4.2 | ---
DB07 | Data Pump Export | SQL (Oracle Net) | Database (execute on sys.kupf$file) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB08 | Database Scheduler | SQL (Oracle Net) | Database (execute on sys.dbms_scheduler) | Difficult/Limited | Difficult/Limited | --- | 10g | 10.1.0.3 | ---
DB09 | Export | SQL (Oracle Net) | Database (execute on sys.dbms_export_extension) | Easy/Wide | Easy/Wide | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB10 | Locale | SQL (Oracle Net) | Database (execute on sys.utl_i18n) | --- | --- | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.4.2 | ---
DB11 | Materialized Views | SQL (Oracle Net) | Database (execute on sys.dbms_snapshot) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB12 | Materialized Views | SQL (Oracle Net) | Database (execute on sys.dbms_snapshot) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB13 | Objects Extension | SQL (Oracle Net) | Database (map methods) | Difficult/Wide | Difficult/Wide | Difficult/Wide | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB14 | Oracle Intelligent Agent | Local | OS | Difficult/Wide | Difficult/Wide | Difficult/Wide | 9i | 9.0.1.5, 9.0.1.5FIPS | ---
DB15 | Oracle Label Security | SQL (Oracle Net) | Database (execute on lbacsys.lbac_session) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB16 | Oracle Security Service | Network | None | Difficult/Limited | Difficult/Limited | Difficult/Limited | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB17 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_idx, or mdsys.sdo_rtree_admin, or mdsys.sdo_tune) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.6, 10.1.0.3 | ---
DB18 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_util) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB19 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_join) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB20 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_sam or mdsys.prvt_sam) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB21 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.prvt_idx) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB22 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.md2) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB23 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.rtree_idx) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB24 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_idx) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB25 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.prvt_idx) | Easy/Wide | Easy/Wide | --- | 10g | 10.1.0.4.2 | ---
DB26 | Programmatic Interface | Local | Database, OS (alter session privilege) | Easy/Wide | Easy/Wide | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.5 | ---
DB27 | Security | SQL (Oracle Net) | Database (execute on sys.pbsde) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.6, 10.1.0.4.2 | ---
DB28 | Workspace Manager | SQL (Oracle Net) | Database (execute on sys.lt) | Easy/Wide | Easy/Wide | --- | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB29 | Workspace Manager | SQL (Oracle Net) | Database (execute on sys.lt_ctx_pkg) | Easy/Wide | Easy/Wide | --- | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB30 AS03 | Oracle HTTP Server | Local | OS | Difficult/Wide | Difficult/Wide | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB31 AS05 | Oracle HTTP Server | Network (HTTP) | None | Difficult/Wide | Easy/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2 | ---
DB32 AS06 | Oracle Internet Directory | Local | OS | Difficult/Limited | Difficult/Limited | Difficult/Limited | 9i | 9.0.1.5, 9.0.1.5FIPS, 9.2.0.6 | ---
DB33 AS08 | Oracle Single Sign-On | Local | OS | Easy/Limited | Difficult/Limited | --- | 10g | 10.1.0.4.2 | ---
DB34 AS15 OCS14 APPS17 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2, 10.2.0.1 | ---
DB35 AS16 OCS15 APPS18 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2, 10.2.0.1 | ---
DB36 AS17 OCS16 APPS19 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2, 10.2.0.1 | ---
DB37 AS18 OCS17 APPS20 | Oracle Workflow Cartridge | Local | None | Easy/Wide | Easy/Wide | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2, 10.2.0.1 | ---
DB38 AS19 OCS18 APPS21 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5FIPS, 9.2.0.7, 10.1.0.4.2, 10.2.0.1 | ---

 * If further credentials or specific configurations are required to exploit
   the vulnerability, they will be listed in the Required Conditions, Oracle
   Database Vulnerabilities section of this document.
 * If a workaround is indicated, the Workarounds, Oracle Database
   Vulnerabilities section of this document describes the workaround for the
   Vuln# given above.

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

There are no recommended workarounds for the Oracle Database vulnerabilities
described in the Oracle Database Risk Matrix.

Appendix B
Oracle Application Server Risk Matrix

RISK columns give Ease/Impact for Confidentiality, Integrity and Availability;
--- means no impact listed.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set | Workaround
AS01 | OC4J Module | Network (HTTP) | None | Easy/Limited | --- | --- | 9.0.2.3 | 9.0.2.3, 9.0.4.2, 10.1.2.0.2 | ---
AS02 | Oracle Containers for J2EE | Network | None | --- | --- | Easy/Limited | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 9.0.4.2, 10.1.2.0 | ---
AS03 DB30 | Oracle HTTP Server | Local | OS | Difficult/Wide | Difficult/Wide | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.4.2, 10.1.2.0 | ---
AS04 | Oracle HTTP Server | Network (HTTP) | None | Easy/Limited | --- | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3 | ---
AS05 DB31 | Oracle HTTP Server | Network (HTTP) | None | Difficult/Wide | Easy/Wide | Easy/Wide | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.4.2, 10.1.2.0 | ---
AS06 DB32 | Oracle Internet Directory | Local | OS | Difficult/Limited | Difficult/Limited | Difficult/Limited | 9.0.2.3 | 9.0.2.3, 9.0.3.1, 9.0.4.2, 10.1.2.0 | ---
AS07 | Oracle Internet Directory | Network (HTTP) | None | Easy/Wide | Easy/Wide | --- | 9.0.4.1 | 9.0.4.1, 9.0.4.2, 10.1.2.0 | ---
AS08 DB33 | Oracle Single Sign-On | Local | OS | Easy/Limited | Difficult/Limited | --- | 9.0.2.3 | 9.0.2.3, 9.0.4.2 | ---
AS09 | Report Server | Network (HTTP) | None | Easy/Limited | --- | --- | 9.0.4.1 | 9.0.4.2, 10.1.2.0 | ---
AS10 | SQL*ReportWriter | Network (HTTP) | None | Easy/Wide | Easy/Wide | --- | 9.0.2.1 | 9.0.2.1 | ---
AS11 | Web Cache | Network (HTTP) | None | Easy/Wide | --- | --- | 9.0.2.3 | 9.0.2.3, 9.0.4.2, 10.1.2.0 | ---
AS12 | Web Cache | Network (HTTP) | None | Difficult/Wide | Difficult/Wide | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.4.2, 10.1.2.0 | ---
AS13 | Web Cache | Network (HTTP) | Web Cache Administrator | Easy/Wide | Easy/Wide | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.4.2 | ---
AS14 | Web Cache | Network | None | --- | --- | Easy/Wide | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.4.2, 10.1.2.0 | ---
AS15 DB34 OCS14 APPS17 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 9.0.4.1 | 9.0.4.1, 9.0.4.2, 10.1.2.0 | ---
AS16 DB35 OCS15 APPS18 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 9.0.4.1 | 9.0.4.1, 9.0.4.2, 10.1.2.0 | ---
AS17 DB36 OCS16 APPS19 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 9.0.4.1 | 9.0.4.1, 9.0.4.2, 10.1.2.0 | ---
AS18 DB37 OCS17 APPS20 | Oracle Workflow Cartridge | Local | None | Easy/Wide | Easy/Wide | --- | 9.0.4.1 | 9.0.4.1, 9.0.4.2, 10.1.2.0 | ---
AS19 DB38 OCS18 APPS21 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 9.0.4.1 | 9.0.4.1, 9.0.4.2, 10.1.2.0 | ---

 * If further credentials or specific configurations are required to exploit
   the vulnerability, they will be listed in the Required Conditions, Oracle
   Application Server Vulnerabilities section of this document.
 * If a workaround is indicated, the Workarounds, Oracle Application Server
   Vulnerabilities section of this document describes the workaround for the
   Vuln# given above.

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server
vulnerabilities described in the Application Server Suite Risk Matrix.
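Oracle's policy statement above leaves the risk analysis to the customer, and the CIAC assessment singles out the rows that need network access but no account. The script below is an added example, not part of the CIAC or Oracle bulletin. It transcribes five rows from Appendix A and B above into a small structure and triages them for an installed patch set: a row is taken to apply when the installed version is at or below a listed last-affected patch set in the same release line (following the bulletin's note that earlier patch sets are likely affected), network-reachable rows needing no credentials sort first, and the numeric ordering among the rest (two points per "Easy" cell, one per "Wide" cell) is this example's own scheme, not Oracle's risk definitions from MetaLink Note 293956.1.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RiskRow:
    """One row of an Oracle CPU risk matrix, columns as in Appendix A."""
    vuln: str
    component: str
    access: str                       # Access Required (Protocol)
    auth: str                         # Authorization Needed
    conf: Optional[Tuple[str, str]]   # Confidentiality (Ease, Impact); None for ---
    integ: Optional[Tuple[str, str]]  # Integrity
    avail: Optional[Tuple[str, str]]  # Availability
    last_affected: Tuple[str, ...]    # Last Affected Patch set (per Supported Release)


def cell(text: str) -> Optional[Tuple[str, str]]:
    """'Easy/Wide' -> ('Easy', 'Wide'); '---' -> None."""
    if text == "---":
        return None
    ease, impact = text.split("/")
    return (ease, impact)


# Subset of rows transcribed from Appendix A/B of the bulletin (selection is this example's).
ROWS = (
    RiskRow("DB01", "PL/SQL", "SQL (Oracle Net)", "Database (execute on sys.standard)",
            cell("Difficult/Wide"), cell("Difficult/Wide"), cell("Easy/Wide"),
            ("9.0.1.5", "9.0.1.5FIPS", "9.2.0.7", "10.1.0.4")),
    RiskRow("DB09", "Export", "SQL (Oracle Net)",
            "Database (execute on sys.dbms_export_extension)",
            cell("Easy/Wide"), cell("Easy/Wide"), cell("---"),
            ("8.1.7.4", "9.0.1.5", "9.0.1.5FIPS", "9.2.0.7", "10.1.0.4.2")),
    RiskRow("DB16", "Oracle Security Service", "Network", "None",
            cell("Difficult/Limited"), cell("Difficult/Limited"), cell("Difficult/Limited"),
            ("8.1.7.4", "9.0.1.5", "9.0.1.5FIPS", "9.2.0.7", "10.1.0.4.2")),
    RiskRow("DB31 AS05", "Oracle HTTP Server", "Network (HTTP)", "None",
            cell("Difficult/Wide"), cell("Easy/Wide"), cell("Easy/Wide"),
            ("8.1.7.4", "9.0.1.5", "9.0.1.5FIPS", "9.2.0.7", "10.1.0.4.2")),
    RiskRow("DB37 AS18 OCS17 APPS20", "Oracle Workflow Cartridge", "Local", "None",
            cell("Easy/Wide"), cell("Easy/Wide"), cell("---"),
            ("8.1.7.4", "9.0.1.5", "9.0.1.5FIPS", "9.2.0.7", "10.1.0.4.2", "10.2.0.1")),
)


def parse_version(text: str) -> Tuple[int, ...]:
    """'9.0.1.5FIPS' -> (9, 0, 1, 5); a trailing suffix such as FIPS is ignored."""
    return tuple(int(p) for p in re.match(r"[\d.]+", text).group(0).split("."))


def affects(row: RiskRow, installed: str) -> bool:
    """True when `installed` is at or below a last-affected patch set of the
    same release line (first two version components). Assumption of this
    example: earlier patch sets of an affected release are treated as affected."""
    inst = parse_version(installed)
    for p in row.last_affected:
        last = parse_version(p)
        if inst[:2] == last[:2] and inst <= last:
            return True
    return False


def unauthenticated_remote(row: RiskRow) -> bool:
    """The CIAC worst case: reachable over the network, no account needed."""
    return row.access.startswith("Network") and row.auth == "None"


def severity(row: RiskRow) -> int:
    """Ordering key: 2 per Easy cell, 1 per Wide cell (this example's scheme)."""
    total = 0
    for c in (row.conf, row.integ, row.avail):
        if c is not None:
            total += (2 if c[0] == "Easy" else 0) + (1 if c[1] == "Wide" else 0)
    return total


def triage(rows, installed: str) -> List[RiskRow]:
    """Rows that apply to `installed`, most urgent first (stable sort)."""
    hits = [r for r in rows if affects(r, installed)]
    return sorted(hits, key=lambda r: (unauthenticated_remote(r), severity(r)), reverse=True)


if __name__ == "__main__":
    for r in triage(ROWS, "9.2.0.6"):
        flag = "REMOTE/UNAUTH" if unauthenticated_remote(r) else ""
        print(f"{r.vuln:<24} {r.component:<26} sev={severity(r)} {flag}")
```

Run against an installed 9.2.0.6, the Oracle HTTP Server row (DB31/AS05) and the Oracle Security Service row (DB16) surface first because they match the CIAC "network access, no valid user account" condition; the remaining rows all need a database session. Swap in your own product's rows and patch set to reproduce the check for another matrix.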
Appendix C
Oracle Collaboration Suite Risk Matrix

RISK columns give Ease/Impact for Confidentiality, Integrity and Availability;
--- means no impact listed.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Workaround
OCS01 | Calendar | Network | None | Difficult/Wide | Difficult/Wide | Easy/Wide | ---
OCS02 | Calendar | Local | OS | Easy/Limited | --- | --- | ---
OCS03 | Calendar | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | ---
OCS04 | Calendar | Network (Calendar) | None | Easy/Limited | --- | --- | ---
OCS05 | Email Server | Local | OS | Easy/Limited | --- | --- | ---
OCS06 | Email Server | Network (IMAP) | None | --- | --- | Easy/Wide | ---
OCS07 | Email Server | Network (IMAP) | Valid Session | Difficult/Wide | --- | --- | ---
OCS08 | Email Server | Network (EMAIL) | None | Easy/Limited | Easy/Limited | --- | ---
OCS09 | Email Server | Network (EMAIL) | None | Easy/Limited | Easy/Limited | Difficult/Wide | ---
OCS10 | Email Server | Network (EMAIL) | None | --- | --- | Easy/Wide | ---
OCS11 | Oracle Files | Local | OS | Easy/Limited | Easy/Limited | --- | ---
OCS12 | Oracle Files | Network (FTP) | None | --- | --- | Easy/Wide | ---
OCS13 | Oracle Files | Network (NFS) | None | --- | --- | Easy/Limited | ---
OCS14 DB34 AS15 APPS17 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | ---
OCS15 DB35 AS16 APPS18 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | ---
OCS16 DB36 AS17 APPS19 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | ---
OCS17 DB37 AS18 APPS20 | Oracle Workflow Cartridge | Local | None | Easy/Wide | Easy/Wide | --- | ---
OCS18 DB38 AS19 APPS21 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | ---

 * If further credentials or specific configurations are required to exploit
   the vulnerability, they will be listed in the Required Conditions, Oracle
   Collaboration Suite Vulnerabilities section of this document.
 * If a workaround is indicated, the Workarounds, Oracle Collaboration Suite
   Vulnerabilities section of this document describes the workaround for the
   Vuln# given above.

Note to Oracle Collaboration Suite 10g Release 1, version 10.1.1 Customers

Oracle Collaboration Suite version 10.1.1 is not affected by any of the
security vulnerabilities listed in the Oracle Collaboration Suite Risk Matrix.
However, the products that are bundled with Oracle Collaboration Suite
(Oracle Database, Oracle Application Server) are affected by the
vulnerabilities, and must be patched according to the Pre-Installation Notes
for them.

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite
vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.

Appendix D
Oracle E-Business Suite and Applications Risk Matrix

RISK columns give Ease/Impact for Confidentiality, Integrity and Availability;
--- means no impact listed.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set | Workaround
APPS01 | Application Install | Local | OS (access to log files) | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS02 | Oracle Application Object Library | Network (HTTP) | None | Easy/Limited | --- | --- | 11.5.1 | 11.5.10 | ---
APPS03 | Oracle Application Object Library | Network (HTTP) | Valid Session | Difficult/Limited | Difficult/Limited | --- | 11.5.8 | 11.5.10 | ---
APPS04 | Oracle Application Object Library | Network (HTTP) | None | Easy/Limited | --- | --- | 11.5.1 | 11.5.9 | ---
APPS05 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy/Limited | --- | --- | 11.5.1 | 11.5.10 | ---
APPS06 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS07 | Oracle Applications Utilities | Network (HTTP) | None | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS08 | Oracle HRMS (Self Service) | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | --- | 11.0 | 11.5.10 | ---
APPS09 | Oracle HRMS (Self Service) | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS10 | Oracle HRMS (Self Service) | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS11 | Oracle HRMS (UK) | Network (HTTP) | None | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS12 | Oracle Mobile Application Foundation | Local | Valid Session | Easy/Wide | Easy/Wide | Difficult/Wide | 11.5.8 | 11.5.10 | ---
APPS13 | Oracle SDP Number Portability | Local | Valid Session | Easy/Wide | Easy/Wide | Difficult/Wide | 11.5.9 | 11.5.10 | ---
APPS14 | Oracle Service | Local | Valid Session | Easy/Wide | Easy/Wide | Difficult/Wide | 11.5.6 | 11.5.10 | ---
APPS15 | Oracle Service Fulfillment Manager | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | Easy/Limited | 11.5.9 | 11.5.10 | ---
APPS16 | Oracle Universal Work Queue | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | Easy/Limited | 11.5.10 | 11.5.10 | ---
APPS17 DB34 AS15 OCS14 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 11.5.1 | 11.5.9 | ---
APPS18 DB35 AS16 OCS15 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 11.5.1 | 11.5.9 | ---
APPS19 DB36 AS17 OCS16 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 11.0 | 11.5.9 | ---
APPS20 DB37 AS18 OCS17 | Oracle Workflow Cartridge | Local | None | Easy/Wide | Easy/Wide | --- | 11.5.1 | 11.5.10 | ---
APPS21 DB38 AS19 OCS18 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | --- | --- | 11.5.9 | 11.5.9 | ---
APPS22 | Oracle Clinical | Forms | Valid Session | Easy/Limited | Easy/Limited | --- | 4.5.0 | 4.5.1 | ---

 * If further credentials or specific configurations are required to exploit
   the vulnerability, they will be listed in the Required Conditions, Oracle
   E-Business Suite and Applications Vulnerabilities section of this
   document.
 * If a workaround is indicated, the Workarounds, Oracle E-Business Suite and
   Applications Vulnerabilities section of this document describes the
   workaround for the Vuln# given above.

Required Conditions, Oracle E-Business Suite and Applications Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite and
Applications vulnerabilities described in the Oracle E-Business Suite and
Applications Risk Matrix.

Appendix E
Oracle Enterprise Manager Risk Matrix

RISK columns give Ease/Impact for Confidentiality, Integrity and Availability;
--- means no impact listed.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality | Integrity | Availability | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
EM01 | Oracle Agent | Network (HTTP) | None | Difficult/Wide | Difficult/Wide | Easy/Wide | EM 9.0.4.1 | EM 9.0.4.2, EM 10.1.0.4, DB 10.2.0.1 | ---

 * If further credentials or specific configurations are required to exploit
   the vulnerability, they will be listed in the Required Conditions, Oracle
   Enterprise Manager Vulnerabilities section of this document.
 * If a workaround is indicated, the Workarounds, Oracle Enterprise Manager
   Vulnerabilities section of this document describes the workaround for the
   Vuln# given above.

Required Conditions, Oracle Enterprise Manager Vulnerabilities

No additional conditions are required in order to exploit the listed
vulnerabilities.

Workarounds, Enterprise Manager Vulnerabilities

There are no recommended workarounds for the Oracle Enterprise Manager
vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.
Appendix F Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Risk Matrix Vuln# Component Access Required (Protocol) Authorization Needed (Package or Privilege Required) RISK Earliest Supported Release Affected Last Affected Patch set (per Supported Release) Workaround Confidentiality Integrity Availability Ease Impact Ease Impact Ease Impact PSE01 PeopleTools Network (PIA) Valid Session Difficult Limited Difficult Limited --- --- 8.42 8.45.17 --- PSE02 PeopleTools Network (PIA) Valid Session Easy Limited Easy Limited Easy Limited 8.44 8.46.02 --- PSE03 PeopleTools Network (PIA) Valid Session Easy Wide Easy Wide Easy Wide 8.44 8.46.03 --- PSE04 PeopleTools Network (PIA) Valid Session Easy Limited --- --- --- --- 8.44 8.46 Yes JDE01 JDEdwards HTML Server Network (HTTP) None Difficult Limited Difficult Limited --- --- EnterpriseOne 8.94 OneWorld XE 8.95_B1, 8.94_Q1, SP23_K1 --- CRM01 Enterprise CRM Sales Network (PIA) Valid Session Difficult Limited Difficult Limited --- --- 8.81 8.9 --- * If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities section of this document. * If a workaround is indicated, the Workarounds, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities section of this document describes the workaround for the Vuln# given above. Required Conditions, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities No additional conditions are required in order to exploit the listed vulnerabilities. Workarounds, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities * PSE04 - Disable the PSOL Manager by using the following steps: 1. Open web.xml that resides in the WEB-INF folder under the PSOL folder. 2. Comment out the servlet-mapping element for PSOLManager by adding tags as shown in below. 3. 9. Restart the PSOL server. 10. 
      Verify the PSOLManager is disabled by attempting to open http://host:port/PSOL/psolmanager.htm with your browser. Then click the List Parameters link and confirm an error page displays.

[****** End Oracle Bulletin October 2005 ******]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the information contained in this bulletin.

_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government.
Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-014: Client Service for NetWare Could Allow Remote Code Execution
Q-015: Vulnerability in Plug and Play
Q-016: Ruby
Q-017: Sun Java System Application Server May Disclose Source Code of Java Server Pages
Q-018: VERITAS NetBackup Java User Interface Format String Vulnerability
Q-019: Lynx Security Update
Q-020: Multiple Security Vulnerabilities in Mozilla
Q-021: Openldap and nss_ldap Security Update
Q-022: Snort 2.4.3 Released
Q-023: UW-IMAP Vulnerability
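The PSE04 workaround in Appendix F above tells the administrator to comment out the servlet-mapping element for PSOLManager in web.xml and then confirm that the manager is disabled. The Python script below is an added verification aid; it is not part of the CIAC or Oracle bulletin. It parses a web.xml and lists any servlet-mapping for PSOLManager that is still live: a commented-out element is not parsed at all, so it drops out of the result. The before/after samples are constructed, and their servlet-class and url-pattern values are placeholders, since the bulletin does not show the actual tags. The check goes slightly beyond the bulletin's text by also handling descriptors that declare a default XML namespace (Servlet 2.4 and later), as the tag-name comparison strips the namespace first.

```python
"""Check whether a PSOL web.xml still has an active servlet-mapping for
PSOLManager, the element the PSE04 workaround says to comment out.

Added example, not the bulletin's own material. Sample descriptors are
constructed; servlet-class and url-pattern values are placeholders.
"""
import sys
import xml.etree.ElementTree as ET

SERVLET_NAME = "PSOLManager"


def _local(tag):
    # Strip an XML namespace prefix such as "{http://...}servlet-mapping"
    # so the check works for both DTD-based and namespaced web.xml files.
    return tag.rsplit("}", 1)[-1]


def active_mappings(web_xml, servlet_name=SERVLET_NAME):
    """Return the url-pattern of every servlet-mapping that still maps
    servlet_name. Elements inside <!-- --> are not parsed, so a correctly
    commented-out mapping does not appear here."""
    root = ET.fromstring(web_xml)
    patterns = []
    for elem in root.iter():
        if _local(elem.tag) != "servlet-mapping":
            continue
        name = pattern = None
        for child in elem:
            if _local(child.tag) == "servlet-name":
                name = (child.text or "").strip()
            elif _local(child.tag) == "url-pattern":
                pattern = (child.text or "").strip()
        if name == servlet_name:
            patterns.append(pattern)
    return patterns


def is_disabled(web_xml, servlet_name=SERVLET_NAME):
    """True when no live servlet-mapping for servlet_name remains."""
    return not active_mappings(web_xml, servlet_name)


# Constructed sample: mapping still active (placeholder class and pattern).
BEFORE = """<web-app>
  <servlet>
    <servlet-name>PSOLManager</servlet-name>
    <servlet-class>placeholder.PSOLManagerServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>PSOLManager</servlet-name>
    <url-pattern>/psolmanager</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same descriptor after the mapping is commented out.
AFTER = """<web-app>
  <servlet>
    <servlet-name>PSOLManager</servlet-name>
    <servlet-class>placeholder.PSOLManagerServlet</servlet-class>
  </servlet>
  <!--
  <servlet-mapping>
    <servlet-name>PSOLManager</servlet-name>
    <url-pattern>/psolmanager</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""

# Constructed sample with a default namespace (Servlet 2.4 style), mapping active.
NAMESPACED = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet-mapping>
    <servlet-name>PSOLManager</servlet-name>
    <url-pattern>/psolmanager</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    # Usage: python check_psol.py /path/to/PSOL/WEB-INF/web.xml
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else BEFORE
    live = active_mappings(text)
    print("PSOLManager disabled" if not live else
          "PSOLManager still mapped at: " + ", ".join(live))
```

Run it against the web.xml from step 1 of the workaround after the restart in step 9; it complements, rather than replaces, the browser check in step 10, because it only shows what the descriptor says, not what the running server has loaded.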
