__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Capability
__________________________________________________________

INFORMATION BULLETIN

Oracle Critical Patch Update [January 2006]

January 18, 2006 00:00 GMT                    Number Q-100
[REVISED 24 Jan 2006]
______________________________________________________________________________
PROBLEM:    Oracle has released patches for multiple security vulnerabilities.

PLATFORM:   Category I
            Product releases and versions that are covered by Error Correction Support (ECS) or Extended Maintenance Support (EMS):
            * Oracle Database 10g Release 2, version 10.2.0.1
            * Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
            * Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
            * Oracle8i Database Release 3, version 8.1.7.4
            * Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
            * Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
            * Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
            * Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
            * Oracle9i Collaboration Suite Release 2, version 9.0.4.2
            * Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
            * Oracle E-Business Suite Release 11.0
            * PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
            * JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

            Category II
            Products and components that are bundled with the products listed in Category I:
            * Oracle Database 10g Release 1, version 10.1.0.4.2
            * Oracle Developer Suite, versions 6i, 9.0.2.1, 9.0.4.1, 9.0.4.2, 10.1.2.0
            * Oracle Workflow, versions 11.5.1 through 11.5.9.5

            Category III
            Products that are de-supported as a standalone installation but are supported when installed with the products listed in Category I:
            * Oracle9i Database Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
            * Oracle8 Database Release 8.0.6, version 8.0.6.3
            * Oracle9i Application Server Release 1, version 1.0.2.2
            * Oracle for OpenView (OfO) versions 8.1.7, 9.1.01, and 9.2 running on HP-UX, Tru64 UNIX, Linux, Solaris, and Windows

DAMAGE:     Please see Oracle's Risk Matrices. There are several SQL injection and information disclosure vulnerabilities reported.

SOLUTION:   Apply the appropriate Oracle patches.
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Exploiting some of the vulnerabilities may
ASSESSMENT:    allow execution of arbitrary code, SQL injection, information disclosure.
______________________________________________________________________________
LINKS:
CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-100.shtml
ORIGINAL BULLETIN:  http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html
ADDITIONAL LINK:    See Hewlett-Packard Subscription Service for: HPSBMA02094 SSRT061104 rev. 1
______________________________________________________________________________
REVISION HISTORY:
01/24/2006 - revised Q-100 to add a link to Hewlett-Packard HPSBMA02094 SSRT061104 rev. 1 for Oracle for OpenView (OfO) versions 8.1.7, 9.1.01, and 9.2 running on HP-UX, Tru64 UNIX, Linux, Solaris, and Windows.

[***** Start January 2006 *****]

Oracle Critical Patch Update - January 2006

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.

Supported Products and Components Affected

The security vulnerabilities addressed by this Critical Patch Update affect the products listed in Categories I, II, and III below.

Category I
Product releases and versions that are covered by Error Correction Support (ECS) or Extended Maintenance Support (EMS):
* Oracle Database 10g Release 2, version 10.2.0.1
* Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
* Oracle8i Database Release 3, version 8.1.7.4
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
* Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
* JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

Category II
Products and components that are bundled with the products listed in Category I:
* Oracle Database 10g Release 1, version 10.1.0.4.2
* Oracle Developer Suite, versions 6i, 9.0.2.1, 9.0.4.1, 9.0.4.2, 10.1.2.0
* Oracle Workflow, versions 11.5.1 through 11.5.9.5

Category III
Products that are de-supported as a standalone installation but are supported when installed with the products listed in Category I:
* Oracle9i Database Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
* Oracle8 Database Release 8.0.6, version 8.0.6.3
* Oracle9i Application Server Release 1, version 1.0.2.2

Patches for Category III products are only available when these products are installed as part of Category I products, and are tested solely on supported configurations and environments. Please refer to the Pre-Installation Note for each product for specific details concerning the support and availability of patches.

Unsupported Products

Unsupported products, releases and versions have been neither tested for the presence of vulnerabilities addressed by this Critical Patch Update, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1. However, it is likely that earlier patch sets of the affected releases are affected by these vulnerabilities.

New for this Critical Patch Update

Oracle has provided a default account and password checking utility intended to assist customers with securing certain default database accounts. The utility can be obtained from Patch 4926128, and is described in MetaLink Note 340009.1. This utility does not replace the essential security guidelines outlined in the security checklist, nor does it lessen the importance of verifying the status of all default database accounts.

Oracle E-Business Suite customers should refer to the Best Practices for Securing Oracle E-Business Suite, MetaLink Note 189367.1. It is imperative for customers to test and analyze the recommendations before implementing in production.

Oracle Database Client-only Installations

Three issues addressed in this Critical Patch Update are applicable to Oracle Database Client-only installations (installations that do not have the Oracle Database installed).

One vulnerability (DBC02) is in a utility that can be forced to terminate if given long arguments, potentially allowing code of an attacker's choice to be executed. However, this utility is not installed with setuid (elevated) privileges, so the risk that it can be effectively exploited is very low.

One of the issues (JN01) enables JDBC clients to bind to OID servers configured to disallow anonymous binds. If JDBC clients are not used to access an OID server, or the OID server is configured to allow anonymous binds, then this particular issue is not applicable to client-only installations.

The final client-only related vulnerability (DBC01) concerns named pipes in Windows. The vulnerability is exploitable only when a malicious person is able to create a named pipe that is subsequently used to communicate to a remote database server, also running Windows. This is a rare configuration; clients not configured in this manner are not vulnerable.

All three issues applicable to client-only installations are either very low risk or only applicable in specific configurations. Customers are advised to determine the priority of applying the Critical Patch Update to client-only installations based on the risk to their environment. Otherwise, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.

Patch Availability and Risk Matrices

The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle Collaboration Suite, JD Edwards EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal Applications patches in the Updates are cumulative; each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates.

Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.

For each Oracle product that is being administered, please consult the associated Pre-Installation Note for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please refer to the Oracle Critical Patch Update January 2006 Documentation Map, MetaLink Note 343383.1.

Product | Risk Matrix | Link to Pre-Installation Note or Pointer to More Information
Oracle Database | Appendix A - Oracle Database Risk Matrix | Pre-Installation Note for the Oracle Database, MetaLink Note 343384.1
Oracle Application Server | Appendix B - Oracle Application Server Risk Matrix | Pre-Installation Note for the Oracle Application Server, MetaLink Note 343385.1
Oracle Collaboration Suite | Appendix C - Oracle Collaboration Suite Risk Matrix | Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 343387.1
Oracle E-Business Suite and Applications | Appendix D - Oracle E-Business Suite and Applications Risk Matrix | Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 343389.1
Oracle Enterprise Manager | Appendix E - Enterprise Manager Risk Matrix | Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 343390.1
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne | Appendix F - Oracle PeopleSoft and JD Edwards Applications Risk Matrix | Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Advisory

Risk Matrix Contents

The risk matrices list only security vulnerabilities, and only the security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous fixes can be found in previous Critical Patch Update advisories.

One Vulnerability Appearing in Several Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update affect multiple products. The Risk Matrices show these shared vulnerabilities by using a distinct Vuln # identification for each of them in their row in the Risk Matrix. These rows are then duplicated into all appropriate risk matrices under a gray dividing line.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk and impact of exploitation. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Pre-Installation notes, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code nor "proof-of-concept" code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS) before the implementation of the Lifetime Support Policy. De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support (ES), before the implementation of the Lifetime Support Policy, are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.
Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan or the Lifetime Support Policy. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates.

Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES and EMS.

References

* Oracle Critical Patch Updates and Security Alerts
* Critical Patch Update - January 2006 Documentation Map, MetaLink Note 343383.1
* Critical Patch Update - January 2006 FAQ, MetaLink Note 343391.1
* Critical Patch Update Program General FAQ, MetaLink Note 290738.1
* Risk Matrix term definitions, MetaLink Note 293956.1
* Security Alerts and Critical Patch Updates - Frequently Asked Questions, MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Raffaele Amendola; Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust of Red Database Security GmbH; David Litchfield of Next Generation Security Software Ltd.; Srinivas Nookala of Cenzic, Inc.; Steve Orrin formerly of Watchfire, Inc.; Amichai Shulman of Imperva, Inc.

Modification History

2006-JAN-17
* Initial release

Appendix A

Oracle Database Risk Matrix

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Risk: Confidentiality (Ease/Impact) | Risk: Integrity (Ease/Impact) | Risk: Availability (Ease/Impact) | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
DB01 | Advanced Queuing | SQL (Oracle Net) | Database (execute on sys.dbms_aqadm_sys or sys.dbms_aqadm_syscalls) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 | ---
DB02 | Change Data Capture | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_utility) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.5, 10.2.0.1 | ---
DB03 | Connection Manager | Network | None | ---/--- | ---/--- | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5 | ---
DB04 | Data Pump | SQL (Oracle Net) | Database (execute on sys.kupw$worker) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5 | ---
DB05 | Data Pump Metadata API | SQL (Oracle Net) | Database (execute on sys.dbms_metadata) | Easy/Wide | Easy/Wide | ---/--- | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB06 | Data Pump Metadata API | SQL (Oracle Net) | Database (execute on sys.dbms_datapump) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5 | ---
DB07 | Dictionary | Local | Database and OS (alter session, read permission on database log files) | Easy/Wide | ---/--- | ---/--- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB08 | Net Foundation Layer | Network (Oracle Net) | None (network access to a Listener) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, 10.1.0.4 | ---
DB09 | Net Listener | Network (Oracle Net) | None (network access to a Listener) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, 10.2.0.1 | ---
DB10 | Net Listener | Network (Oracle Net) | None (network access to a Listener) | Difficult/Wide | Difficult/Wide | Easy/Wide | 10g | 10.1.0.5 | ---
DB11 | Net Listener | Network (Oracle Net) | None (network access to a Listener) | ---/--- | Easy/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7 | ---
DB12 | Network Communications (RPC) | Network (Oracle Net) | None (network access to a Listener) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, 10.2.0.1 | ---
DB13 | Network Communications (RPC) | Network (Oracle Net) | None (network access to a Listener) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, 10.2.0.1 | ---
DB14 | Oracle Label Security | SQL (Oracle Net) | Database (execute on lbacsys.lbac_cache) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB15 | Oracle Text | SQL (Oracle Net) | Database (execute on cxtsys.catsearch) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB16 | Oracle Text | SQL (Oracle Net) | Database (use of a rewrite specification) | Difficult/Wide | Difficult/Wide | Easy/Wide | 10g | 10.1.0.5 | ---
DB17 | Oracle Text | SQL (Oracle Net) | Database (ability to create a ctxsys index) | Difficult/Wide | Difficult/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.1 | ---
DB18 | Program Interface Network | SQL (Oracle Net) | Database (no special privileges needed) | Easy/Wide | Easy/Wide | Easy/Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.1 | ---
DB19 | Query Optimizer | SQL (Oracle Net) | Database (execute on sys.outln_pkg) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9i | 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB20 | Query Optimizer | SQL (Oracle Net) | Database (no special privileges needed) | ---/--- | ---/--- | Easy/Wide | 9iR2 | 9.2.0.6, 10.1.0.4 | ---
DB21 | Security | SQL (Oracle Net) | Database (execute on sys.dbms_fga.add_policy) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9i | 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, 10.1.0.4 | ---
DB22 | Streams Apply | SQL (Oracle Net) | Database (execute on sys.dbms_apply_adm_internal) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB23 | Streams Capture | SQL (Oracle Net) | Database (execute on sys.dbms_capture_adm_internal) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB24 | Streams Capture | SQL (Oracle Net) | Database (execute on sys.dbms_capture_process) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB25 | Streams Capture | SQL (Oracle Net) | Database (execute on sys.dbms_cdc_ipublish) | Easy/Wide | Easy/Wide | ---/--- | 10g | 10.1.0.5, 10.2.0.1 | ---
DB26 | Streams Subcomponent | SQL (Oracle Net) | Database (execute on sys.dbms_apply_process) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB27 | TDE Wallet | Local | OS (ability to access the SGA (e.g. via dumpsga)) | Easy/Wide | ---/--- | ---/--- | 10g | 10.2.0.1 | ---
DB28 | Upgrade & Downgrade | SQL (Oracle Net) | Database (execute on sys.dbms_registry) | Easy/Wide | Easy/Wide | ---/--- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.4 | ---
DB29 | XML Database | SQL (Oracle Net) | Database (execute on xdb.dbms_xmlschema or xdb.dbms_xmlschema_int) | Difficult/Wide | Difficult/Wide | Easy/Wide | 9iR2 | 9.2.0.7, 10.1.0.4 | ---
DBC01 | Protocol Support | Network (Oracle Net) | None (network access to a Listener) | Difficult/Limited | Difficult/Limited | Difficult/Limited | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5 | ---
DBC02 | Reorganize Objects & Convert Tablespace | Local | OS (ability to run nmuct) | Difficult/Limited | Difficult/Limited | Difficult/Limited | 10g | 10.1.0.4.2 | ---
JN01 | Java Net | Network (OID) | None (network access to an OID server) | Easy/Wide | ---/--- | ---/--- | 8i | 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.4 | ---
OHS01 | Oracle HTTP Server | Network (HTTP) | None | Easy/Wide | ---/--- | ---/--- | 9i | 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5 | ---
OHS02 | Oracle HTTP Server | Network (HTTP) | None | ---/--- | ---/--- | Easy/Wide | 10g | 10.1.0.5 | ---
WF01 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 9iR2 | 9.2.0.7 | ---
WF02 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 10g | 10.2.0.1 | ---
WF03 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 10g | 10.2.0.1 | ---

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.
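
Added example (not part of the Oracle advisory or the CIAC bulletin): one way to scope exposure to the Appendix A entries whose "Authorization Needed" column names a package is to list who currently holds EXECUTE on those objects, so that widely granted ones can be prioritized when scheduling the patch. The query assumes the standard DBA_TAB_PRIVS and DBA_ROLES dictionary views and a release that accepts WITH subqueries and ANSI joins; object names are taken from the matrix, with DB15 written as CTXSYS.CATSEARCH on the assumption that the matrix's "cxtsys" is a misprint, and DB21 mapped to its parent package DBMS_FGA.

```sql
-- Added example: inventory of EXECUTE grants on the objects named in the
-- Appendix A "Authorization Needed" column. Read-only; run as a user that
-- can query DBA_TAB_PRIVS and DBA_ROLES.
WITH matrix_objects AS (
  SELECT 'DB01' AS vuln, 'SYS' AS owner, 'DBMS_AQADM_SYS' AS object_name FROM dual UNION ALL
  SELECT 'DB01', 'SYS',     'DBMS_AQADM_SYSCALLS'       FROM dual UNION ALL
  SELECT 'DB02', 'SYS',     'DBMS_CDC_UTILITY'          FROM dual UNION ALL
  SELECT 'DB04', 'SYS',     'KUPW$WORKER'               FROM dual UNION ALL
  SELECT 'DB05', 'SYS',     'DBMS_METADATA'             FROM dual UNION ALL
  SELECT 'DB06', 'SYS',     'DBMS_DATAPUMP'             FROM dual UNION ALL
  SELECT 'DB14', 'LBACSYS', 'LBAC_CACHE'                FROM dual UNION ALL
  -- Assumption: the matrix prints "cxtsys"; CTXSYS is the Oracle Text schema.
  SELECT 'DB15', 'CTXSYS',  'CATSEARCH'                 FROM dual UNION ALL
  SELECT 'DB19', 'SYS',     'OUTLN_PKG'                 FROM dual UNION ALL
  -- The matrix names the procedure add_policy; grants are on the package.
  SELECT 'DB21', 'SYS',     'DBMS_FGA'                  FROM dual UNION ALL
  SELECT 'DB22', 'SYS',     'DBMS_APPLY_ADM_INTERNAL'   FROM dual UNION ALL
  SELECT 'DB23', 'SYS',     'DBMS_CAPTURE_ADM_INTERNAL' FROM dual UNION ALL
  SELECT 'DB24', 'SYS',     'DBMS_CAPTURE_PROCESS'      FROM dual UNION ALL
  SELECT 'DB25', 'SYS',     'DBMS_CDC_IPUBLISH'         FROM dual UNION ALL
  SELECT 'DB26', 'SYS',     'DBMS_APPLY_PROCESS'        FROM dual UNION ALL
  SELECT 'DB28', 'SYS',     'DBMS_REGISTRY'             FROM dual UNION ALL
  SELECT 'DB29', 'XDB',     'DBMS_XMLSCHEMA'            FROM dual UNION ALL
  SELECT 'DB29', 'XDB',     'DBMS_XMLSCHEMA_INT'        FROM dual
)
SELECT m.vuln,
       m.owner || '.' || m.object_name AS target,
       p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'every database user'
         WHEN r.role IS NOT NULL   THEN 'role (see DBA_ROLE_PRIVS for members)'
         ELSE 'user'
       END AS reach,
       p.grantable
FROM   matrix_objects m
       JOIN dba_tab_privs p
         ON  p.owner      = m.owner
         AND p.table_name = m.object_name   -- TABLE_NAME holds any object name
         AND p.privilege  = 'EXECUTE'
       LEFT JOIN dba_roles r
         ON  r.role = p.grantee
ORDER  BY CASE WHEN p.grantee = 'PUBLIC' THEN 0 ELSE 1 END,
          m.vuln,
          p.grantee;
```

A row whose grantee is PUBLIC means any authenticated database user already meets the authorization requirement listed for that entry; objects that do not exist in a given release simply return no rows.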

Workarounds, Oracle Database Vulnerabilities

There are no recommended workarounds for the Oracle Database vulnerabilities described in the Oracle Database Risk Matrix.

Appendix B

Oracle Application Server Risk Matrix

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Risk: Confidentiality (Ease/Impact) | Risk: Integrity (Ease/Impact) | Risk: Availability (Ease/Impact) | Earliest Supported Release Affected | Last Affected Patch set | Workaround
AS01 | Portal | Network (HTTP) | None | Easy/Wide | ---/--- | ---/--- | 1.0.2.2 | 9.0.4.2, 10.1.2.0 | ---
JN01 | Java Net | Network (OID) | None (network access to an OID server) | Easy/Wide | ---/--- | ---/--- | 1.0.2.2 | 1.0.2.2, 9.0.4.2, 10.1.2.0.2 | ---
OHS01 | Oracle HTTP Server | Network (HTTP) | None | Easy/Wide | ---/--- | ---/--- | 1.0.2.2 | 1.0.2.2, 9.0.4.2, 10.1.2.0.2 | ---
OHS02 | Oracle HTTP Server | Network (HTTP) | None | ---/--- | ---/--- | Easy/Wide | 10.1.2.0 | 10.1.2.0.2 | ---
FORM01 | Oracle Forms | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 9.0.4.1 | 9.0.4.2, 10.1.2.0.2 (10.1.2.0 is not affected) | ---
FORM02 | Oracle Forms | Local and Network (HTTP) | OS (ability to upload files to Forms server) | Easy/Wide | Easy/Wide | Easy/Wide | 9.0.4.1 | 9.0.4.2, 10.1.2.0.2 (10.1.2.0 is not affected) | ---
REP01 | Oracle Reports Developer | Network (HTTP) | None | ---/--- | Easy/Wide | ---/--- | 9.0.4.1 | 9.0.4.1 | ---
REP02 | Oracle Reports Developer | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.4.1 | 9.0.4.2 | ---
REP03 | Oracle Reports Developer | Local and Network (HTTP) | OS (ability to upload files to Reports server) | Easy/Wide | Easy/Wide | Easy/Wide | 9.0.4.1 | 9.0.4.2, 10.1.2.0.2 (10.1.2.0 is not affected) | ---
REP04 | Oracle Reports Developer | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 9.0.4.1 | 9.0.4.2 | ---
REP05 | Oracle Reports Developer | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 6.0.8.26(PS17) | 6.0.8.26(PS17) | ---
REP06 | Oracle Reports Developer | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 6.0.8.26(PS17) | 6.0.8.26(PS17) | ---
WF01 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 9.0.4.1 | 9.0.4.2, 10.1.2.1 | ---
WF02 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 9.0.4.1 | 9.0.4.2, 10.1.2.1 | ---
WF03 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 9.0.4.1 | 9.0.4.2, 10.1.2.1 | ---
DBC01 | Protocol Support | Network (Oracle Net) | None (network access to a Listener) | Difficult/Limited | Difficult/Limited | Difficult/Limited | 1.0.2.2 | 1.0.2.2, 9.0.4.2, 10.1.2.0.2 | ---
DBC02 | Reorganize Objects & Convert Tablespace | Local | OS (ability to run nmuct) | Difficult/Limited | Difficult/Limited | Difficult/Limited | 10.1.2.0 | 10.1.2.0.2 | ---

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Application Server Suite Risk Matrix.

Appendix C

Oracle Collaboration Suite Risk Matrix

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Risk: Confidentiality (Ease/Impact) | Risk: Integrity (Ease/Impact) | Risk: Availability (Ease/Impact) | Workaround
OCS01 | Email Server | Network (EMAIL) | None | Easy/Limited | ---/--- | ---/--- | ---
OCS02 | Email Server | Network (EMAIL) | None | Easy/Limited | ---/--- | ---/--- | ---
OCS03 | Email Server | Network (IMAP) | Valid Session | ---/--- | ---/--- | Easy/Wide | ---
OCS04 | Email Server | Network (IMAP/POP) | None | ---/--- | ---/--- | Easy/Wide | ---
OCS05 | Email Server | Network (SMTP) | None | Difficult/Wide | Difficult/Wide | Easy/Wide | ---
OCS06 | Email Server | Network (SMTP) | None | Difficult/Wide | Difficult/Wide | Easy/Wide | ---
OCS07 | Email Server | Network (SMTP) | None | Difficult/Wide | Difficult/Wide | Easy/Wide | ---
OCS08 | Email Server | Local | OS | Easy/Limited | ---/--- | ---/--- | ---
OCS09 | Email Server | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | ---
OCS10 | Oracle Collaboration Suite Wireless & Voice | Local | OS | Easy/Limited | ---/--- | ---/--- | ---
OCS11 | Oracle Collaboration Suite Wireless & Voice | Network (SMS) | Valid Session | Difficult/Limited | ---/--- | ---/--- | ---
OCS12 | Oracle Content Management SDK | Network (FTP) | None | Difficult/Limited | Difficult/Limited | ---/--- | ---
OCS13 | Oracle Content Management SDK | Network (HTTP) | Valid Session | ---/--- | Easy/Limited | Difficult/Wide | ---
OCS14 | Oracle Content Services | Network (EMAIL) | None | Easy/Limited | ---/--- | ---/--- | ---
OCS15 | Oracle Content Services | Network (HTTP) | None | Difficult/Limited | Difficult/Limited | Difficult/Limited | ---
WF01 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | ---
WF02 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | ---
WF03 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | ---
DBC01 | Protocol Support | Network (Oracle Net) | None (network access to a Listener) | Difficult/Limited | Difficult/Limited | Difficult/Limited | ---
DBC02 | Reorganize Objects & Convert Tablespace | Local | OS (ability to run nmuct) | Difficult/Limited | Difficult/Limited | Difficult/Limited | ---

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.

Appendix D

Oracle E-Business Suite and Applications Risk Matrix

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Risk: Confidentiality (Ease/Impact) | Risk: Integrity (Ease/Impact) | Risk: Availability (Ease/Impact) | Earliest Supported Release Affected | Last Affected Patch set | Workaround
APPS01 | Application Install | Local | OS (access to log files) | Easy/Wide | ---/--- | ---/--- | 11.5.1 | 11.5.10 | ---
APPS02 | CRM Technical Foundation | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.4 | 11.5.9 | ---
APPS03 | iProcurement | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.9 | 11.5.9 | ---
APPS04 | Oracle Application Object Library | Local | OS (access to log files) | Easy/Wide | ---/--- | ---/--- | 11.5.1 | 11.5.9 | ---
APPS05 | Oracle Application Object Library | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.9 | 11.5.9 | ---
APPS06 | Oracle Application Object Library | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.1 | 11.5.9 | ---
APPS07 | Oracle Applications Framework | Network (HTTP) | Valid Session | Easy/Wide | Easy/Wide | ---/--- | 11.0 | 11.5.10 | ---
APPS08 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.1 | 11.5.10 | ---
APPS09 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.1 | 11.5.10 | ---
APPS10 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.1 | 11.5.10 | ---
APPS11 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 11.5.1 | 11.5.10 | ---
APPS12 | Oracle Human Resources | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.5.2 | 11.5.10 | ---
APPS13 | Oracle iLearning | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 4.2 | 4.3 | ---
APPS14 | Oracle iLearning | Network (HTTP) | None | Easy/Limited | ---/--- | ---/--- | 4.2 | 4.3 | ---
APPS15 | Oracle Marketing | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.10 | 11.5.10 | ---
APPS16 | Oracle Marketing | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.10 | 11.5.10 | ---
APPS17 | Oracle Marketing Encyclopedia System | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.10 | 11.5.10 | ---
APPS18 | Oracle Trade Management | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.10 | 11.5.10 | ---
APPS19 | Oracle Web Applications Desktop Integration | Network (HTTP) | Valid Session | Easy/Limited | Easy/Limited | ---/--- | 11.5.1 | 11.5.10 | ---
WF01 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.0 | 11.5.10 | ---
WF02 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.0 | 11.5.10 | ---
WF03 | Oracle Workflow Cartridge | Network (HTTP) | Valid Session | Easy/Limited | ---/--- | ---/--- | 11.0 | 11.5.10 | ---
FORM01 | Oracle Forms | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 11.5.1 | 11.5.10 | ---
FORM02 | Oracle Forms | Local and Network (HTTP) | OS (ability to upload files to Forms server) | Easy/Wide | Easy/Wide | Easy/Wide | 11.5.1 | 11.5.10 | ---
REP01 | Oracle Reports Developer | Network (HTTP) | None | ---/--- | Easy/Wide | ---/--- | 11.5.1 | 11.5.10 | ---
REP05 | Oracle Reports Developer | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 11.5.1 | 11.5.10 | ---
REP06 | Oracle Reports Developer | Network (HTTP) | None | Easy/Wide | Easy/Wide | ---/--- | 11.5.1 | 11.5.10 | ---

Required Conditions, Oracle E-Business Suite and Applications Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite and Applications vulnerabilities described in the Oracle E-Business Suite and Applications Risk Matrix.

Appendix E

Oracle Enterprise Manager Risk Matrix

There are no new Oracle Enterprise Manager fixes in this Critical Patch Update. However, some of the fixes for the Oracle Application Server and the Oracle Database apply to the Oracle Enterprise Manager OMS Application and Repository Database.
Please consult the Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 343390.1 for instructions about how to obtain the necessary patches.

Appendix F

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Risk Matrix

PSE01
  Component: PeopleSoft Enterprise Portal
  Access Required (Protocol): Local access to client computer
  Authorization Needed (Package or Privilege Required): None
  Risk: Confidentiality (Ease/Impact): Easy/Limited
  Risk: Integrity (Ease/Impact): Easy/Limited
  Risk: Availability (Ease/Impact): ---/---
  Earliest Supported Release Affected: Enterprise Portal 8.4, 8.8, 8.9
  Last Affected Patch set (per Supported Release): 8.4 Bundle 15, 8.8 Bundle 10, 8.9 Bundle 2
  Workaround: ---

JDE01
  Component: JD Edwards HTML Server
  Access Required (Protocol): Network (HTTP)
  Authorization Needed (Package or Privilege Required): None
  Risk: Confidentiality (Ease/Impact): Easy/Wide
  Risk: Integrity (Ease/Impact): Difficult/Limited
  Risk: Availability (Ease/Impact): ---/---
  Earliest Supported Release Affected, Last Affected Patch set (per Supported Release): EnterpriseOne Tools 8.95, OneWorld Tools 8.95.F1 SP23_L1
  Workaround: ---

Required Conditions, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities

There are no recommended workarounds for the listed vulnerabilities.

[***** End January 2006 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle for the information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at:

    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-090: Vulnerability in Graphics Rendering Engine
Q-091: mod_auth_pgsql Security Update
Q-092: xpdf Buffer Overflows
Q-093: libapache2-mod-auth-pgsql
Q-094: auth_ldap Security Update
Q-095: Vulnerability in Embedded Web Fonts Could Allow Remote Code Execution
Q-096: Vulnerability in TNEF Decoding in Microsoft Outlook and Microsoft Exchange Could Allow Remote Code Execution
Q-097: Default Administrative Password in Cisco Security Monitoring, Analysis and Response System (CS-MARS)
Q-098: Ethereal Security Update
Q-099: Red Hat 4 Kernel Update