Oracle Critical Patch Update - April 2006


Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.

Supported Products and Components Affected

The security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The Pre-Installation Note that describes the patches for the listed versions is shown in [square brackets] following the product versions. Please click on the links in the [square brackets] or in the Patch Availability Matrix to access the Pre-Installation Notes.

Category I

Product releases and versions that are covered by Error Correction Support (ECS) or Extended Maintenance Support (EMS):

Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2 [ Database ]
Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5 [ Database ]
Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7 [ Database ]
Oracle8i Database Release 3, version 8.1.7.4 [ Database ]
Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4, 10.2.0.1 [ Enterprise Manager ]
Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0, 10.1.3.0.0 [ Application Server ]
Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2 [ Application Server ]
Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2.0, 10.1.2.1 [ Collaboration Suite ]
Oracle9i Collaboration Suite Release 2, version 9.0.4.2 [ Collaboration Suite ]
Oracle E-Business Suite Release 11i, versions 11.5.1 - 11.5.10 CU2 [ E-Business Suite ]
Oracle E-Business Suite Release 11.0 [ E-Business Suite ]
Oracle Pharmaceutical Applications versions 4.5.0 - 4.5.2 [ Pharmaceutical ]
Oracle PeopleSoft Enterprise Tools, versions 8.47GA - 8.47.04 [ PeopleSoft/JDE ]
Oracle PeopleSoft Enterprise Tools, versions 8.46GA - 8.46.12 [ PeopleSoft/JDE ]
JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95 - 8.95.J1 [ PeopleSoft/JDE ]

Category II

Products and components that are bundled with the products listed in Category I:

Oracle Database 10g Release 1, version 10.1.0.4.2 [ Application Server ]
Oracle Developer Suite, versions 6i, 9.0.4.2 [ Application Server ] and [ E-Business Suite ]
Oracle Workflow, versions 11.5.1 through 11.5.9.5 [ E-Business Suite ]

Category III

Products that are de-supported as a standalone installation but are supported when installed with the products listed in Category I:

Oracle9i Database Release 1, version 9.0.1.4 [ Collaboration Suite ]
Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS [ Application Server ]
Oracle8 Database Release 8.0.6, version 8.0.6.3 [ Application Server ] and [ E-Business Suite ]
Oracle9i Application Server Release 1, version 1.0.2.2 [ E-Business Suite ]

Patches for Category III products are only available when these products are installed as part of Category I products, and are tested solely on supported configurations and environments. Please refer to the Pre-Installation Note for each product for specific details concerning the support and availability of patches.

Category IV

Products that are supported only on selected platforms. Please consult the appropriate Pre-Installation Notes for details.

Oracle Database 10g Release 1, version 10.1.0.3 [ Database ]
Oracle9i Database Release 2, version 9.2.0.5 [ Database ]

Unsupported Products

Unsupported products, releases and versions are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier patch sets of the affected releases are affected by these vulnerabilities. Supported products are patched in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1.

Default Account and Password Checking Utility

The password checking utility announced in the January 2006 Critical Patch Update has been significantly updated and renamed. The Oracle Default Password Scanner assists customers with securing Oracle-provided default database schema accounts that use default passwords. The MetaLink article titled Frequently Asked Questions about Oracle Default Password Scanner (MetaLink Note 361482.1) provides detailed information for this utility, including instructions for downloading the utility and its accompanying documentation, the Oracle Default Password Scanner User's Guide.

The Oracle Default Password Scanner does not replace the essential security guidelines described in the Database Security Checklist, nor does it lessen the importance of appropriately securing all database and application accounts. Customers using Oracle E-Business Suite should refer to Best Practices for Securing Oracle E-Business Suite (Oracle MetaLink Note 189367.1). Customers using customized applications or other non-Oracle products that are dependent on an Oracle database should refer to the product-specific documentation for each product before implementing these changes in a production environment.

Oracle Database Client-only Installations

The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle Database Client-only installations (installations that do not have the Oracle Database installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.

Client-side software in the middle tier is patched as part of the general middle-tier patch, and customers do not need to apply additional patches. Where this is not the case, it is documented in the appropriate Pre-Installation Note.

Patch Availability and Risk Matrices

The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle Collaboration Suite, JD Edwards EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal Applications patches in Critical Patch Updates are cumulative: each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates.

Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply.

For each Oracle product that is being administered, please consult the associated Pre-Installation Note for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please refer to the Oracle Critical Patch Update April 2006 Documentation Map, MetaLink Note 360464.1.

Product | Risk Matrix | Link to Pre-Installation Note or Pointer to More Information
Oracle Database | Appendix A - Oracle Database Risk Matrix | Pre-Installation Note for the Oracle Database, MetaLink Note 360465.1
Oracle Application Server | Appendix B - Oracle Application Server Risk Matrix | Pre-Installation Note for the Oracle Application Server, MetaLink Note 360466.1
Oracle Collaboration Suite | Appendix C - Oracle Collaboration Suite Risk Matrix | Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 360467.1
Oracle E-Business Suite and Applications | Appendix D - Oracle E-Business Suite and Applications Risk Matrix | Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 360468.1
Oracle Pharmaceutical Applications | Appendix D - Oracle E-Business Suite and Applications Risk Matrix | Critical Patch Update (CPUAPR2006) as it relates to Oracle Pharmaceutical Applications, MetaLink Note 362646.1
Oracle Enterprise Manager | Appendix E - Enterprise Manager Risk Matrix | Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 360469.1
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne | Appendix F - Oracle PeopleSoft and JD Edwards Applications Risk Matrix | Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Advisory

Risk Matrix Contents

The risk matrices list only security vulnerabilities, and only the security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous fixes can be found in previous Critical Patch Update advisories.

One Vulnerability Appearing in Several Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update affect multiple products. Each such shared vulnerability keeps a single, distinct Vuln# for its row, and that row is repeated in every applicable risk matrix below a gray dividing line.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk and impact of exploitation. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Pre-Installation Notes, the readme files, and FAQs. Oracle does not provide advance notification of CPUs or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code or "proof-of-concept" code for vulnerabilities in its products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS) before the implementation of the Lifetime Support Policy. De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support (ES), before the implementation of the Lifetime Support Policy, are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.

Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan or the Lifetime Support Policy. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates.

Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES and EMS.


Credits

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Esteban Martinez Fayo of Application Security, Inc.; Alexander Kornbrust of Red Database Security GmbH; David Litchfield of Next Generation Security Software Ltd.; noderat ratty.


Critical Patch Update Schedule

Critical Patch Updates are released on the Tuesday closest to the 15th day of January, April, July and October. The next four dates are:

  • 18 July 2006
  • 17 October 2006
  • 16 January 2007
  • 17 April 2007

Modification History

2006-APR-18 Initial release

Appendix A

Oracle Database Risk Matrix

Risk columns (see MetaLink Note 293956.1): Confidentiality, Integrity and Availability are each given as Ease / Impact.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality (Ease / Impact) | Integrity (Ease / Impact) | Availability (Ease / Impact) | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
DB01 | Advanced Replication | SQL (Oracle Net) | Database (execute on sys.dbms_reputil) | Difficult / Wide | Difficult / Wide | Easy / Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB02 | Advanced Replication | SQL (Oracle Net) | Database (execute on sys.dbms_repcat_admin, or execute_catalog_role) | Easy / Wide | Easy / Wide | --- / --- | 9iR2 | 9.2.0.6 | ---
DB03 | Advanced Replication | SQL (Oracle Net) | Database (execute on sys.dbms_snapshot_utl) | Difficult / Wide | Difficult / Wide | Easy / Wide | 10g | 10.1.0.4 | ---
DB04 | Dictionary | SQL (Oracle Net) | Database (ability to enable constraints) | --- / --- | Easy / Wide | Easy / Wide | 8i | 8.1.7.4, 9.0.1.5 | ---
DB05 | Export | SQL (Oracle Net) | Database (execute on sys.dbms_export_extension) | Easy / Wide | Easy / Wide | --- / --- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB06 | Log Miner | SQL (Oracle Net) | Database (execute on sys.dbms_logmnr_session) | Easy / Wide | Easy / Wide | --- / --- | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
DB07 | Oracle Enterprise Manager Intelligent Agent | Local | OS | Difficult / Limited | Difficult / Limited | Difficult / Limited | 9i | 9.0.1.5, 9.2.0.7 | ---
DB08 | Oracle Spatial | SQL (Oracle Net) | Database (create partitioned mdsys table) | Difficult / Wide | Difficult / Wide | Easy / Wide | 9iR2 | 9.2.0.7, 10.1.0.4, 10.2.0.1 | ---
DB09 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.prvt_idx) | Easy / Wide | Easy / Wide | --- / --- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.6 | ---
DB10 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_catalog.update_catalog) | Easy / Wide | Easy / Wide | --- / --- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB11 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_lrs_trig_ins{1}) | Easy / Wide | Easy / Wide | --- / --- | 9i | 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB12 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.sdo_pridx) | Easy / Wide | Easy / Wide | --- / --- | 9iR2 | 9.2.0.7, 10.1.0.4 | ---
DB13 | Oracle Spatial | Local | OS (access to registry) | Easy / Limited | --- / --- | --- / --- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7 | ---

Shared vulnerability, repeated here from the other risk matrices it affects (shown in the original below a gray dividing line):
PLSQL01 | ModPL/SQL for Apache | Network (HTTP) | None | Easy / Wide | Easy / Wide | Easy / Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

There are no recommended workarounds for the Oracle Database vulnerabilities described in the Oracle Database Risk Matrix.
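A small triage script, added here as an example and not part of Oracle's advisory or tooling, that reads risk-matrix rows in a pipe-delimited form and reports which rows still apply to a given installed patch set, ranked by the worst Ease / Impact cell with unauthenticated rows first. It assumes the reading of "Last Affected Patch set" given in its comments (an installed patch set at or below a listed one of the same release line is affected) and handles only dotted numeric patch sets such as 9.2.0.7; the sample rows are copied from Appendix A.

```python
# Added example, not Oracle's code: triage one installed Oracle Database version
# against rows of a CPU risk matrix. Assumed reading of the columns: a row applies
# when its "Last Affected Patch set" lists a patch set of the installed release line
# (same first three numbers) that is >= the installed one; earlier patch sets of that
# release line are treated as affected too, as the advisory says is likely.
from typing import List, Tuple

# Constructed sample: six rows copied from Appendix A of this advisory, laid out as
# "Vuln# | Component | Access | Authorization | C | I | A | Earliest | Last | Workaround"
# with each of the C/I/A cells written as "Ease / Impact".
SAMPLE_MATRIX = """\
DB01 | Advanced Replication | SQL (Oracle Net) | Database (execute on sys.dbms_reputil) | Difficult / Wide | Difficult / Wide | Easy / Wide | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 | ---
DB02 | Advanced Replication | SQL (Oracle Net) | Database (execute on sys.dbms_repcat_admin, or execute_catalog_role) | Easy / Wide | Easy / Wide | --- / --- | 9iR2 | 9.2.0.6 | ---
DB05 | Export | SQL (Oracle Net) | Database (execute on sys.dbms_export_extension) | Easy / Wide | Easy / Wide | --- / --- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 | ---
DB07 | Oracle Enterprise Manager Intelligent Agent | Local | OS | Difficult / Limited | Difficult / Limited | Difficult / Limited | 9i | 9.0.1.5, 9.2.0.7 | ---
DB09 | Oracle Spatial | SQL (Oracle Net) | Database (execute on mdsys.prvt_idx) | Easy / Wide | Easy / Wide | --- / --- | 8i | 8.1.7.4, 9.0.1.5, 9.2.0.6 | ---
PLSQL01 | ModPL/SQL for Apache | Network (HTTP) | None | Easy / Wide | Easy / Wide | Easy / Wide | 9iR2 | 9.2.0.7, 10.1.0.5 | ---
"""

EASE = {"Easy": 2, "Difficult": 1, "---": 0}
IMPACT = {"Wide": 2, "Limited": 1, "---": 0}

def parse_version(text: str) -> Tuple[int, ...]:
    """'9.2.0.7' -> (9, 2, 0, 7); tuples compare component-wise."""
    return tuple(int(part) for part in text.strip().split("."))

def is_affected(installed: str, last_affected_cell: str) -> bool:
    """True when the row lists a patch set of the installed release line
    (same first three numbers) that is >= the installed patch set."""
    inst = parse_version(installed)
    for entry in last_affected_cell.split(","):
        last = parse_version(entry)
        if last[:3] == inst[:3] and inst <= last:
            return True
    return False  # release line not listed: the row does not apply to it

def exposure_score(cia_cells: List[str]) -> int:
    """Worst of the C/I/A cells: 4 = Easy / Wide, 0 = not applicable."""
    scores = []
    for cell in cia_cells:
        ease, impact = (part.strip() for part in cell.split("/"))
        scores.append(EASE[ease] * IMPACT[impact])
    return max(scores)

def triage(matrix_text: str, installed: str) -> List[Tuple[str, str, int, str]]:
    """(vuln_id, component, score, authorization) for rows that apply to the
    installed version; worst exposure first, unauthenticated rows before others."""
    hits = []
    for line in matrix_text.splitlines():
        cols = [c.strip() for c in line.split("|")]
        if len(cols) != 10:
            continue  # blank or malformed line
        vuln, component, _access, auth, c, i, a, _earliest, last, _workaround = cols
        if is_affected(installed, last):
            hits.append((vuln, component, exposure_score([c, i, a]), auth))
    hits.sort(key=lambda h: (-h[2], h[3] != "None", h[0]))
    return hits

if __name__ == "__main__":
    for vuln, component, score, auth in triage(SAMPLE_MATRIX, "9.2.0.7"):
        print(f"{vuln:8} score={score} auth={auth}: {component}")
```

Rows whose release line is not listed at all are reported as not applicable, which is how a fixed patch set such as 9.2.0.7 drops off DB02 and DB09 while 9.2.0.6 still picks them up.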


Appendix B

Oracle Application Server Risk Matrix

Risk columns (see MetaLink Note 293956.1): Confidentiality, Integrity and Availability are each given as Ease / Impact.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality (Ease / Impact) | Integrity (Ease / Impact) | Availability (Ease / Impact) | Earliest Supported Release Affected | Last Affected Patch set | Workaround
PLSQL01 | ModPL/SQL for Apache | Network (HTTP) | None | Easy / Wide | Easy / Wide | Easy / Wide | 1.0.2.2 | 1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, 10.1.3.0.0 | ---

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Oracle Application Server Risk Matrix.


Appendix C

Oracle Collaboration Suite Risk Matrix

Risk columns (see MetaLink Note 293956.1): Confidentiality, Integrity and Availability are each given as Ease / Impact.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality (Ease / Impact) | Integrity (Ease / Impact) | Availability (Ease / Impact) | Workaround
OCS01 | Email Server | Network (IMAP) | Valid Session | Difficult / Wide | Difficult / Wide | Easy / Wide | ---
OCS02 | Email Server | Network (HTTP) | None | Easy / Wide | Easy / Wide | --- / --- | ---
OCS03 | Email Server | Network (EMAIL) | None | Easy / Wide | --- / --- | --- / --- | ---
OCS04 | Email Server | Network (EMAIL) | None | Easy / Wide | --- / --- | --- / --- | ---

Shared vulnerability, repeated here from the other risk matrices it affects (shown in the original below a gray dividing line):
PLSQL01 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy / Wide | Easy / Wide | Easy / Wide | ---

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.


Appendix D

Oracle E-Business Suite and Applications Risk Matrix

Risk columns (see MetaLink Note 293956.1): Confidentiality, Integrity and Availability are each given as Ease / Impact.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality (Ease / Impact) | Integrity (Ease / Impact) | Availability (Ease / Impact) | Earliest Supported Release Affected | Last Affected Patch set | Workaround
APPS01 | Application Install | Local | OS | Difficult / Wide | Difficult / Wide | Easy / Limited | 11.5.1 | 11.5.10CU2 | ---
APPS02 | Financials for Asia/Pacific | Network (HTTP) | Valid Session | Easy / Wide | Easy / Wide | --- / --- | 11.0 | 11.5.9 | ---
APPS03 | iProcurement | Network (HTTP) | Valid Session | --- / --- | Easy / Limited | --- / --- | 11.5.10 | 11.5.10 | ---
APPS04 | Oracle Application Object Library | Network (HTTP) | None | Difficult / Limited | Difficult / Limited | --- / --- | 11.5.6 | 11.5.10 | ---
APPS05 | Oracle Application Object Library | Network (HTTP) | Valid Session | Difficult / Limited | Difficult / Limited | --- / --- | 11.5.10 | 11.5.10CU1 | ---
APPS06 | Oracle Applications Technology Stack | Network (HTTP) | Database | Easy / Limited | --- / --- | Easy / Wide | 11.5.1 | 11.5.10 | ---
APPS07 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy / Limited | --- / --- | --- / --- | 11.5.1 | 11.5.10 | ---
APPS08 | Oracle Applications Technology Stack | Network (HTTP) | OS, Database | Easy / Limited | Difficult / Limited | --- / --- | 11.5.1 | 11.5.10 | ---
APPS09 | Oracle Diagnostics Interfaces | Network (HTTP) | None | Easy / Wide | Easy / Wide | --- / --- | 11.5.1 | 11.5.10CU2 | ---
APPS10 | Oracle General Ledger | Network (HTTP) | Valid Session | Easy / Wide | Easy / Wide | --- / --- | 11.5.1 | 11.5.10CU2 | ---
APPS11 | Oracle Order Capture | Network (HTTP) | None | Easy / Limited | --- / --- | --- / --- | 11.5.9 | 11.5.10 | ---
APPS12 | Oracle Receivables | Network (HTTP) | Valid Session | Easy / Wide | Easy / Wide | --- / --- | 11.5.5 | 11.5.10CU2 | ---
APPS13 | Oracle Receivables | Network (HTTP) | Valid Session | Difficult / Wide | Difficult / Wide | --- / --- | 11.5.8 | 11.5.10CU2 | ---
OPA01 | Oracle Thesaurus Management System | Network (HTTP) | Valid Session | Easy / Limited | --- / --- | --- / --- | OPA 4.5.0 | OPA 4.5.2 | ---

Shared vulnerability, repeated here from the other risk matrices it affects (shown in the original below a gray dividing line):
PLSQL01 | Oracle Applications Technology Stack | Network (HTTP) | None | Easy / Wide | Easy / Wide | Easy / Wide | 11.5.1 | 11.5.10 | ---

Required Conditions, Oracle E-Business Suite and Applications Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite and Applications vulnerabilities described in the Oracle E-Business Suite and Applications Risk Matrix.


Appendix E

Oracle Enterprise Manager Risk Matrix

Risk columns (see MetaLink Note 293956.1): Confidentiality, Integrity and Availability are each given as Ease / Impact.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality (Ease / Impact) | Integrity (Ease / Impact) | Availability (Ease / Impact) | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
EM01 | CORE: Reporting Framework | Network (HTTP) | None | Easy / Wide | Easy / Wide | --- / --- | 9iR2 | 9.0.1.5, 9.2.0.7 | ---
EM02 | CORE: Reporting Framework | Network (HTTP) | None | Easy / Wide | --- / --- | --- / --- | 9iR2 | 9.0.1.5, 9.2.0.7 | ---

Required Conditions, Oracle Enterprise Manager Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Enterprise Manager Vulnerabilities

There are no recommended workarounds for the Oracle Enterprise Manager vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.


Appendix F

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Risk Matrix

Risk columns (see MetaLink Note 293956.1): Confidentiality, Integrity and Availability are each given as Ease / Impact.

Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality (Ease / Impact) | Integrity (Ease / Impact) | Availability (Ease / Impact) | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround
PSE01 | PeopleTools | Local access to web server node | None | Easy / Limited | Easy / Limited | --- / --- | 8.46 GA, 8.47 GA | 8.46.12, 8.47.04 | ---
JDE01 | JD Edwards EnterpriseOne Security Server | Local/Network (JDENET) | None | Easy / Wide | Easy / Wide | --- / --- | EnterpriseOne Tools 8.95 | 8.95.J1 | ---

Required Conditions, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities

There are no recommended workarounds for the listed vulnerabilities.