A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches in the Updates are cumulative; each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates.
Supported Products Affected
The following supported product releases and versions are affected by the security vulnerabilities addressed by this Critical Patch Update:
All the products and versions listed above are affected by the vulnerabilities fixed in this Critical Patch Update. However, some of these products and versions are only supported in conjunction with other products, in specific configurations, or on certain platforms. Please consult each product's Pre-Installation Note for specific details concerning the support and availability of patches for the products listed above.
Unsupported Products
Unsupported products, releases and versions have neither been tested for the presence of vulnerabilities addressed by this Critical Patch Update, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1. However, it is likely that earlier patch set levels of the affected releases are affected by these vulnerabilities.
Oracle Database Client-only Installations
The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle Database Client-only installations (installations that do not have the Oracle Database Server installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.
Patch Availability and Risk Matrices
For each Oracle product that is being administered, please consult the associated Pre-Installation Note for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please see the Oracle Critical Patch Update Documentation Map, MetaLink Note 311088.1.
| Product | Risk Matrix | Pre-Installation Note |
|---|---|---|
| Oracle Database Server | Appendix A - Oracle Database Server Risk Matrix | Pre-Installation Note for the Oracle Database Server, MetaLink Note 311062.1 |
| Oracle Application Server | Appendix B - Oracle Application Server Risk Matrix | Pre-Installation Note for the Oracle Application Server, MetaLink Note 311038.1 |
| Oracle Collaboration Suite | Appendix C - Oracle Collaboration Suite Risk Matrix | Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 311039.1 |
| Oracle E-Business and Applications | Appendix D - Oracle E-Business Risk Matrix | Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 311040.1 |
| Oracle Enterprise Manager | Appendix E - Enterprise Manager Risk Matrix | Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 311061.1 |
Risk Matrix Contents
The risk matrices in this advisory list only the vulnerabilities that are new in this advisory. The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches for this Critical Patch Update are cumulative, and contain all the fixes from the previous Critical Patch Update. Risk matrices for these previous fixes can be found in the previous Critical Patch Update advisory.
E-Business Suite patches are not cumulative, so E-Business Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.
Oracle Collaboration Suite patches are not cumulative, so Oracle Collaboration Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.
Several vulnerabilities addressed by this Critical Patch Update are in both the Database Server and Application Server products. The Risk Matrices show these shared vulnerabilities by specifying the Vuln #s from both matrices on a single vulnerability row.
Risk Matrix Definitions
MetaLink Note 293956.1 defines the terms used in the Risk Matrices.
Risk Analysis and Blended Attacks
Oracle has analyzed each potential vulnerability separately for risk of exploit and impact of exploit. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).
Policy Statement on Information Provided in Critical Patch Updates and Security Alerts
Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.
As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Pre-Installation notes, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code nor “proof-of-concept” code for vulnerabilities in our products.
Critical Patch Update Availability for De-Supported Versions
Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS). De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.
Customers with valid licenses for product versions covered by Extended Support (ES) are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.
Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates.
Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES & EMS.
The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle’s attention: Gerhard Eschelbeck of Qualys, Inc., Esteban Martínez Fayó of Application Security, Inc., Alexander Kornbrust of Red Database Security, Stephen Kost of Integrigy, David Litchfield of NGSS Limited, Michael Murray of nCircle Network Security, Aaron C. Newman of Application Security, Inc., Mike Sues of Rigel Kent Security.
2005-JUL-12: Initial release, version 1
Oracle Database Server Risk Matrix Critical Patch Update - July 2005
| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DB01 | Oracle Express Server | Network | None | --- | --- | --- | --- | Easy | Limited | 6.3.4 | 6.3.4 | --- |
| DB02 | Oracle OLAP | SQL (Oracle Net) | Database (execute on olapsys) | --- | --- | --- | --- | Easy | Wide | 10g | 10.1.0.4(10g) | --- |
| DB03 | Component Registry | SQL (Oracle Net) | Database (execute on dbms_registry) | Difficult | Wide | Difficult | Wide | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB04 | CORE | SQL (Oracle Net) | Database (execute on utl_file) | Difficult | Limited | Difficult | Limited | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.4(9i), 9.2.0.5(9iR2), 10.1.0.3(10g) | --- |
| DB05 | CORE | SQL (Oracle Net) | Database (ability to create database link) | Difficult | Limited | Difficult | Limited | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
| DB06 | XML Database | Network (HTTP) | Database | Easy | Limited | --- | --- | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB07 | XML Database | Network (FTP) | None | Difficult | Limited | Difficult | Limited | Easy | Limited | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB08 | iSQL*Plus | Network (HTTP) | None | --- | --- | --- | --- | Easy | Wide | 9iR2 | 9.2.0.5(9iR2), 10.1.0.2(10g) | Use a TNS listener password |
| DB09 | iSQL*Plus | SQL (Oracle Net) | Database | Easy | Limited | --- | --- | --- | --- | 10g | 10.1.0.2(10g) | --- |
| DB10 | Single Sign-On | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.0.1.5FIPS(9i), 10.1.0.4(10g) | --- |
| DB11 AS07 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
| DB12 AS08 | Oracle HTTP Server (mod_access) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
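The matrix above is a flat pipe-separated layout, and the "Risk Matrix Contents" section explains that a vulnerability shared between two products carries both matrices' numbers in a single Vuln# cell (DB11 AS07). The Python below is an added example, not Oracle's code and not part of this advisory: it parses rows in that layout (the sample rows are copied from the Database Server matrix), splits shared Vuln#s, maps each "Last Affected Patch set" entry to its release label, and orders entries so that those reachable over the network without credentials and rated Easy/Wide come first. The column order is the one the matrix header gives; the ranking in priority() and the version comparison in needs_patch() are this example's own assumptions, not Oracle's triage method.

```python
"""Parse Oracle CPU risk-matrix rows (the pipe-separated layout on this page)
and order them for patch triage.

Added example, not Oracle's code. The ranking in priority() and the version
comparison in needs_patch() are this example's own assumptions."""

from __future__ import annotations

import re
from dataclasses import dataclass

COLUMNS = (
    "vuln", "component", "access", "auth",
    "conf_ease", "conf_impact", "int_ease", "int_impact", "avail_ease", "avail_impact",
    "earliest", "last_affected", "workaround",
)

# Rows copied from the Database Server matrix above (a subset, for illustration).
SAMPLE_ROWS = """\
| DB01 | Oracle Express Server | Network | None | --- | --- | --- | --- | Easy | Limited | 6.3.4 | 6.3.4 | --- |
| DB03 | Component Registry | SQL (Oracle Net) | Database (execute on dbms_registry) | Difficult | Wide | Difficult | Wide | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB08 | iSQL*Plus | Network (HTTP) | None | --- | --- | --- | --- | Easy | Wide | 9iR2 | 9.2.0.5(9iR2), 10.1.0.2(10g) | Use a TNS listener password |
| DB11 AS07 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
"""

PATCHSET_RE = re.compile(r"^\s*([\w.]+?)\s*\(([^)]+)\)\s*$")


@dataclass
class Vuln:
    ids: list[str]             # ["DB11", "AS07"]: a shared entry lists both matrices' numbers
    component: str
    access: str
    auth: str
    risk: dict[str, tuple[str, str] | None]   # axis -> (Ease, Impact); "---" axes become None
    earliest: str
    last_affected: dict[str, str]             # release label -> last affected patch set
    workaround: str | None


def parse_patchsets(cell: str) -> dict[str, str]:
    """'9.2.0.6(9iR2), 10.1.0.3(10g)' -> {'9iR2': '9.2.0.6', '10g': '10.1.0.3'}.
    A bare version such as '6.3.4' is keyed by itself. If a release label
    repeats (the FIPS variant in DB10), the later entry wins."""
    out = {}
    for part in cell.split(","):
        m = PATCHSET_RE.match(part)
        if m:
            out[m.group(2)] = m.group(1)
        else:
            out[part.strip()] = part.strip()
    return out


def _axis(ease: str, impact: str):
    return None if ease == "---" else (ease, impact)


def parse_rows(text: str) -> list[Vuln]:
    vulns = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != len(COLUMNS):
            continue  # header, separator or damaged row
        r = dict(zip(COLUMNS, cells))
        vulns.append(Vuln(
            ids=r["vuln"].split(),
            component=r["component"], access=r["access"], auth=r["auth"],
            risk={"conf": _axis(r["conf_ease"], r["conf_impact"]),
                  "int": _axis(r["int_ease"], r["int_impact"]),
                  "avail": _axis(r["avail_ease"], r["avail_impact"])},
            earliest=r["earliest"],
            last_affected=parse_patchsets(r["last_affected"]),
            workaround=None if r["workaround"] == "---" else r["workaround"],
        ))
    return vulns


def is_remote_unauthenticated(v: Vuln) -> bool:
    return v.access.startswith("Network") and v.auth == "None"


def priority(v: Vuln):
    """Sort key (lower first): reachable over the network without credentials,
    then any Easy/Wide axis, then any Easy axis, then the vuln number."""
    axes = [a for a in v.risk.values() if a]
    easy_wide = ("Easy", "Wide") in axes
    easy = any(a[0] == "Easy" for a in axes)
    return (not is_remote_unauthenticated(v), not easy_wide, not easy, v.ids[0])


def triage(text: str) -> list[str]:
    """First Vuln# of each row, in patch-first order."""
    return [v.ids[0] for v in sorted(parse_rows(text), key=priority)]


def needs_patch(v: Vuln, release: str, installed: str) -> bool:
    """True when the installed patch set for that release is at or below the
    last affected one. Compares numeric dotted components only."""
    last = v.last_affected.get(release)
    if last is None:
        return False

    def as_tuple(s: str):
        return tuple(int(x) for x in re.findall(r"\d+", s))
    return as_tuple(installed) <= as_tuple(last)


if __name__ == "__main__":
    for v in sorted(parse_rows(SAMPLE_ROWS), key=priority):
        print("/".join(v.ids), "|", v.component, "|", v.access, "|", v.auth,
              "|", v.workaround or "no workaround")
```

Run as a script it prints the sample rows with DB08 first (network, no credentials, Easy/Wide availability impact) and DB03 last (requires an Oracle Net session and an execute grant). The "Last Affected Patch set" mapping is what lets needs_patch() answer the question the advisory leaves to the reader: whether a given installed patch set for a given release is still within the affected range.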
Required Conditions, Oracle Database Vulnerabilities
No additional conditions are required in order to exploit the listed vulnerabilities.
Workarounds, Oracle Database Vulnerabilities
DB08: Setting and using a TNS Listener password eliminates this vulnerability.
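The DB08 workaround is the only mitigation the advisory names, so the natural check is whether each listener defined on a host actually has a password set. The Python below is an added example, not Oracle's code: it audits a listener.ora file for listeners that lack a PASSWORDS_<listener name> entry. It assumes the documented listener.ora layout (a listener is a top-level NAME = (DESCRIPTION_LIST ...) or NAME = (DESCRIPTION ...) block, and its password hash lives in PASSWORDS_NAME = (hash)); the sample file is constructed, and the hash value in it is a placeholder rather than a real Oracle hash.

```python
"""Audit listener.ora for listeners without a PASSWORDS_<name> entry.

Added example for the DB08 workaround ("use a TNS listener password"); not
Oracle's code. Assumes the documented listener.ora layout: a listener is a
top-level NAME = (DESCRIPTION_LIST ...) or NAME = (DESCRIPTION ...) block, and
its password hash is stored as PASSWORDS_NAME = (hash)."""

import re

# Constructed sample file; the PASSWORDS_ value is a placeholder, not a real hash.
SAMPLE_LISTENER_ORA = """\
# listener.ora (constructed sample)
LISTENER =
  (DESCRIPTION_LIST =
    (DESCRIPTION =
      (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))
    )
  )

LISTENER_EXTPROC =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC))
  )

SID_LIST_LISTENER =
  (SID_LIST =
    (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle/product/10.1.0))
  )

PASSWORDS_LISTENER = (PLACEHOLDERHASH0000)
"""

# A listener definition: NAME = ( DESCRIPTION_LIST | DESCRIPTION | ADDRESS_LIST | ADDRESS ...
LISTENER_RE = re.compile(
    r"^\s*([A-Za-z_]\w*)\s*=\s*\(\s*(?:DESCRIPTION_LIST|DESCRIPTION|ADDRESS_LIST|ADDRESS)\b",
    re.MULTILINE | re.IGNORECASE)
# PASSWORDS_NAME = (hash); an empty parenthesis counts as no password.
PASSWORD_RE = re.compile(r"^\s*PASSWORDS_(\w+)\s*=\s*\(([^)]*)\)", re.MULTILINE | re.IGNORECASE)


def strip_comments(text: str) -> str:
    # '#' starts a comment in Oracle Net configuration files.
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def listener_names(text: str) -> list:
    """Names of all listeners defined in the file (upper-cased, sorted)."""
    return sorted({m.group(1).upper() for m in LISTENER_RE.finditer(strip_comments(text))})


def password_protected(text: str) -> list:
    """Listener names that have a non-empty PASSWORDS_ entry."""
    return sorted({m.group(1).upper()
                   for m in PASSWORD_RE.finditer(strip_comments(text))
                   if m.group(2).strip()})


def unprotected_listeners(text: str) -> list:
    """Listeners with no password set: the DB08 workaround is not in place for these."""
    protected = set(password_protected(text))
    return [name for name in listener_names(text) if name not in protected]


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTENER_ORA
    for name in unprotected_listeners(text):
        print(f"listener {name}: no PASSWORDS_{name} entry")
```

Run with a path to a real listener.ora it reports each listener without a password entry; with no argument it runs on the constructed sample and reports LISTENER_EXTPROC. A reported listener means the workaround for DB08 has not been applied there; the actual password is set through lsnrctl (which writes the PASSWORDS_ entry), not by editing the file by hand.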
Application Server Risk Matrix Critical Patch Update - July 2005
| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AS01 | Oracle Containers for J2EE | Network | None | Easy | Limited | --- | --- | --- | --- | 9.0.2.3 | 9.0.2.3, 9.0.3.1 | --- |
| AS02 | Oracle Forms | Local | OS | Easy | Limited | Easy | Limited | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS03 | Oracle Forms | Local | OS | Easy | Limited | --- | --- | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS04 | Oracle Forms | Local | OS | Easy | Limited | --- | --- | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS05 | Oracle Forms | Network (HTTP) | None | --- | --- | --- | --- | Easy | Wide | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS06 | Oracle Forms | Network (HTTP) | Authenticated User | Easy | Wide | Easy | Wide | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS07 DB11 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1 | --- |
| AS08 DB12 | Oracle HTTP Server (mod_access) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1 | --- |
| AS09 | Oracle JDeveloper | Local | OS | Easy | Limited | Easy | Limited | --- | --- | 9.0.4 | 9.0.4, 10.1.2 | --- |
| AS10 | Oracle JDeveloper | Local | OS | Easy | Wide | Easy | Wide | --- | --- | 9.0.3 | 9.0.3, 10.1.2 | --- |
| AS11 | Oracle Reports Developer | Network (HTTP) | None | Difficult | Limited | Difficult | Limited | Easy | Limited | 9.0.2.3 | 9.0.2.3, 9.0.4.2 | --- |
| AS12 | Oracle JInitiator | Network (HTTP) | None | Difficult | Limited | Difficult | Limited | --- | --- | 1.1.8 | 1.1.8.24, 1.3.1.20 | --- |
Required Conditions, Oracle Application Server Vulnerabilities
No additional conditions are required in order to exploit the listed vulnerabilities.
Workarounds, Oracle Application Server Vulnerabilities
There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Oracle Application Server Risk Matrix.
Oracle Collaboration Suite Risk Matrix Critical Patch Update - July 2005
| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|
| OCS01 | Email Server | Network (SMTP) | None | --- | --- | --- | --- | Easy | Limited | --- |
| OCS02 | Email Server | Network (SMTP) | None | --- | --- | --- | --- | Easy | Wide | --- |
| OCS03 | Email Server | Network (IMAP) | Authenticated OCS user | Difficult | Wide | Difficult | Wide | Easy | Wide | --- |
| OCS04 | Email Server | Network (HTTP) | Authenticated OCS user | --- | --- | --- | --- | Easy | Wide | --- |
| OCS05 | Oracle Web Conferencing | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | --- |
| OCS06 | Oracle Web Conferencing | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | --- |
Required Conditions, Oracle Collaboration Suite Vulnerabilities
No additional conditions are required in order to exploit the listed vulnerabilities.
Workarounds, Oracle Collaboration Suite Vulnerabilities
There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.
E-Business Suite Risk Matrix Critical Patch Update - July 2005
| Vuln# | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|
| APPS01 | Network (HTTP) | Valid Session | Difficult | Wide | Difficult | Wide | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS02 | Network (HTTP) | Valid Session | Difficult | Wide | --- | --- | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS03 | Network (HTTP) | None | Difficult | Wide | Difficult | Wide | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS04 | SQL (Oracle Net) | Database (execute on portal.wpg_session or owf_mgr.wf_event_html) | Difficult | Wide | Difficult | Wide | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS05 | Network (HTTP) | Valid Session | Easy | Limited | --- | --- | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS06 | Network (HTTP) | Valid Session | Easy | Wide | Easy | Wide | --- | --- | 11.5.7 | 11.5.10 | --- |
| APPS07 | Network (HTTP) | Valid Session | Easy | Wide | Easy | Wide | --- | --- | 11.5.8 | 11.5.9 | --- |
| APPS08 | Network (HTTP) | Valid Session | Easy | Wide | Easy | Wide | --- | --- | 11.5.8 | 11.5.10 | --- |
| APPS09 | Network (HTTP) | Valid Session | Difficult | Wide | Difficult | Wide | --- | --- | 11.0 | 11.5.10 | --- |
| APPS10 | Network (HTTP) | Valid Session | Easy | Wide | Difficult | Wide | --- | --- | 11.0 | 11.5.9 | --- |
| APPS11 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.5.6 | 11.5.10 | --- |
| APPS12 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.5.9 | 11.5.10 | --- |
| APPS13 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.5.8 | 11.5.10 | --- |
| APPS14 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.0 | 11.5.9 | --- |
| APPS15 | Network (HTTP) | None | Easy | Wide | Easy | Wide | --- | --- | 11.5.4 | 11.5.10 | --- |
| APPS16 | Network (HTTP) | Valid Session | Easy | Limited | Easy | Limited | --- | --- | 11.5.6 | 11.5.10.CU1 | --- |
| APPS17 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 6.0.8 | 6.0.8.25 | --- |
Required Conditions, Oracle E-Business Suite Vulnerabilities
No additional conditions are required in order to exploit the listed vulnerabilities. An installed version of Oracle E-Business Suite and a connected session are sufficient.
Workarounds, E-Business Suite Vulnerabilities
There are no recommended workarounds for the Oracle E-Business Suite vulnerabilities described in the Oracle E-Business Suite Risk Matrix.
Enterprise Manager Risk Matrix Critical Patch Update - July 2005
| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EM01 | Instance Management | SQL (Oracle Net) | None | Easy | Limited | Easy | Limited | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
| EM02 | CORE: SDK | Network | None | --- | --- | --- | --- | Difficult | Wide | 8i | 8.1.7.4(8i), 9.0.1.4(9i), 9.0.1.5FIPS(9i), 9.2.0.6(9iR2) | --- |
Required Conditions, Oracle Enterprise Manager Vulnerabilities
No additional conditions are required in order to exploit the listed vulnerabilities.
Workarounds, Enterprise Manager Vulnerabilities
There are no recommended workarounds for the Oracle Enterprise Manager vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.