Critical Patch Update - July 2005


Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches in the Updates are cumulative; each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates.

Supported Products Affected

The following supported product releases and versions are affected by the security vulnerabilities addressed by this Critical Patch Update:

  • Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
  • Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle8 Database Release 8.0.6, version 8.0.6.3
  • Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
  • Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
  • Oracle Enterprise Manager Application Server Control, versions 9.0.4.0, 9.0.4.1
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2
  • Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
  • Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
  • Oracle E-Business Suite and Applications Release 11.0
  • Oracle Workflow, versions 11.5.1 through 11.5.9.5
  • Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
  • Oracle JInitiator, versions 1.1.8, 1.3.1
  • Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2
  • Oracle Express Server, version 6.3.4.0

All the products and versions listed above are affected by the vulnerabilities fixed in this Critical Patch Update. However, some of these products and versions are only supported in conjunction with other products, in specific configurations, or on certain platforms. Please consult each product's Pre-Installation Note for specific details concerning the support and availability of patches for the products listed above.

Unsupported Products

Unsupported products, releases and versions have neither been tested for the presence of vulnerabilities addressed by this Critical Patch Update, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1. However, it is likely that earlier patch set levels of the affected releases are affected by these vulnerabilities.

Oracle Database Client-only Installations

The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle Database Client-only installations (installations that do not have the Oracle Database Server installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.

Patch Availability and Risk Matrices

For each Oracle product that is being administered, please consult the associated Pre-Installation Note for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please see the Oracle Critical Patch Update Documentation Map, MetaLink Note 311088.1.


| Product | Risk Matrix | Pre-Installation Note |
|---|---|---|
| Oracle Database Server | Appendix A - Oracle Database Server Risk Matrix | Pre-Installation Note for the Oracle Database Server, MetaLink Note 311062.1 |
| Oracle Application Server | Appendix B - Oracle Application Server Risk Matrix | Pre-Installation Note for the Oracle Application Server, MetaLink Note 311038.1 |
| Oracle Collaboration Suite | Appendix C - Oracle Collaboration Suite Risk Matrix | Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 311039.1 |
| Oracle E-Business and Applications | Appendix D - Oracle E-Business Risk Matrix | Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 311040.1 |
| Oracle Enterprise Manager | Appendix E - Enterprise Manager Risk Matrix | Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 311061.1 |

Risk Matrix Contents

The risk matrices in this advisory list only the vulnerabilities that are new in this advisory. The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches for this Critical Patch Update are cumulative, and contain all the fixes from the previous Critical Patch Update. Risk matrices for these previous fixes can be found in the previous Critical Patch Update advisory.

E-Business Suite patches are not cumulative, so E-Business Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.

Oracle Collaboration Suite patches are not cumulative, so Oracle Collaboration Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.

One Vulnerability Appearing in Two Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update are in both the Database Server and Application Server products. The Risk Matrices show these shared vulnerabilities by specifying the Vuln #s from both matrices on a single vulnerability row.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk of exploit and impact of exploit. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Pre-Installation notes, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code nor “proof-of-concept” code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS). De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support (ES) are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.

Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates.

Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES & EMS.

References

  • Critical Patch Update - July 2005 FAQ, MetaLink Note 311037.1
  • MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
  • Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
  • Oracle Critical Patch Update Documentation Map, MetaLink Note 311088.1
  • Security Alerts and Critical Patch Updates - Frequently Asked Questions, MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle’s attention: Gerhard Eschelbeck of Qualys, Inc., Esteban Martínez Fayó of Application Security, Inc., Alexander Kornbrust of Red Database Security, Stephen Kost of Integrigy, David Litchfield of NGSS Limited, Michael Murray of nCircle Network Security, Aaron C. Newman of Application Security, Inc., Mike Sues of Rigel Kent Security.


Modification History

2005-JUL-12: Initial release, version 1

Appendix A

Oracle Database Server Risk Matrix Critical Patch Update - July 2005

| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| DB01 | Oracle Express Server | Network | None | --- | --- | --- | --- | Easy | Limited | 6.3.4 | 6.3.4 | --- |
| DB02 | Oracle OLAP | SQL (Oracle Net) | Database (execute on olapsys) | --- | --- | --- | --- | Easy | Wide | 10g | 10.1.0.4(10g) | --- |
| DB03 | Component Registry | SQL (Oracle Net) | Database (execute on dbms_registry) | Difficult | Wide | Difficult | Wide | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB04 | CORE | SQL (Oracle Net) | Database (execute on utl_file) | Difficult | Limited | Difficult | Limited | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.4(9i), 9.2.0.5(9iR2), 10.1.0.3(10g) | --- |
| DB05 | CORE | SQL (Oracle Net) | Database (ability to create database link) | Difficult | Limited | Difficult | Limited | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
| DB06 | XML Database | Network (HTTP) | Database | Easy | Limited | --- | --- | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB07 | XML Database | Network (FTP) | None | Difficult | Limited | Difficult | Limited | Easy | Limited | 9iR2 | 9.2.0.6(9iR2), 10.1.0.3(10g) | --- |
| DB08 | iSQL*Plus | Network (HTTP) | None | --- | --- | --- | --- | Easy | Wide | 9iR2 | 9.2.0.5(9iR2), 10.1.0.2(10g) | Use a TNS listener password |
| DB09 | iSQL*Plus | SQL (Oracle Net) | Database | Easy | Limited | --- | --- | --- | --- | 10g | 10.1.0.2(10g) | --- |
| DB10 | Single Sign-On | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.0.1.5FIPS(9i), 10.1.0.4(10g) | --- |
| DB11 AS07 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
| DB12 AS08 | Oracle HTTP Server (mod_access) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 8i | 8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |

 

  • If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Database Vulnerabilities section of this document.
  • If a workaround is indicated, the Workarounds, Oracle Database Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

DB08: Setting and using a TNS Listener password eliminates this vulnerability.
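The following is an added example, not part of the Oracle advisory: a Python check that reads the "Last Affected Patch set (per Supported Release)" column of the Appendix A matrix to list which rows apply to a database patch-set level that has not yet had this Critical Patch Update applied. The function names and the prefix-to-release mapping are assumptions made for this example; the mapping follows the product list at the top of the advisory.

```python
import re

# Assumed mapping: version prefix -> release tag, following the advisory's product list.
FAMILY = {"8.1.7": "8i", "9.0.1": "9i", "9.2.0": "9iR2", "10.1.0": "10g"}

# Vuln# -> (Authorization Needed, Last Affected Patch set), transcribed from the
# Appendix A matrix. DB01 (Oracle Express Server 6.3.4) is a separate product
# and is left out.
MATRIX = {
    "DB02": ("Database (execute on olapsys)", "10.1.0.4(10g)"),
    "DB03": ("Database (execute on dbms_registry)", "9.2.0.6(9iR2), 10.1.0.3(10g)"),
    "DB04": ("Database (execute on utl_file)",
             "8.1.7.4(8i), 9.0.1.4(9i), 9.2.0.5(9iR2), 10.1.0.3(10g)"),
    "DB05": ("Database (ability to create database link)", "9.2.0.6(9iR2), 10.1.0.4(10g)"),
    "DB06": ("Database", "9.2.0.6(9iR2), 10.1.0.3(10g)"),
    "DB07": ("None", "9.2.0.6(9iR2), 10.1.0.3(10g)"),
    "DB08": ("None", "9.2.0.5(9iR2), 10.1.0.2(10g)"),
    "DB09": ("Database", "10.1.0.2(10g)"),
    "DB10": ("None", "8.1.7.4(8i), 9.0.1.5(9i), 9.0.1.5FIPS(9i), 10.1.0.4(10g)"),
    "DB11": ("None", "8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g)"),
    "DB12": ("None", "8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g)"),
}

# One cell entry looks like "9.2.0.6(9iR2)" or "9.0.1.5FIPS(9i)".
ENTRY = re.compile(r"(\d+(?:\.\d+)+)(?:FIPS)?\((\w+)\)")

def vtuple(version):
    """'9.2.0.6' -> (9, 2, 0, 6); only the first four components are compared."""
    return tuple(int(p) for p in version.split(".")[:4])

def last_affected(cell):
    """Map release tag -> highest affected patch set named in one matrix cell."""
    out = {}
    for ver, tag in ENTRY.findall(cell):
        out[tag] = max(out.get(tag, (0,)), vtuple(ver))
    return out

def exposure(installed):
    """Vuln#s whose last affected patch set, for this release, is >= installed."""
    tag = FAMILY.get(".".join(installed.split(".")[:3]))
    if tag is None:
        raise ValueError("release not covered by the Appendix A matrix: " + installed)
    hits = []
    for vuln, (_auth, cell) in MATRIX.items():
        last = last_affected(cell).get(tag)
        # Earlier patch-set levels of an affected release count as affected too,
        # as the Unsupported Products section says is likely.
        if last is not None and vtuple(installed) <= last:
            hits.append(vuln)
    return sorted(hits)

def unauthenticated(vulns):
    """Subset of rows whose 'Authorization Needed' column is None."""
    return [v for v in vulns if MATRIX[v][0] == "None"]

if __name__ == "__main__":
    for version in ("9.2.0.5", "9.2.0.6", "10.1.0.4"):
        rows = exposure(version)
        print(version, rows, "no authorization needed:", unauthenticated(rows))
```
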

Appendix B

Application Server Risk Matrix Critical Patch Update - July 2005

| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| AS01 | Oracle Containers for J2EE | Network | None | Easy | Limited | --- | --- | --- | --- | 9.0.2.3 | 9.0.2.3, 9.0.3.1 | --- |
| AS02 | Oracle Forms | Local | OS | Easy | Limited | Easy | Limited | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS03 | Oracle Forms | Local | OS | Easy | Limited | --- | --- | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS04 | Oracle Forms | Local | OS | Easy | Limited | --- | --- | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS05 | Oracle Forms | Network (HTTP) | None | --- | --- | --- | --- | Easy | Wide | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS06 | Oracle Forms | Network (HTTP) | Authenticated User | Easy | Wide | Easy | Wide | --- | --- | 4.5.10.22 | 4.5.10.22, 6.0.8.25 | --- |
| AS07 DB11 | Oracle HTTP Server (mod_ssl) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1 | --- |
| AS08 DB12 | Oracle HTTP Server (mod_access) | Network (HTTPS) | None | Difficult | Wide | Difficult | Wide | --- | --- | 1.0.2.2 | 1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1 | --- |
| AS09 | Oracle JDeveloper | Local | OS | Easy | Limited | Easy | Limited | --- | --- | 9.0.4 | 9.0.4, 10.1.2 | --- |
| AS10 | Oracle JDeveloper | Local | OS | Easy | Wide | Easy | Wide | --- | --- | 9.0.3 | 9.0.3, 10.1.2 | --- |
| AS11 | Oracle Reports Developer | Network (HTTP) | None | Difficult | Limited | Difficult | Limited | Easy | Limited | 9.0.2.3 | 9.0.2.3, 9.0.4.2 | --- |
| AS12 | Oracle JInitiator | Network (HTTP) | None | Difficult | Limited | Difficult | Limited | --- | --- | 1.1.8 | 1.1.8.24, 1.3.1.20 | --- |

 

  • If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Application Server Vulnerabilities section of this document.
  • If a workaround is indicated, the Workarounds, Oracle Application Server Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Oracle Application Server Risk Matrix.


Appendix C

Collaboration Suite Risk Matrix
Critical Patch Update - July 2005

| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|
| OCS01 | Email Server | Network (SMTP) | None | --- | --- | --- | --- | Easy | Limited | --- |
| OCS02 | Email Server | Network (SMTP) | None | --- | --- | --- | --- | Easy | Wide | --- |
| OCS03 | Email Server | Network (IMAP) | Authenticated OCS user | Difficult | Wide | Difficult | Wide | Easy | Wide | --- |
| OCS04 | Email Server | Network (HTTP) | Authenticated OCS user | --- | --- | --- | --- | Easy | Wide | --- |
| OCS05 | Oracle Web Conferencing | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | --- |
| OCS06 | Oracle Web Conferencing | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | --- |

 

  • If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Collaboration Suite Vulnerabilities section of this document.
  • If a workaround is indicated, the Workarounds, Oracle Collaboration Suite Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.
 

Appendix D

E-Business Suite Risk Matrix Critical Patch Update - July 2005

| Vuln# | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|
| APPS01 | Network (HTTP) | Valid Session | Difficult | Wide | Difficult | Wide | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS02 | Network (HTTP) | Valid Session | Difficult | Wide | --- | --- | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS03 | Network (HTTP) | None | Difficult | Wide | Difficult | Wide | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS04 | SQL (Oracle Net) | Database (execute on portal.wpg_session or owf_mgr.wf_event_html) | Difficult | Wide | Difficult | Wide | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS05 | Network (HTTP) | Valid Session | Easy | Limited | --- | --- | --- | --- | 11.5.0 | 11.5.9.5 | --- |
| APPS06 | Network (HTTP) | Valid Session | Easy | Wide | Easy | Wide | --- | --- | 11.5.7 | 11.5.10 | --- |
| APPS07 | Network (HTTP) | Valid Session | Easy | Wide | Easy | Wide | --- | --- | 11.5.8 | 11.5.9 | --- |
| APPS08 | Network (HTTP) | Valid Session | Easy | Wide | Easy | Wide | --- | --- | 11.5.8 | 11.5.10 | --- |
| APPS09 | Network (HTTP) | Valid Session | Difficult | Wide | Difficult | Wide | --- | --- | 11.0 | 11.5.10 | --- |
| APPS10 | Network (HTTP) | Valid Session | Easy | Wide | Difficult | Wide | --- | --- | 11.0 | 11.5.9 | --- |
| APPS11 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.5.6 | 11.5.10 | --- |
| APPS12 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.5.9 | 11.5.10 | --- |
| APPS13 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.5.8 | 11.5.10 | --- |
| APPS14 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 11.0 | 11.5.9 | --- |
| APPS15 | Network (HTTP) | None | Easy | Wide | Easy | Wide | --- | --- | 11.5.4 | 11.5.10 | --- |
| APPS16 | Network (HTTP) | Valid Session | Easy | Limited | Easy | Limited | --- | --- | 11.5.6 | 11.5.10.CU1 | --- |
| APPS17 | Network (HTTP) | None | Easy | Limited | --- | --- | --- | --- | 6.0.8 | 6.0.8.25 | --- |

 

  • If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle E-Business Suite Vulnerabilities section of this document.
  • If a workaround is indicated, the Workarounds, Oracle E-Business Suite Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle E-Business Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities. An installed version of Oracle E-Business Suite and a connected session are sufficient.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite vulnerabilities described in the Oracle E-Business Suite Risk Matrix.

Appendix E

Enterprise Manager Risk Matrix Critical Patch Update - July 2005

| Vuln# | Component | Access Required (Protocol) | Authorization Needed (Package or Privilege Required) | Confidentiality: Ease | Confidentiality: Impact | Integrity: Ease | Integrity: Impact | Availability: Ease | Availability: Impact | Earliest Supported Release Affected | Last Affected Patch set (per Supported Release) | Workaround |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| EM01 | Instance Management | SQL (Oracle Net) | None | Easy | Limited | Easy | Limited | --- | --- | 9iR2 | 9.2.0.6(9iR2), 10.1.0.4(10g) | --- |
| EM02 | CORE: SDK | Network | None | --- | --- | --- | --- | Difficult | Wide | 8i | 8.1.7.4(8i), 9.0.1.4(9i), 9.0.1.5FIPS(9i), 9.2.0.6(9iR2) | --- |

  • If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Enterprise Manager Vulnerabilities section of this document.
  • If a workaround is indicated, the Workarounds, Oracle Enterprise Manager Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Enterprise Manager Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Enterprise Manager Vulnerabilities

There are no recommended workarounds for the Oracle Enterprise Manager vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.