Oracle Critical Patch Update - April 2006
Description
A Critical Patch Update is a collection of patches for multiple
security vulnerabilities. It also includes non-security fixes that are
required (because of interdependencies) by those security patches.
Supported Products and Components Affected
The security vulnerabilities addressed by this Critical Patch
Update affect the products listed in the categories below.
The Pre-Installation Note that describes the
patches for the listed versions is shown in [square brackets]
following the product versions. Please click on the links in the
[square brackets] or in the Patch Availability Matrix
to access the Pre-Installation Notes.
Category I
Product releases and versions that are covered by Error Correction
Support (ECS) or Extended Maintenance Support (EMS):
| • Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2 |
[
Database
] |
| • Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5 |
[
Database
] |
| • Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7 |
[
Database
] |
| • Oracle8i Database Release 3, version 8.1.7.4 |
[
Database
] |
| • Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4, 10.2.0.1 |
[
Enterprise Manager
]
|
| • Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0, 10.1.3.0.0 |
[
Application Server
] |
| • Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2 |
[
Application Server
] |
| • Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2.0, 10.1.2.1 |
[
Collaboration Suite
]
|
| • Oracle9i Collaboration Suite Release 2, version 9.0.4.2 |
[
Collaboration Suite
]
|
| • Oracle E-Business Suite Release 11i, versions 11.5.1 - 11.5.10 CU2 |
[
E-Business Suite
]
|
| • Oracle E-Business Suite Release 11.0 |
[
E-Business Suite
]
|
| • Oracle Pharmaceutical Applications versions 4.5.0 - 4.5.2 |
[
Pharmaceutical
]
|
| • Oracle PeopleSoft Enterprise Tools, versions 8.47GA - 8.47.04 |
[
PeopleSoft/JDE
]
|
| • Oracle PeopleSoft Enterprise Tools, versions 8.46GA - 8.46.12 |
[
PeopleSoft/JDE
]
|
| • JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95 - 8.95.J1 |
[
PeopleSoft/JDE
]
|
Category II
Products and components that are bundled with the products listed in Category I:
| • Oracle Database 10g Release 1, version 10.1.0.4.2 |
[
Application Server
]
|
| • Oracle Developer Suite, versions 6i, 9.0.4.2 |
[
Application Server
]
and
[
E-Business Suite
]
|
| • Oracle Workflow, versions 11.5.1 through 11.5.9.5 |
[
E-Business Suite
]
|
Category III
Products that are de-supported as a standalone installation but are
supported when installed with the products listed in Category I:
| • Oracle9i Database Release 1, versions 9.0.1.4
| [
Collaboration Suite
]
|
| • Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS |
[
Application Server
] |
| • Oracle8 Database Release 8.0.6, version 8.0.6.3 |
[
Application Server
]
and
[
E-Business Suite
] |
| • Oracle9i Application Server Release 1, version 1.0.2.2 |
[
E-Business Suite
]
|
Patches for Category III products are only available when these
products are installed as part of Category I products, and are tested
solely on supported configurations and environments. Please refer to
the Pre-Installation Note for each product for specific details
concerning the support and availability of patches.
Category IV
Products that are supported only on selected platforms. Please consult the appropriate
Pre-Installation Notes for details.
| • Oracle Database 10g Release 1, version 10.1.0.3 |
[
Database
] |
| • Oracle9i Database Release 2, version 9.2.0.5 |
[
Database
] |
Unsupported Products
Unsupported products, releases and versions are not tested for the presence of
vulnerabilities addressed by this Critical Patch Update.
However, it is likely that earlier patch sets of the affected
releases are affected by these vulnerabilities.
Supported products are patched in accordance with section 4.3.3.3 of the Software Error
Correction Support Policy, MetaLink Note 209768.1.
Default Account and Password Checking Utility
The password checking utility announced in the January 2006 Critical
Patch Update has been significantly updated and renamed. The Oracle
Default Password Scanner assists customers with securing
Oracle-provided default database schema accounts that use default
passwords. The MetaLink article titled Frequently Asked Questions
about Oracle Default Password Scanner
(MetaLink Note 361482.1)
provides detailed information for this utility, including instructions
for downloading the utility and its accompanying documentation, the Oracle Default
Password Scanner User's Guide.
The Oracle Default Password Scanner does not replace the essential
security guidelines described in the
Database Security Checklist, nor
does it lessen the importance of appropriately securing all database
and application accounts. Customers using Oracle E-Business Suite
should refer to Best Practices for Securing Oracle E-Business
Suite (Oracle MetaLink Note 189367.1).
Customers using customized
applications or other non-Oracle products that are dependent on an
Oracle database should refer to the product-specific documentation for
each product before implementing these changes in a production
environment.
Oracle Database Client-only Installations
The new database vulnerabilities addressed by this Critical Patch
Update do not affect Oracle Database Client-only installations
(installations that do not have the Oracle Database
installed). Therefore, it is not necessary to apply this Critical
Patch Update to client-only installations if a prior Critical Patch
Update, or Alert 68, has already been applied to the client-only
installations.
Client-side software in the middle tier is patched as part of the
general middle tier patch and customers do not need to apply
additional patches. If this is not the case it will be documented in
the appropriate Pre-Installation Note.
Patch Availability and Risk Matrices
The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
Applications patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical
Patch Updates.
Oracle E-Business Suite and Applications patches are not cumulative,
so E-Business Suite and Applications customers should refer to
previous Critical Patch Updates to identify previous fixes they want
to apply.
For each Oracle product that is being administered, please consult the
associated Pre-Installation Note for patch availability information
and installation instructions. For an overview of all the documents
related to this Critical Patch Update, please refer to the
Oracle Critical Patch Update April 2006 Documentation Map, MetaLink Note 360464.1.
Risk Matrix Contents
The risk matrices list only security vulnerabilities, and only the
security vulnerabilities that are newly fixed by the patches
associated with this advisory. Risk matrices for previous fixes can be
found in
previous Critical Patch Update advisories.
One Vulnerability Appearing in Several Risk Matrices
Several vulnerabilities addressed by this Critical Patch Update affect
multiple products. The Risk Matrices show these shared vulnerabilities
by using a distinct Vuln # identification for each of them in
their row in the Risk Matrix. These rows are then duplicated into all
appropriate risk matrices under a gray dividing line.
Risk Matrix Definitions
MetaLink Note
293956.1 defines the terms used in the Risk Matrices.
Risk Analysis and Blended Attacks
Oracle has analyzed each potential vulnerability separately for risk
and impact of exploitation. Oracle has performed no analysis on the
likelihood and impact of blended attacks (i.e. the exploitation of
multiple vulnerabilities combined in a single attack).
Policy Statement on Information Provided in Critical Patch Updates
and Security Alerts
Oracle conducts an analysis of each security vulnerability addressed
by a Critical Patch Update (CPU) or a Security Alert. The results of
the security analysis are reflected in the associated documentation
describing, for example, the type of vulnerability, the conditions
required to exploit it and the result of a successful exploit. Oracle
provides this information, in part, so that customers may conduct
their own risk analysis based on the particulars of their product
usage.
As a matter of policy, Oracle will not provide additional information
about the specifics of vulnerabilities beyond what is provided in the
CPU or Security Alert notification, the Pre-Installation notes, the
readme files, and FAQs. Oracle does not provide advance notification
on CPU or Security Alerts to individual customers. Finally, Oracle
does not develop or distribute active exploit code nor
“proof-of-concept” code for vulnerabilities in our
products.
Critical Patch Update Availability for De-Supported Versions
Critical Patch Updates are available for customers who have purchased
Extended Maintenance Support (EMS) before the implementation of the
Lifetime Support Policy. De-support Notices indicate whether EMS is
available for a particular release and platform, as well as the
specific period during which EMS will be available.
Customers with valid licenses for product versions covered by Extended
Support (ES), before the implementation of the Lifetime Support
Policy, are entitled to download existing fixes; however, new issues
that may arise from the application of patches are not covered under
ES. Therefore, ES customers should have comprehensive plans to enable
removal of any applied patch.
Oracle will not provide Critical Patch Updates for product versions
which are no longer covered under the Extended Maintenance Support
plan or the Lifetime Support Policy. We recommend that customers
upgrade to the latest supported version of Oracle products in order to
obtain Critical Patch Updates.
Please review the "Extended Support" section within the Technical Support
Policies for further guidelines regarding ES and EMS.
References
-
Oracle Critical Patch Updates and Security Alerts
- Critical Patch Update - April 2006 Documentation Map, MetaLink Note 360464.1
- Oracle Critical Patch Updates and Security Alerts - Frequently Asked Questions, MetaLink Note
360470.1
- Risk Matrix term definitions, MetaLink Note 293956.1
Credits
The following people discovered and brought security vulnerabilities
addressed by this Critical Patch Update to Oracle's attention:
Esteban Martinez Fayo of Application Security, Inc.;
Alexander Kornbrust of Red Database Security GmbH;
David Litchfield of Next Generation Security Software Ltd.;
noderat ratty.
Critical Patch Update Schedule
Critical Patch Updates are released on the Tuesday closest to the 15th
day of January, April, July and October. The next four dates are:
- 18 July 2006
- 17 October 2006
- 16 January 2007
- 17 April 2007
Modification History
Appendix A
Oracle Database Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK (see note 293956.1) |
Earliest Supported Release Affected |
Last Affected Patch set (per Supported Release) |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| DB01 |
Advanced Replication |
SQL (Oracle Net) |
Database (execute on sys.dbms_reputil) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 |
--- |
| DB02 |
Advanced Replication |
SQL (Oracle Net) |
Database (execute on sys.dbms_repcat_admin, or execute_catalog_role) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
9iR2 |
9.2.0.6 |
--- |
| DB03 |
Advanced Replication |
SQL (Oracle Net) |
Database (execute on sys.dbms_snapshot_utl) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
10g |
10.1.0.4 |
--- |
| DB04 |
Dictionary |
SQL (Oracle Net) |
Database (ability to enable constraints) |
--- |
--- |
Easy |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5 |
--- |
| DB05 |
Export |
SQL (Oracle Net) |
Database (execute on sys.dbms_export_extension) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.2 |
--- |
| DB06 |
Log Miner |
SQL (Oracle Net) |
Database (execute on sys.dbms_logmnr_session) |
Easy |
Wide |
Easy |
Wide |
--- |
|
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB07 |
Oracle Enterprise Manager Intelligent Agent |
Local |
OS |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
9i |
9.0.1.5, 9.2.0.7 |
--- |
| DB08 |
Oracle Spatial |
SQL (Oracle Net) |
Database (create partitioned mdsys table) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.4, 10.2.0.1 |
--- |
| DB09 |
Oracle Spatial |
SQL (Oracle Net) |
Database (execute on mdsys.prvt_idx) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.6 |
--- |
| DB10 |
Oracle Spatial |
SQL (Oracle Net) |
Database (execute on mdsys.sdo_catalog.update_catalog) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 |
--- |
| DB11 |
Oracle Spatial |
SQL (Oracle Net) |
Database (execute on mdsys.sdo_lrs_trig_ins{1}) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
9i |
9.0.1.5, 9.2.0.7, 10.1.0.5 |
--- |
| DB12 |
Oracle Spatial |
SQL (Oracle Net) |
Database (execute on mdsys.sdo_pridx) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
9iR2 |
9.2.0.7, 10.1.0.4 |
--- |
| DB13 |
Oracle Spatial |
Local |
OS (access to registry) |
Easy |
Limited |
--- |
--- |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7 |
--- |
|
|
|
|
|
|
|
|
|
|
|
|
|
| PLSQL01 |
ModPL/SQL for Apache |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
Required Conditions, Oracle Database Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle Database Vulnerabilities
There are no recommended workarounds for the Oracle Database
vulnerabilities described in the Oracle Database Risk Matrix.
Appendix B
Oracle Application Server Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK (see note 293956.1) |
Earliest Supported Release Affected |
Last Affected Patch set |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| PLSQL01 |
ModPL/SQL for Apache |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
1.0.2.2 |
1.0.2.2, 9.0.4.2, 10.1.2.0.2, 10.1.2.1.0, 10.1.3.0.0 |
--- |
Required Conditions, Oracle Application Server Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle Application Server Vulnerabilities
There are no recommended workarounds for the Oracle Application Server
vulnerabilities described in the Application Server Suite Risk Matrix.
Appendix C
Oracle Collaboration Suite Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK (see note 293956.1) |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| OCS01 |
Email Server |
Network (IMAP) |
Valid Session |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
--- |
| OCS02 |
Email Server |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
--- |
| OCS03 |
Email Server |
Network (EMAIL) |
None |
Easy |
Wide |
--- |
--- |
--- |
--- |
--- |
| OCS04 |
Email Server |
Network (EMAIL) |
None |
Easy |
Wide |
--- |
--- |
--- |
--- |
--- |
|
|
|
|
|
|
|
|
|
|
|
| PLSQL01 |
Oracle Applications Technology Stack |
Network(HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
--- |
Required Conditions, Oracle Collaboration Suite Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle Collaboration Suite Vulnerabilities
There are no recommended workarounds for the Oracle Collaboration Suite
vulnerabilities described in the Oracle Collaboration Suite Risk
Matrix.
Appendix D
Oracle E-Business Suite and Applications Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK (see note 293956.1) |
Earliest Supported Release Affected |
Last Affected Patch set |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| APPS01 |
Application Install |
Local |
OS |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Limited |
11.5.1 |
11.5.10CU2 |
--- |
| APPS02 |
Financials for Asia/Pacific |
Network(HTTP) |
Valid Session |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
11.0 |
11.5.9 |
--- |
| APPS03 |
iProcurement |
Network(HTTP) |
Valid Session |
--- |
--- |
Easy |
Limited |
--- |
--- |
11.5.10 |
11.5.10 |
--- |
| APPS04 |
Oracle Application Object Library |
Network(HTTP) |
None |
Difficult |
Limited |
Difficult |
Limited |
--- |
--- |
11.5.6 |
11.5.10 |
--- |
| APPS05 |
Oracle Application Object Library |
Network(HTTP) |
Valid Session |
Difficult |
Limited |
Difficult |
Limited |
--- |
--- |
11.5.10 |
11.5.10CU1 |
--- |
| APPS06 |
Oracle Applications Technology Stack |
Network(HTTP) |
Database |
Easy |
Limited |
--- |
--- |
Easy |
Wide |
11.5.1 |
11.5.10 |
--- |
| APPS07 |
Oracle Applications Technology Stack |
Network(HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS08 |
Oracle Applications Technology Stack |
Network(HTTP) |
OS, Database |
Easy |
Limited |
Difficult |
Limited |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS09 |
Oracle Diagnostics Interfaces |
Network(HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
11.5.1 |
11.5.10CU2 |
--- |
| APPS10 |
Oracle General Ledger |
Network(HTTP) |
Valid Session |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
11.5.1 |
11.5.10CU2 |
--- |
| APPS11 |
Oracle Order Capture |
Network(HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.9 |
11.5.10 |
--- |
| APPS12 |
Oracle Receivables |
Network(HTTP) |
Valid Session |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
11.5.5 |
11.5.10CU2 |
--- |
| APPS13 |
Oracle Receivables |
Network(HTTP) |
Valid Session |
Difficult |
Wide |
Difficult |
Wide |
--- |
--- |
11.5.8 |
11.5.10CU2 |
--- |
| OPA01 |
Oracle Thesaurus Management System |
Network(HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
OPA 4.5.0 |
OPA 4.5.2 |
--- |
|
|
|
|
|
|
|
|
|
|
|
|
|
| PLSQL01 |
Oracle Applications Technology Stack |
Network(HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
11.5.1 |
11.5.10 |
--- |
Required Conditions, Oracle E-Business Suite and Applications Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, E-Business Suite Vulnerabilities
There are no recommended workarounds for the Oracle E-Business Suite and Applications
vulnerabilities described in the Oracle E-Business Suite and Applications Risk Matrix.
Appendix E
Oracle Enterprise Manager Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK (see note 293956.1) |
Earliest Supported Release Affected |
Last Affected Patch set (per Supported Release) |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| EM01 |
CORE: Reporting Framework |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
9iR2 |
9.0.1.5, 9.2.0.7 |
--- |
| EM02 |
CORE: Reporting Framework |
Network (HTTP) |
None |
Easy |
Wide |
--- |
--- |
--- |
--- |
9iR2 |
9.0.1.5, 9.2.0.7 |
--- |
Required Conditions, Oracle Enterprise Manager Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Enterprise Manager Vulnerabilities
There are no recommended workarounds for the Oracle Enterprise Manager
vulnerabilities described in the Oracle Enterprise
Manager Risk Matrix.
Appendix F
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK (see note 293956.1) |
Earliest Supported Release Affected |
Last Affected Patch set (per Supported Release) |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| PSE01 |
PeopleTools |
Local access to web server node |
None |
Easy |
Limited |
Easy |
Limited |
--- |
--- |
8.46 GA
8.47 GA |
8.46.12
8.47.04 |
--- |
| JDE01 |
JD Edwards EnterpriseOne Security Server |
Local/Network (JDENET) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
EnterpriseOne Tools 8.95 |
8.95.J1 |
--- |
Required Conditions, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Vulnerabilities
There are no recommended workarounds for the listed vulnerabilities.
| 
Bookmark
