Oracle Critical Patch Update - January 2006
Description
A Critical Patch Update is a collection of patches for multiple
security vulnerabilities. It also includes non-security fixes that are
required (because of interdependencies) by those security patches.
Supported Products and Components Affected
The security vulnerabilities addressed by this Critical Patch
Update affect the products listed in Categories I, II, and III
below.
Category I
Product releases and versions that
are covered by Error Correction Support (ECS) or Extended Maintenance
Support (EMS):
- Oracle Database 10g Release 2, version 10.2.0.1
- Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
- Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
- Oracle8i Database Release 3, version 8.1.7.4
- Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
- Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
- Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
- Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
- Oracle9i Collaboration Suite Release 2, version 9.0.4.2
- Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
- Oracle E-Business Suite Release 11.0
- PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
- JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1
Category II
Products and components that are bundled with the products listed in Category I:
- Oracle Database 10g Release 1, version 10.1.0.4.2
- Oracle Developer Suite, versions 6i, 9.0.2.1, 9.0.4.1, 9.0.4.2, 10.1.2.0
- Oracle Workflow, versions 11.5.1 through 11.5.9.5
Category III
Products that are de-supported as a standalone installation but are
supported when installed with the products listed in Category I:
- Oracle9i Database Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
- Oracle8 Database Release 8.0.6, version 8.0.6.3
- Oracle9i Application Server Release 1, version 1.0.2.2
Patches for Category III products are only available when these
products are installed as part of Category I products, and are tested
solely on supported configurations and environments. Please refer to
the Pre-Installation Note for each product for specific details
concerning the support and availability of patches.
Unsupported Products
Unsupported products, releases and versions have been neither tested
for the presence of vulnerabilities addressed by this Critical Patch
Update, nor patched, in accordance with section 4.3.3.3 of the
Software Error Correction Support Policy, MetaLink Note 209768.1.
However, it is likely that earlier patch sets of the affected
releases are affected by these vulnerabilities.
New for this Critical Patch Update
Oracle has provided a default account and password checking utility
intended to assist customers with securing certain default database accounts.
The utility can be obtained from
Patch 4926128, and is described in MetaLink Note 340009.1.
This utility does not replace the essential security guidelines
outlined in the
security checklist, nor does it lessen the importance of verifying the status of all
default database accounts. Oracle E-Business Suite customers should
refer to the Best Practices for Securing Oracle E-Business Suite,
MetaLink Note 189367.1.
It is imperative for customers to test and analyze the recommendations
before implementing in production.
Oracle Database Client-only Installations
Three issues addressed in this Critical Patch Update are applicable to
Oracle Database Client-only installations (installations that do not
have the Oracle Database installed).
One vulnerability (DBC02) is in a utility that can be forced to
terminate if given long arguments, potentially allowing code of an
attacker's choice to be executed. However, this utility is not
installed with setuid (elevated) privileges, so the risk that it can
be effectively exploited is very low.
One of the issues (JN01) enables JDBC clients to bind to OID servers
configured to disallow anonymous binds. If JDBC clients are not used
to access an OID server, or the OID server is configured to allow
anonymous binds, then this particular issue is not applicable to
client-only installations.
The final client-only related vulnerability (DBC01) concerns named
pipes in Windows. The vulnerability is exploitable only when a
malicious person is able to create a named pipe that is subsequently
used to communicate to a remote database server, also running
Windows. This is a rare configuration; clients not configured in this
manner are not vulnerable.
All three issues applicable to client-only installations are either
very low risk or only applicable in specific configurations. Customers
are advised to determine the priority of applying the Critical Patch
Update to client-only installations based on the risk to their
environment.
Otherwise, it is not necessary to apply this Critical Patch Update to
client-only installations if a prior Critical Patch Update, or Alert
68, has already been applied to the client-only installations.
Patch Availability and Risk Matrices
The Oracle Database, Oracle Application Server, Oracle Enterprise
Manager Grid Control, Oracle Collaboration Suite, JD Edwards
EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
Applications patches in the Updates are cumulative; each successive
Critical Patch Update contains the fixes from the previous Critical
Patch Updates.
Oracle E-Business Suite and Applications patches are not cumulative,
so E-Business Suite and Applications customers should refer to
previous Critical Patch Updates to identify previous fixes they wish
to apply.
For each Oracle product that is being administered, please consult the
associated Pre-Installation Note for patch availability information
and installation instructions. For an overview of all the documents
related to this Critical Patch Update, please refer to the
Oracle Critical Patch Update January 2006 Documentation Map, MetaLink Note 343383.1.
Risk Matrix Contents
The risk matrices list only security vulnerabilities, and only the
security vulnerabilities that are newly fixed by the patches
associated with this advisory. Risk matrices for previous fixes can
be found in
previous Critical Patch Update advisories.
One Vulnerability Appearing in Several Risk Matrices
Several vulnerabilities addressed by this Critical Patch Update affect
multiple products. The Risk Matrices show these shared vulnerabilities
by using a distinct Vuln # identification for each of them in
their row in the Risk Matrix. These rows are then duplicated into all
appropriate risk matrices under a gray dividing line.
Risk Matrix Definitions
MetaLink Note
293956.1 defines the terms used in the Risk Matrices.
Risk Analysis and Blended Attacks
Oracle has analyzed each potential vulnerability separately for risk
and impact of exploitation. Oracle has performed no analysis on the
likelihood and impact of blended attacks (i.e. the exploitation of
multiple vulnerabilities combined in a single attack).
Policy Statement on Information Provided in Critical Patch Updates
and Security Alerts
Oracle conducts an analysis of each security vulnerability addressed
by a Critical Patch Update (CPU) or a Security Alert. The results of
the security analysis are reflected in the associated documentation
describing, for example, the type of vulnerability, the conditions
required to exploit it and the result of a successful exploit. Oracle
provides this information, in part, so that customers may conduct
their own risk analysis based on the particulars of their product
usage.
As a matter of policy, Oracle will not provide additional information
about the specifics of vulnerabilities beyond what is provided in the
CPU or Security Alert notification, the Pre-Installation notes, the
readme files, and FAQs. Oracle does not provide advance notification
on CPU or Security Alerts to individual customers. Finally, Oracle
does not develop or distribute active exploit code nor
“proof-of-concept” code for vulnerabilities in our
products.
Critical Patch Update Availability for De-Supported Versions
Critical Patch Updates are available for customers who have purchased
Extended Maintenance Support (EMS) before the implementation of the
Lifetime Support Policy. De-support Notices indicate whether EMS is
available for a particular release and platform, as well as the
specific period during which EMS will be available.
Customers with valid licenses for product versions covered by Extended
Support (ES), before the implementation of the Lifetime Support
Policy, are entitled to download existing fixes; however, new issues
that may arise from the application of patches are not covered under
ES. Therefore, ES customers should have comprehensive plans to enable
removal of any applied patch.
Oracle will not provide Critical Patch Updates for product versions
which are no longer covered under the Extended Maintenance Support
plan or the Lifetime Support Policy. We recommend that customers
upgrade to the latest supported version of Oracle products in order to
obtain Critical Patch Updates.
Please review the "Extended Support" section within the Technical Support
Policies for further guidelines regarding ES and EMS.
References
-
Oracle Critical Patch Updates and Security Alerts
- Critical Patch Update - January 2006 Documentation Map, MetaLink Note 343383.1.
- Critical Patch Update - January 2006 FAQ, MetaLink Note
343391.1
- Critical Patch Update Program General FAQ, MetaLink Note
290738.1
- Risk Matrix term definitions, MetaLink Note 293956.1
- Security Alerts and Critical Patch Updates- Frequently Asked Questions,
MetaLink Note
237007.1
Credits
The following people discovered and brought security vulnerabilities
addressed by this Critical Patch Update to Oracle's attention:
Raffaele Amendola;
Cesar Cerrudo and Esteban Martinez Fayo of Application Security, Inc.;
Joxean Koret;
Alexander Kornbrust of Red Database Security GmbH;
David Litchfield of Next Generation Security Software Ltd.;
Srinivas Nookala of Cenzic, Inc.;
Steve Orrin formally of Watchfire, Inc.;
Amichai Shulman of Imperva, Inc.
Modification History
Appendix A
Oracle Database Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK |
Earliest Supported Release Affected |
Last Affected Patch set (per Supported Release) |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| DB01 |
Advanced Queuing |
SQL (Oracle Net) |
Database (execute on sys.dbms_aqadm_sys or sys.dbms_aqadm_syscalls) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.6, 10.1.0.3 |
--- |
| DB02 |
Change Data Capture |
SQL (Oracle Net) |
Database (execute on sys.dbms_cdc_utility) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5, 10.2.0.1 |
--- |
| DB03 |
Connection Manager |
Network |
None |
--- |
--- |
--- |
--- |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5 |
--- |
| DB04 |
Data Pump |
SQL (Oracle Net) |
Database (execute on sys.kupw$worker) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
10g |
10.1.0.5 |
--- |
| DB05 |
Data Pump Metadata API |
SQL (Oracle Net) |
Database (execute on sys.dbms_metadata) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB06 |
Data Pump Metadata API |
SQL (Oracle Net) |
Database (execute on sys.dbms_datapump) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
10g |
10.1.0.5 |
--- |
| DB07 |
Dictionary |
Local |
Database and OS (alter session, read permission on database log files) |
Easy |
Wide |
--- |
--- |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 |
--- |
| DB08 |
Net Foundation Layer |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, 10.1.0.4 |
--- |
| DB09 |
Net Listener |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, 10.2.0.1 |
--- |
| DB10 |
Net Listener |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
10g |
10.1.0.5 |
--- |
| DB11 |
Net Listener |
Network (Oracle Net) |
None (network access to a Listener) |
--- |
--- |
Easy |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7 |
--- |
| DB12 |
Network Communications (RPC) |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, 10.2.0.1 |
--- |
| DB13 |
Network Communications (RPC) |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, 10.2.0.1 |
--- |
| DB14 |
Oracle Label Security |
SQL (Oracle Net) |
Database (execute on lbacsys.lbac_cache) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5 |
--- |
| DB15 |
Oracle Text |
SQL (Oracle Net) |
Database (execute on cxtsys.catsearch) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB16 |
Oracle Text |
SQL (Oracle Net) |
Database (use of a rewrite specification) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
10g |
10.1.0.5 |
--- |
| DB17 |
Oracle Text |
SQL (Oracle Net) |
Database (ability to create a ctxsys index) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.1 |
--- |
| DB18 |
Program Interface Network |
SQL (Oracle Net) |
Database(no special privileges needed) |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, 10.2.0.1 |
--- |
| DB19 |
Query Optimizer |
SQL (Oracle Net) |
Database (execute on sys.outln_pkg) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9i |
9.0.1.5, 9.2.0.7, 10.1.0.5 |
--- |
| DB20 |
Query Optimizer |
SQL (Oracle Net) |
Database (no special privileges needed) |
--- |
--- |
--- |
--- |
Easy |
Wide |
9iR2 |
9.2.0.6, 10.1.0.4 |
--- |
| DB21 |
Security |
SQL (Oracle Net) |
Database (execute on sys.dbms_fga.add_policy) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9i |
9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, 10.1.0.4 |
--- |
| DB22 |
Streams Apply |
SQL (Oracle Net) |
Database (execute on sys.dbms_apply_adm_internal) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB23 |
Streams Capture |
SQL (Oracle Net) |
Database (execute on sys.dbms_capture_adm_internal) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB24 |
Streams Capture |
SQL (Oracle Net) |
Database (execute on sys.dbms_capture_process) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB25 |
Streams Capture |
SQL (Oracle Net) |
Database (execute on sys.dbms_cdc_ipublish) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
10g |
10.1.0.5, 10.2.0.1 |
--- |
| DB26 |
Streams Subcomponent |
SQL (Oracle Net) |
Database (execute on sys.dbms_apply_process) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.5 |
--- |
| DB27 |
TDE Wallet |
Local |
OS (ability to access the SGA (e.g. via dumpsga)) |
Easy |
Wide |
--- |
--- |
--- |
--- |
10g |
10.2.0.1 |
--- |
| DB28 |
Upgrade & Downgrade |
SQL (Oracle Net) |
Database (execute on sys.dbms_registry) |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.4 |
--- |
| DB29 |
XML Database |
SQL (Oracle Net) |
Database (execute on xdb.dbms_xmlschema or xdb.dbms_xmlschema_int) |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
9iR2 |
9.2.0.7, 10.1.0.4 |
--- |
|
| DBC01 |
Protocol Support |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5 |
--- |
| DBC02 |
Reorganize Objects & Convert Tablespace |
Local |
OS (ability to run nmuct) |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
10g |
10.1.0.4.2 |
--- |
| JN01 |
Java Net |
Network (OID) |
None (network access to an OID server) |
Easy |
Wide |
--- |
--- |
--- |
--- |
8i |
8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.4 |
--- |
| OHS01 |
Oracle HTTP Server |
Network (HTTP) |
None |
Easy |
Wide |
--- |
--- |
--- |
--- |
9i |
9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5 |
--- |
| OHS02 |
Oracle HTTP Server |
Network (HTTP) |
None |
--- |
--- |
--- |
--- |
Easy |
Wide |
10g |
10.1.0.5 |
--- |
| WF01 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
9iR2 |
9.2.0.7 |
--- |
| WF02 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
10g |
10.2.0.1 |
--- |
| WF03 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
10g |
10.2.0.1 |
--- |
Required Conditions, Oracle Database Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle Database Vulnerabilities
There are no recommended workarounds for the Oracle Database
vulnerabilities described in the Oracle Database Risk Matrix.
Appendix B
Oracle Application Server Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK |
Earliest Supported Release Affected |
Last Affected Patch set |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| AS01 |
Portal |
Network (HTTP) |
None |
Easy |
Wide |
--- |
--- |
--- |
--- |
1.0.2.2 |
9.0.4.2, 10.1.2.0 |
--- |
|
| JN01 |
Java Net |
Network (OID) |
None (network access to an OID server) |
Easy |
Wide |
--- |
--- |
--- |
--- |
1.0.2.2 |
1.0.2.2, 9.0.4.2, 10.1.2.0.2 |
--- |
| OHS01 |
Oracle HTTP Server |
Network (HTTP) |
None |
Easy |
Wide |
--- |
--- |
--- |
--- |
1.0.2.2 |
1.0.2.2, 9.0.4.2, 10.1.2.0.2 |
--- |
| OHS02 |
Oracle HTTP Server |
Network (HTTP) |
None |
--- |
--- |
--- |
--- |
Easy |
Wide |
10.1.2.0 |
10.1.2.0.2 |
--- |
| FORM01 |
Oracle Forms |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
9.0.4.1 |
9.0.4.2, 10.1.2.0.2 (10.1.2.0 is not affected) |
--- |
| FORM02 |
Oracle Forms |
Local and Network(HTTP) |
OS (ability to upload files to Forms server) |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
9.0.4.1 |
9.0.4.2, 10.1.2.0.2 (10.1.2.0 is not affected) |
--- |
| REP01 |
Oracle Reports Developer |
Network (HTTP) |
None |
--- |
--- |
Easy |
Wide |
--- |
--- |
9.0.4.1 |
9.0.4.1 |
--- |
| REP02 |
Oracle Reports Developer |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
9.0.4.1 |
9.0.4.2 |
--- |
| REP03 |
Oracle Reports Developer |
Local and Network(HTTP) |
OS (ability to upload files to Reports server) |
Easy |
Wide |
Easy |
Wide |
Easy |
Wide |
9.0.4.1 |
9.0.4.2, 10.1.2.0.2(10.1.2.0 is not affected) |
--- |
| REP04 |
Oracle Reports Developer |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
9.0.4.1 |
9.0.4.2 |
--- |
| REP05 |
Oracle Reports Developer |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
6.0.8.26(PS17) |
6.0.8.26(PS17) |
--- |
| REP06 |
Oracle Reports Developer |
Network (HTTP) |
None |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
6.0.8.26(PS17) |
6.0.8.26(PS17) |
--- |
| WF01 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
9.0.4.1 |
9.0.4.2, 10.1.2.1 |
--- |
| WF02 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
9.0.4.1 |
9.0.4.2, 10.1.2.1 |
--- |
| WF03 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
9.0.4.1 |
9.0.4.2, 10.1.2.1 |
--- |
| DBC01 |
Protocol Support |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
1.0.2.2 |
1.0.2.2, 9.0.4.2, 10.1.2.0.2 |
--- |
| DBC02 |
Reorganize Objects & Convert Tablespace |
Local |
OS (ability to run nmuct) |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
10.1.2.0 |
10.1.2.0.2 |
--- |
Required Conditions, Oracle Application Server Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle Application Server Vulnerabilities
There are no recommended workarounds for the Oracle Application Server
vulnerabilities described in the Application Server Suite Risk Matrix.
Appendix C
Oracle Collaboration Suite Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| OCS01 |
Email Server |
Network (EMAIL) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS02 |
Email Server |
Network (EMAIL) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS03 |
Email Server |
Network (IMAP) |
Valid Session |
--- |
--- |
--- |
--- |
Easy |
Wide |
--- |
| OCS04 |
Email Server |
Network (IMAP/POP) |
None |
--- |
--- |
--- |
--- |
Easy |
Wide |
--- |
| OCS05 |
Email Server |
Network (SMTP) |
None |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
--- |
| OCS06 |
Email Server |
Network (SMTP) |
None |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
--- |
| OCS07 |
Email Server |
Network (SMTP) |
None |
Difficult |
Wide |
Difficult |
Wide |
Easy |
Wide |
--- |
| OCS08 |
Email Server |
Local |
OS |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS09 |
Email Server |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS10 |
Oracle Collaboration Suite Wireless & Voice |
Local |
OS |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS11 |
Oracle Collaboration Suite Wireless & Voice |
Network (SMS) |
Valid Session |
Difficult |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS12 |
Oracle Content Management SDK |
Network (FTP) |
None |
Difficult |
Limited |
Difficult |
Limited |
--- |
--- |
--- |
| OCS13 |
Oracle Content Management SDK |
Network (HTTP) |
Valid Session |
--- |
--- |
Easy |
Limited |
Difficult |
Wide |
--- |
| OCS14 |
Oracle Content Services |
Network (EMAIL) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| OCS15 |
Oracle Content Services |
Network (HTTP) |
None |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
--- |
|
| WF01 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| WF02 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| WF03 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
--- |
| DBC01 |
Protocol Support |
Network (Oracle Net) |
None (network access to a Listener) |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
--- |
| DBC02 |
Reorganize Objects & Convert Tablespace |
Local |
OS (ability to run nmuct) |
Difficult |
Limited |
Difficult |
Limited |
Difficult |
Limited |
--- |
Required Conditions, Oracle Collaboration Suite Vulnerabilities
No additional conditions are required in order to exploit the listed
vulnerabilities.
Workarounds, Oracle Collaboration Suite Vulnerabilities
There are no recommended workarounds for the Oracle Collaboration Suite
vulnerabilities described in the Oracle Collaboration Suite Risk
Matrix.
Appendix D
Oracle E-Business Suite and Applications Risk Matrix
| Vuln# |
Component |
Access Required (Protocol) |
Authorization Needed (Package or Privilege Required) |
RISK |
Earliest Supported Release Affected |
Last Affected Patch set |
Workaround |
| Confidentiality |
Integrity |
Availability |
| Ease |
Impact |
Ease |
Impact |
Ease |
Impact |
| APPS01 |
Application Install |
Local |
OS (access to log files) |
Easy |
Wide |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS02 |
CRM Technical Foundation |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.4 |
11.5.9 |
--- |
| APPS03 |
iProcurement |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.9 |
11.5.9 |
--- |
| APPS04 |
Oracle Application Object Library |
Local |
OS (access to log files) |
Easy |
Wide |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.9 |
--- |
| APPS05 |
Oracle Application Object Library |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.9 |
11.5.9 |
--- |
| APPS06 |
Oracle Application Object Library |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.9 |
--- |
| APPS07 |
Oracle Applications Framework |
Network (HTTP) |
Valid Session |
Easy |
Wide |
Easy |
Wide |
--- |
--- |
11.0 |
11.5.10 |
--- |
| APPS08 |
Oracle Applications Technology Stack |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS09 |
Oracle Applications Technology Stack |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS10 |
Oracle Applications Technology Stack |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS11 |
Oracle Applications Technology Stack |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
| APPS12 |
Oracle Human Resources |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.5.2 |
11.5.10 |
--- |
| APPS13 |
Oracle iLearning |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
4.2 |
4.3 |
--- |
| APPS14 |
Oracle iLearning |
Network (HTTP) |
None |
Easy |
Limited |
--- |
--- |
--- |
--- |
4.2 |
4.3 |
--- |
| APPS15 |
Oracle Marketing |
Network (HTTP) |
Valid Session |
Easy |
Limited |
Easy |
Limited |
--- |
--- |
11.5.10 |
11.5.10 |
--- |
| APPS16 |
Oracle Marketing |
Network (HTTP) |
Valid Session |
Easy |
Limited |
Easy |
Limited |
--- |
--- |
11.5.10 |
11.5.10 |
--- |
| APPS17 |
Oracle Marketing Encyclopedia System |
Network (HTTP) |
Valid Session |
Easy |
Limited |
Easy |
Limited |
--- |
--- |
11.5.10 |
11.5.10 |
--- |
| APPS18 |
Oracle Trade Management |
Network (HTTP) |
Valid Session |
Easy |
Limited |
Easy |
Limited |
--- |
--- |
11.5.10 |
11.5.10 |
--- |
| APPS19 |
Oracle Web Applications Desktop Integration |
Network (HTTP) |
Valid Session |
Easy |
Limited |
Easy |
Limited |
--- |
--- |
11.5.1 |
11.5.10 |
--- |
|
| WF01 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.0 |
11.5.10 |
--- |
| WF02 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
--- |
--- |
--- |
--- |
11.0 |
11.5.10 |
--- |
| WF03 |
Oracle Workflow Cartridge |
Network (HTTP) |
Valid Session |
Easy |
Limited |
---</ | |
Bookmark