Critical Patch Update July 2005

PRODUCTS

Database
Middleware
Developer Tools
Enterprise Management
Applications Technology
Products A-Z

TECHNOLOGIES

BI & Data Warehousing
Embedded
Java
Linux
.NET
PHP
Security
Windows Server System
Technologies A-Z

ARCHITECTURE

Enterprise 2.0
Extreme Transaction Processing
Service-Oriented Architecture
Virtualization

COMMUNITY

Join OTN
Oracle ACEs
Oracle Wiki
Blogs
Podcasts
Events
Newsletters
Oracle Magazine
Oracle Books
Certification
User Groups
Partner White Papers

Printer View

E-mail this page

Bookmark

Critical Patch Update - July 2005

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches in the Updates are cumulative; each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates.

Supported Products Affected

The following supported product releases and versions are affected by the security vulnerabilities addressed by this Critical Patch Update:

Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle8 Database Release 8.0.6, version 8.0.6.3
Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
Oracle Enterprise Manager Application Server Control, versions 9.0.4.0, 9.0.4.1
Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
Oracle E-Business Suite and Applications Release 11.0
Oracle Workflow, versions 11.5.1 through 11.5.9.5
Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
Oracle JInitiator, versions 1.1.8, 1.3.1
Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2
Oracle Express Server, version 6.3.4.0

All the products and versions listed above are affected by the vulnerabilities fixed in this Critical Patch Update. However, some of these products and versions are only supported in conjunction with other products, in specific configurations, or on certain platforms. Please consult each product's Pre-Installation Note for specific details concerning the support and availability of patches for the products listed above.

Unsupported Products

Unsupported products, releases and versions have neither been tested for the presence of vulnerabilities addressed by this Critical Patch Update, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1. However, it is likely that earlier patch set levels of the affected releases are affected by these vulnerabilities.

Oracle Database Client-only Installations

The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle Database Client-only installations (installations that do not have the Oracle Database Server installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.

Patch Availability and Risk Matrices

For each Oracle product that is being administered, please consult the associated Pre-Installation Note for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please see the Oracle Critical Patch Update Documentation Map, MetaLink Note 311088.1.

Product Risk Matrix Pre-Installation Note

Oracle Database Server Appendix A - Oracle Database Server Risk Matrix Pre-Installation Note for the Oracle Database Server, MetaLink Note 311062.1

Oracle Application Server Appendix B - Oracle Application Server Risk Matrix Pre-Installation Note for the Oracle Application Server, MetaLink Note 311038.1

Oracle Collaboration Suite Appendix C - Oracle Collaboration Suite Risk Matrix Pre-Installation Note for the Oracle Collaboration Suite, MetaLink Note 311039.1

Oracle E-Business and Applications Appendix D - Oracle E-Business Risk Matrix Pre-Installation Note for the Oracle E-Business Suite, MetaLink Note 311040.1

Oracle Enterprise Manager Appendix E - Enterprise Manager Risk Matrix Pre-Installation Note for the Oracle Enterprise Manager, MetaLink Note 311061.1

Risk Matrix Contents

The risk matrices in this advisory list only the vulnerabilities that are new in this advisory. The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches for this Critical Patch Update are cumulative, and contain all the fixes from the previous Critical Patch Update. Risk matrices for these previous fixes can be found in the previous Critical Patch Update advisory.

E-Business Suite patches are not cumulative, so E-Business Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.

Oracle Collaboration Suite patches are not cumulative, so Oracle Collaboration Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.

One Vulnerability Appearing in Two Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update are in both the Database Server and Application Server products. The Risk Matrices show these shared vulnerabilities by specifying the Vuln #s from both matrices on a single vulnerability row.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk of exploit and impact of exploit. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Pre-Installation notes, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code nor “proof-of-concept” code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS). De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support (ES) are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.

Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates.

Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES & EMS.

References

Critical Patch Update - July 2005 FAQ, MetaLink Note 311037.1
MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
Oracle Critical Patch Update Documentation Map, MetaLink Note 311088.1
Security Alerts and Critical Patch Updates- Frequently Asked Questions, MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle’s attention: Gerhard Eschelbeck of Qualys, Inc., Esteban Martínez Fayó of Application Security, Inc., Alexander Kornbrust of Red Database Security, Stephen Kost of Integrigy, David Litchfield of NGSS Limited, Michael Murray of nCircle Network Security, Aaron C. Newman of Application Security, Inc., Mike Sues of Rigel Kent Security.

Modification History

2005-JUL-12: Initial release, version 1

Appendix A
Oracle Database Server Risk Matrix
Critical Patch Update - July 2005

Vuln#	Component	Access Required (Protocol)	Authorization Needed (Package or Privilege Required)	RISK						Earliest Supported Release Affected	Last Affected Patch set (per Supported Release)	Workaround
				Confidentiality		Integrity		Availability
				Ease	Impact	Ease	Impact	Ease	Impact
DB01	Oracle Express Server	Network	None	---	---	---	---	Easy	Limited	6.3.4	6.3.4	---
DB02	Oracle OLAP	SQL (Oracle Net)	Database (execute on olapsys)	---	---	---	---	Easy	Wide	10g	10.1.0.4(10g)	---
DB03	Component Registry	SQL (Oracle Net)	Database (execute on dbms_registry)	Difficult	Wide	Difficult	Wide	---	---	9iR2	9.2.0.6(9iR2), 10.1.0.3(10g)	---
DB04	CORE	SQL (Oracle Net)	Database (execute on utl_file)	Difficult	Limited	Difficult	Limited	---	---	8i	8.1.7.4(8i), 9.0.1.4(9i), 9.2.0.5(9iR2), 10.1.0.3(10g)	---
DB05	CORE	SQL (Oracle Net)	Database (ability to create database link)	Difficult	Limited	Difficult	Limited	---	---	9iR2	9.2.0.6(9iR2), 10.1.0.4(10g)	---
DB06	XML Database	Network (HTTP)	Database	Easy	Limited	---	---	---	---	9iR2	9.2.0.6(9iR2), 10.1.0.3(10g)	---
DB07	XML Database	Network (FTP)	None	Difficult	Limited	Difficult	Limited	Easy	Limited	9iR2	9.2.0.6(9iR2), 10.1.0.3(10g)	---
DB08	iSQL*Plus	Network (HTTP)	None	---	---	---	---	Easy	Wide	9iR2	9.2.0.5(9iR2), 10.1.0.2(10g)	Use a TNS listener password
DB09	iSQL*Plus	SQL (Oracle Net)	Database	Easy	Limited	---	---	---	---	10g	10.1.0.2(10g)	---
DB10	Single Sign-On	Network (HTTP)	None	Easy	Limited	---	---	---	---	8i	8.1.7.4(8i), 9.0.1.5(9i), 9.0.1.5FIPS(9i), 10.1.0.4(10g)	---
DB11 AS07	Oracle HTTP Server (mod_ssl)	Network (HTTPS)	None	Difficult	Wide	Difficult	Wide	---	---	8i	8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g)	---
DB12 AS08	Oracle HTTP Server (mod_access)	Network (HTTPS)	None	Difficult	Wide	Difficult	Wide	---	---	8i	8.1.7.4(8i), 9.0.1.5(9i), 9.2.0.6(9iR2), 10.1.0.4(10g)	---

If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Database Vulnerabilities section of this document.

If a workaround is indicated, the Workarounds, Oracle Database Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

DB08: Setting and using a TNS Listener password eliminates this vulnerability.

Appendix B
Application Server Risk Matrix
Critical Patch Update - July 2005

Vuln#	Component	Access Required (Protocol)	Authorization Needed (Package or Privilege Required)	RISK						Earliest Supported Release Affected	Last Affected Patch set	Workaround
				Confidentiality		Integrity		Availability
				Ease	Impact	Ease	Impact	Ease	Impact
AS01	Oracle Containers for J2EE	Network	None	Easy	Limited	---	---	---	---	9.0.2.3	9.0.2.3, 9.0.3.1	---
AS02	Oracle Forms	Local	OS	Easy	Limited	Easy	Limited	---	---	4.5.10.22	4.5.10.22, 6.0.8.25	---
AS03	Oracle Forms	Local	OS	Easy	Limited	---	---	---	---	4.5.10.22	4.5.10.22, 6.0.8.25	---
AS04	Oracle Forms	Local	OS	Easy	Limited	---	---	---	---	4.5.10.22	4.5.10.22, 6.0.8.25	---
AS05	Oracle Forms	Network (HTTP)	None	---	---	---	---	Easy	Wide	4.5.10.22	4.5.10.22, 6.0.8.25	---
AS06	Oracle Forms	Network (HTTP)	Authenticated User	Easy	Wide	Easy	Wide	---	---	4.5.10.22	4.5.10.22, 6.0.8.25	---
AS07 DB11	Oracle HTTP Server (mod_ssl)	Network (HTTPS)	None	Difficult	Wide	Difficult	Wide	---	---	1.0.2.2	1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1	---
AS08 DB12	Oracle HTTP Server (mod_access)	Network (HTTPS)	None	Difficult	Wide	Difficult	Wide	---	---	1.0.2.2	1.0.2.2, 9.0.2.3, 9.0.3.1, 9.0.4.1	---
AS09	Oracle JDeveloper	Local	OS	Easy	Limited	Easy	Limited	---	---	9.0.4	9.0.4, 10.1.2	---
AS10	Oracle JDeveloper	Local	OS	Easy	Wide	Easy	Wide	---	---	9.0.3	9.0.3, 10.1.2	---
AS11	Oracle Reports Developer	Network (HTTP)	None	Difficult	Limited	Difficult	Limited	Easy	Limited	9.0.2.3	9.0.2.3, 9.0.4.2	---
AS12	Oracle JInitiator	Network (HTTP)	None	Difficult	Limited	Difficult	Limited	---	---	1.1.8	1.1.8.24, 1.3.1.20	---

If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Application Server Vulnerabilities section of this document.

If a workaround is indicated, the Workarounds, Oracle Application Server Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities

There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Oracle Application Server Risk Matrix.

Appendix C
Collaboration Suite Risk Matrix
Critical Patch Update - July 2005

Vuln#	Component	Access Required (Protocol)	Authorization Needed (Package or Privilege Required)	RISK						Workaround
				Confidentiality		Integrity		Availability
				Ease	Impact	Ease	Impact	Ease	Impact
OCS01	Email Server	Network (SMTP)	None	---	---	---	---	Easy	Limited	---
OCS02	Email Server	Network (SMTP)	None	---	---	---	---	Easy	Wide	---
OCS03	Email Server	Network (IMAP)	Authenticated OCS user	Difficult	Wide	Difficult	Wide	Easy	Wide	---
OCS04	Email Server	Network (HTTP)	Authenticated OCS user	---	---	---	---	Easy	Wide	---
OCS05	Oracle Web Conferencing	Network (HTTP)	None	Easy	Limited	---	---	---	---	---
OCS06	Oracle Web Conferencing	Network (HTTP)	None	Easy	Limited	---	---	---	---	---

If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Collaboration Suite Vulnerabilities section of this document.

If a workaround is indicated, the Workarounds, Oracle Collaboration Suite Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.

Appendix D
E-Business Suite Risk Matrix
Critical Patch Update - July 2005

Vuln#	Access Required (Protocol)	Authorization Needed (Package or Privilege Required)	RISK						Earliest Supported Release Affected	Last Affected Patch set	Workaround
			Confidentiality		Integrity		Availability
			Ease	Impact	Ease	Impact	Ease	Impact
APPS01	Network (HTTP)	Valid Session	Difficult	Wide	Difficult	Wide	---	---	11.5.0	11.5.9.5	---
APPS02	Network (HTTP)	Valid Session	Difficult	Wide	---	---	---	---	11.5.0	11.5.9.5	---
APPS03	Network (HTTP)	None	Difficult	Wide	Difficult	Wide	---	---	11.5.0	11.5.9.5	---
APPS04	SQL (Oracle Net)	Database (execute on portal.wpg_session or owf_mgr.wf_event_html)	Difficult	Wide	Difficult	Wide	---	---	11.5.0	11.5.9.5	---
APPS05	Network (HTTP)	Valid Session	Easy	Limited	---	---	---	---	11.5.0	11.5.9.5	---
APPS06	Network (HTTP)	Valid Session	Easy	Wide	Easy	Wide	---	---	11.5.7	11.5.10	---
APPS07	Network (HTTP)	Valid Session	Easy	Wide	Easy	Wide	---	---	11.5.8	11.5.9	---
APPS08	Network (HTTP)	Valid Session	Easy	Wide	Easy	Wide	---	---	11.5.8	11.5.10	---
APPS09	Network (HTTP)	Valid Session	Difficult	Wide	Difficult	Wide	---	---	11.0	11.5.10	---
APPS10	Network (HTTP)	Valid Session	Easy	Wide	Difficult	Wide	---	---	11.0	11.5.9	---
APPS11	Network (HTTP)	None	Easy	Limited	---	---	---	---	11.5.6	11.5.10	---
APPS12	Network (HTTP)	None	Easy	Limited	---	---	---	---	11.5.9	11.5.10	---
APPS13	Network (HTTP)	None	Easy	Limited	---	---	---	---	11.5.8	11.5.10	---
APPS14	Network (HTTP)	None	Easy	Limited	---	---	---	---	11.0	11.5.9	---
APPS15	Network (HTTP)	None	Easy	Wide	Easy	Wide	---	---	11.5.4	11.5.10	---
APPS16	Network (HTTP)	Valid Session	Easy	Limited	Easy	Limited	---	---	11.5.6	11.5.10.CU1	---
APPS17	Network (HTTP)	None	Easy	Limited	---	---	---	---	6.0.8	6.0.8.25	---

If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle E-Business Suite Vulnerabilities section of this document.

If a workaround is indicated, the Workarounds, Oracle E-Business Suite Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle E-Business Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities. An installed version of Oracle E-Business Suite and a connected session are sufficient.

Workarounds, E-Business Suite Vulnerabilities

There are no recommended workarounds for the Oracle E-Business Suite vulnerabilities described in the Oracle E-Business Suite Risk Matrix.

Appendix E
Enterprise Manager Risk Matrix
Critical Patch Update - July 2005

Vuln#	Component	Access Required (Protocol)	Authorization Needed (Package or Privilege Required)	RISK						Earliest Supported Release Affected	Last Affected Patch set (per Supported Release)	Workaround
				Confidentiality		Integrity		Availability
				Ease	Impact	Ease	Impact	Ease	Impact
EM01	Instance Management	SQL (Oracle Net)	None	Easy	Limited	Easy	Limited	---	---	9iR2	9.2.0.6(9iR2), 10.1.0.4(10g)	---
EM02	CORE: SDK	Network	None	---	---	---	---	Difficult	Wide	8i	8.1.7.4(8i), 9.0.1.4(9i), 9.0.1.5FIPS(9i), 9.2.0.6(9iR2)	---

If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Enterprise Manager Vulnerabilities section of this document.

If a workaround is indicated, the Workarounds, Oracle Enterprise Manager Vulnerabilities section of this document describes a workaround for the Vuln# given above.

Required Conditions, Oracle Enterprise Manager Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Enterprise Manager Vulnerabilities

There are no recommended workarounds for the Oracle Enterprise Manager vulnerabilities described in the Oracle Enterprise Manager Risk Matrix.

E-mail this page

Printer View

	About Oracle \| \| Careers \| Contact Us \| Site Maps \| Legal Notices \| Terms of Use \| Privacy