Oracle Critical Patch Update - October 2005

Description

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches.

Supported Products and Components Affected

The security vulnerabilities addressed by this Critical Patch Update affect the products listed in Categories I, II, and III below.

Category I

Product releases and versions that are covered by Error Correction Support (ECS) or Extended Maintenance Support (EMS):

• Oracle Database 10g Release 2, version 10.2.0.1
• Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4
• Oracle9i Database Release 2, versions 9.2.0.5, 9.2.0.6, 9.2.0.7
• Oracle8i Database Release 3, version 8.1.7.4
• Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
• Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2
• Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
• Oracle Collaboration Suite 10g Release 1, version 10.1.1
• Oracle9i Collaboration Suite Release 2, version 9.0.4.2
• Oracle Workflow, versions 2.6.2, 2.6.3, 2.6.3.5, 2.6.4
• Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 and 11.5.10 CU2
• Oracle E-Business Suite Release 11.0
• Oracle Clinical, versions 4.5.0 and 4.5.1
• PeopleSoft Enterprise Tools, versions 8.4x through 8.46.03
• PeopleSoft CRM, versions 8.81 through 8.9
• JD Edwards EnterpriseOne, OneWorld XE, versions 8.95_B1, 8.94_Q1, SP23_K1

Category II

Products and components that are bundled with the products listed in Category I:

• Oracle Database 10g Release 1, version 10.1.0.4.2
• Oracle Developer Suite, versions 9.0.2.1, 9.0.4.1, 9.0.4.2, 10.1.2.0
• Oracle Enterprise Manager Application Server Control, versions 9.0.4.1, 9.0.4.2
• Oracle Enterprise Manager 10g Database Control, versions 10.1.0.3, 10.1.0.4

Category III

Products that are desupported as a standalone installation but are supported when installed with the products listed in Category I:

• Oracle9i Database Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
• Oracle8 Database Release 8.0.6, version 8.0.6.3
• Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
• Oracle9i Application Server Release 1, version 1.0.2.2

Patches for Category III products are only available when these products are installed as part of Category I products, and are tested solely on supported configurations and environments. Please refer to the Pre-Installation Note for each product for specific details concerning the support and availability of patches.

Unsupported Products

Unsupported products, releases and versions have been neither tested for the presence of vulnerabilities addressed by this Critical Patch Update, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy, MetaLink Note 209768.1. However, it is likely that earlier patch sets of the affected releases are affected by these vulnerabilities.

Oracle Database Client-only Installations

The new database vulnerabilities addressed by this Critical Patch Update do not affect Oracle Database Client-only installations (installations that do not have the Oracle Database installed). Therefore, it is not necessary to apply this Critical Patch Update to client-only installations if a prior Critical Patch Update, or Alert 68, has already been applied to the client-only installations.

Patch Availability and Risk Matrices

The Oracle Database, Enterprise Manager, Oracle Application Server and Oracle Collaboration Suite patches in the Updates are cumulative; each successive Critical Patch Update contains the fixes from the previous Critical Patch Updates.

Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.

For each Oracle product that is being administered, please consult the associated Pre-Installation Note for patch availability information and installation instructions. For an overview of all the documents related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2005 Documentation Map, MetaLink Note 333954.1.

Risk Matrix Contents

The risk matrices list only security vulnerabilities, and only the security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous fixes can be found in previous Critical Patch Update advisories.

One vulnerability appearing in two Risk Matrices

Several vulnerabilities addressed by this Critical Patch Update affect both the Database and Application Server products. The Risk Matrices show these shared vulnerabilities by specifying the Vuln #s from both matrices on a single vulnerability row.

Risk Matrix Definitions

MetaLink Note 293956.1 defines the terms used in the Risk Matrices.

Risk Analysis and Blended Attacks

Oracle has analyzed each potential vulnerability separately for risk and impact of exploitation. Oracle has performed no analysis on the likelihood and impact of blended attacks (i.e. the exploitation of multiple vulnerabilities combined in a single attack).

Policy Statement on Information Provided in Critical Patch Updates and Security Alerts

Oracle Corporation conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU) or a Security Alert. The results of the security analysis are reflected in the associated documentation describing, for example, the type of vulnerability, the conditions required to exploit it and the result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage.

As a matter of policy, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Pre-Installation notes, the readme files, and FAQs. Oracle does not provide advance notification on CPU or Security Alerts to individual customers. Finally, Oracle does not develop or distribute active exploit code nor “proof-of-concept” code for vulnerabilities in our products.

Critical Patch Update Availability for De-Supported Versions

Critical Patch Updates are available for customers who have purchased Extended Maintenance Support (EMS) before the implementation of the Lifetime Support Policy. De-support Notices indicate whether EMS is available for a particular release and platform, as well as the specific period during which EMS will be available.

Customers with valid licenses for product versions covered by Extended Support (ES), before the implementation of the Lifetime Support Policy, are entitled to download existing fixes; however, new issues that may arise from the application of patches are not covered under ES. Therefore, ES customers should have comprehensive plans to enable removal of any applied patch.

Oracle will not provide Critical Patch Updates for product versions which are no longer covered under the Extended Maintenance Support plan or the Lifetime Support Policy. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain Critical Patch Updates.

Please review the "Extended Support" section within the Technical Support Policies for further guidelines regarding ES and EMS.

References

• Oracle Critical Patch Updates and Security Alerts
• Critical Patch Update - October 2005 FAQ, MetaLink Note 333985.1
• Critical Patch Update - October 2005 as it relates to Oracle Pharmaceutical Applications, MetaLink Note 337522.1
• MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
• Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
• Oracle Critical Patch Update Documentation Map, MetaLink Note 333954.1
• Security Alerts and Critical Patch Updates- Frequently Asked Questions, MetaLink Note 237007.1

Credits

The following people discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle's attention: Brian Carr; Sacha Faust of S.P.I. Dynamics, Inc.; Esteban Martínez Fayó of Application Security, Inc.; Alexander Kornbrust of Red Database Security; Steven Kost of Integrigy Corporation; David Litchfield of NGSS Limited; noderat ratty; Keigo Yamazaki of Little eArth Corporation Co., Ltd.

Modification History

2005-OCT-18	Initial release
2005-DEC-19	Added Database version 10.2.0.1 to Affected Products section and the DB and EM risk matrices. Moved Oracle Workflow to Category I and clarified version numbers. Added Workflow issues to the Database and Application Server Risk Matrices. Removed references to PeopleSoft Enterprise Tools, version 8.1.

• If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Database Vulnerabilities section of this document.
• If a workaround is indicated, the Workarounds, Oracle Database Vulnerabilities section of this document describes the workaround for the Vuln# given above.

Required Conditions, Oracle Database Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Database Vulnerabilities

There are no recommended workarounds for the Oracle Database vulnerabilities described in the Oracle Database Risk Matrix.

• If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Application Server Vulnerabilities section of this document.
• If a workaround is indicated, the Workarounds, Oracle Application Server Vulnerabilities section of this document describes the workaround for the Vuln# given above.

Required Conditions, Oracle Application Server Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Application Server Vulnerabilities There are no recommended workarounds for the Oracle Application Server vulnerabilities described in the Application Server Suite Risk Matrix.

• If further credentials or specific configurations are required to exploit the vulnerability, they will be listed in the Required Conditions, Oracle Collaboration Suite Vulnerabilities section of this document.
• If a workaround is indicated, the Workarounds, Oracle Collaboration Suite Vulnerabilities section of this document describes the workaround for the Vuln# given above.

Note to Oracle Collaboration Suite 10g Release 1, version 10.1.1 Customers

Oracle Collaboration Suite version 10.1.1 is not affected by any of the security vulnerabilites listed in the Oracle Collaboration Suite Risk Matrix However, the products that are bundled with Oracle Collaboration Suite (Oracle Database, Oracle Application Server) are affected by the vulnerabilities, and must be patched according to the Pre-Installation Notes for them.

Required Conditions, Oracle Collaboration Suite Vulnerabilities

No additional conditions are required in order to exploit the listed vulnerabilities.

Workarounds, Oracle Collaboration Suite Vulnerabilities

There are no recommended workarounds for the Oracle Collaboration Suite vulnerabilities described in the Oracle Collaboration Suite Risk Matrix.