Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:17559
HistoryJul 21, 2007 - 12:00 a.m.

US-CERT Technical Cyber Security Alert TA07-200A -- Oracle Releases Patches for Multiple Vulnerabilities

2007-07-2100:00:00
vulners.com
18
JSON

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

                    National Cyber Alert System

            Technical Cyber Security Alert TA07-200A

Oracle Releases Patches for Multiple Vulnerabilities

Original release date: July 19, 2007
Last revised: –
Source: US-CERT

Systems Affected

 * Oracle Database
 * Oracle Application Server
 * Oracle Collaboration Suite
 * Oracle E-Business Suite and Applications
 * Oracle PeopleSoft Enterprise and JD EnterpriseOne

For more detailed information regarding affected product versions,
refer to the Oracle Critical Patch Update - July 2007.

Overview

Oracle has released patches to address numerous vulnerabilities in
different Oracle products. The impacts of these vulnerabilities
include remote execution of arbitrary code, information disclosure,
and denial of service.

I. Description

Oracle has released the Critical Patch Update - July 2007. According
to Oracle, this Critical Patch Update (CPU) includes the following new
security fixes:
* 17 for the Oracle Databases
* 1 for Oracle Internet Directory
* 1 for Oracle Application Express
* 4 for the Oracle Application Server
* 1 for Oracle Collaboration Suite
* 14 for the Oracle E-Business Suite
* 3 for Oracle PeopleSoft Enterprise PeopleTools
* 2 for PeopleSoft Enterprise Customer Relationship Management
* 2 for PeopleSoft Enterprise Human Capital Management

Many Oracle products include or share code with other vulnerable
Oracle products and components. Therefore, one vulnerability may
affect multiple Oracle products and components. Refer to the July 2007
CPU for details regarding which vulnerabilities affect specific Oracle
products and components.

For a list of publicly known vulnerabilities addressed in the July
2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
The July 2007 CPU does not associate Vuln# identifiers (e.g., DB01)
with other available information, even in the Map of Public
Vulnerability to Advisory/Alert document. As more details about
vulnerabilities and remediation strategies become available, we will
update the individual vulnerability notes.

II. Impact

The impact of these vulnerabilities varies depending on the product,
component, and configuration of the system. Potential consequences
include remote execution of arbitrary code or commands, sensitive
information disclosure, and denial of service. Vulnerable components
may be available to unauthenticated, remote attackers. An attacker who
compromises an Oracle database may be able to gain access to sensitive
information or take complete control of the host system.

III. Solution

Apply patches from Oracle

Apply the appropriate patches or upgrade as specified in the Critical
Patch Update - July 2007. Note that this Critical Patch Update only
lists newly corrected vulnerabilities.

As noted in the update, some patches are cumulative, others are not.
Oracle E-Business Suite and Applications patches are not cumulative,
so E-Business Suite and Applications customers should refer to
previous Critical Patch Updates to identify previous fixes they want
to apply.

Vulnerabilities described in the July 2007 CPU may affect Oracle
Database 10g Express Edition (XE). According to Oracle, Oracle
Database XE is based on the Oracle Database 10g Release 2 code.

Known issues with Oracle patches are documented in the
pre-installation notes and patch readme files. Please consult these
documents and test before making changes to production systems.

IV. References

 * US-CERT Vulnerability Notes Related to Critical Patch Update - July 2007 - <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_jul_2007>

 * Critical Patch Update - July 2007 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html>
 
 * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm>
 
 * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>
 
 * Oracle Database Security Checklist (PDF) - <http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

 * Critical Patch Update Implementation Best Practices (PDF) - <http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>
 
 * Oracle Database 10g Express Edition - <http://www.oracle.com/technology/products/database/xe/index.html>
 
 * Details Oracle Critical Patch Update July 2007 - <http://www.red-database-security.com/advisory/oracle_cpu_jul_2007.html>

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA07-200A.html>

Feedback can be directed to US-CERT Technical Staff. Please send
email to <[email protected]> with "TA07-200A Feedback VU#322460" in the
subject.

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html&gt;.

Produced 2007 by US-CERT, a government organization.

Terms of use:

 &lt;http://www.us-cert.gov/legal.html&gt;

Revision History

July 19, 2007: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iQEVAwUBRp/JpfRFkHkM87XOAQL+aAf+LT57XEEdJFo0/rEvLauhqOviaJlUvPez
5pPCcB8GA9BlzNlF4acoIR8QxMqtGg2MVG/uSk6XPTK2CVKDKcBPmsp6iQxMbPCF
Xz7iCuET++IcyUbIi7pMXaJIl6qCZKb8irhH11Z6IwAWjPkrsVv82wz4yCP+APEe
+ANt4e/byziJ7AySg6WR/Rzpi+nedjLicpjfUilkQhRiXs6k9x5dUON4pPNU7DUV
PeTZ3zccEVBvcr/t6YCzZ+yIzLZiAzVghH7SNbgDYv+NRboCjNOu95MniA8Oz2ED
xNOf/wbFj7LMUsmza7u8kTaywUHOyR7LQ9mANsuHJb3n4Ug9/SAVdQ==
=FFpC
-----END PGP SIGNATURE-----

JSON