National Cyber Alert System

Technical Cyber Security Alert TA06-109A

Oracle Products Contain Multiple Vulnerabilities

 Original release date: April 19, 2006
 Last revised: --
 Source: US-CERT


Systems Affected

 * Oracle Database 10g
 * Oracle9i Database
 * Oracle8i Database
 * Oracle Enterprise Manager 10g Grid Control
 * Oracle Application Server 10g
 * Oracle Collaboration Suite 10g
 * Oracle9i Collaboration Suite
 * Oracle E-Business Suite Release 11i
 * Oracle E-Business Suite Release 11.0
 * Oracle Pharmaceutical Applications
 * JD Edwards EnterpriseOne, OneWorld Tools
 * Oracle PeopleSoft Enterprise Tools
 * Oracle Workflow
 * Oracle Developer Suite 6i

 For more information regarding affected product versions, please see
 the Oracle Critical Patch Update - April 2006.


Overview

 Oracle products and components are affected by multiple
 vulnerabilities. The impacts of these vulnerabilities include remote
 execution of arbitrary code, information disclosure, and denial of
 service.


I. Description

 Oracle has released Critical Patch Update - April 2006. This update
 addresses more than thirty vulnerabilities in different Oracle
 products and components.

 The Critical Patch Update provides information about affected
 components, access and authorization required, and the impact of the
 vulnerabilities on data confidentiality, integrity, and availability.
 MetaLink customers should refer to MetaLink Note 293956.1 (login
 required) for more information on terms used in the Critical Patch
 Update.

 According to Oracle, none of the vulnerabilities corrected in the
 Oracle Critical Patch Update affect Oracle Database Client-only
 installations.

 The PL/SQL Gateway vulnerability identified as PLSQL01 in the Oracle
 Critical Patch Update corresponds to US-CERT Vulnerability Note
 VU#169164, which includes further details including workarounds.

 In most cases, Oracle does not associate Vuln# identifiers (e.g.,
 DB01) with other available information. As more details about
 vulnerabilities and remediation strategies become available, we will
 update the individual vulnerability notes.


II. Impact

 The impact of these vulnerabilities varies depending on the product,
 component, and configuration of the system. Potential consequences
 include the execution of arbitrary code or commands, information
 disclosure, and denial of service. Vulnerable components may be
 available to unauthenticated, remote attackers. An attacker who
 compromises an Oracle database may be able to gain access to sensitive
 information.


III. Solution

Apply a patch

 Apply the appropriate patches or upgrade as specified in the Oracle
 Critical Patch Update - April 2006. Note that this Critical Patch
 Update only lists newly corrected issues. Updates to patches for
 previously known issues are not listed.

 As noted in the update, some patches are cumulative, others are not:

 The Oracle Database, Oracle Application Server, Oracle Enterprise
 Manager Grid Control, Oracle Collaboration Suite, JD Edwards
 EnterpriseOne and OneWorld Tools, and PeopleSoft Enterprise Portal
 Applications patches in the Updates are cumulative; each successive
 Critical Patch Update contains the fixes from the previous Critical
 Patch Updates.

 Oracle E-Business Suite and Applications patches are not
 cumulative, so E-Business Suite and Applications customers should
 refer to previous Critical Patch Updates to identify previous fixes
 they wish to apply.

 Patches for some platforms and components were not available when the
 Critical Patch Update was published on April 18, 2006. Please see
 MetaLink Note 360465.1 (login required) for more information.

 Known issues with Oracle patches are documented in the
 pre-installation notes and patch readme files. Please consult these
 documents specific to your system before applying patches.


Appendix A. Vendor Information

Oracle

 Please see Oracle Critical Patch Update - April 2006 and Critical
 Patch Updates and Security Alerts.


Appendix B. References

 * US-CERT Vulnerability Note VU#169164 -
 <http://www.kb.cert.org/vuls/id/169164>

 * US-CERT Vulnerability Notes Related to Critical Patch Update -
 April 2006 -
 <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_april_2006>

 * Critical Patch Update - April 2006 -
 <http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html>

 * Critical Patch Updates and Security Alerts -
 <http://www.oracle.com/technology/deploy/security/alerts.htm>

 * Map of Public Vulnerability to Advisory/Alert -
 <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

 * Oracle Database Security Checklist (PDF) -
 <http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

 * MetaLink Note 293956.1 (login required) -
 <http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=293956.1>

 * MetaLink Note 360465.1 (login required) -
 <http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=360465>

 * Details Oracle Critical Patch Update April 2006 -
 <http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html>


 ____________________________________________________________________

 Information used in this document came from Oracle, NGSSoftware, and
 Red-Database-Security.

 Oracle credits the following individuals for providing information
 regarding vulnerabilities addressed in the Critical Patch Update -
 April 2006: Esteban Martinez Fayo of Application Security, Inc.,
 Alexander Kornbrust of Red-Database-Security, David Litchfield of
 NGSSoftware Ltd., and noderat ratty.
 ____________________________________________________________________

 The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA06-109A.html>
 ____________________________________________________________________

 Feedback can be directed to US-CERT Technical Staff. Please send
 email to <cert@cert.org> with "TA06-109A Feedback VU#169164" in the
 subject.
 ____________________________________________________________________

 For instructions on subscribing to or unsubscribing from this
 mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

 Produced 2006 by US-CERT, a government organization.

 Terms of use:

 <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________


Revision History

 Apr 19, 2006: Initial release