Oracle Products Contain Multiple Vulnerabilities
- Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle Application Server only)
- Oracle9i Database Server Release 2, versions 184.108.40.206, 220.127.116.11
- Oracle9i Database Server Release 1, versions 18.104.22.168, 22.214.171.124, 9.0.4 (126.96.36.199 FIPS) (all of which are supported for Oracle Application Server only)
- Oracle8i Database Server Release 3, version 188.8.131.52
- Oracle Application Server 10g Release 2 (10.1.2)
- Oracle Application Server 10g (9.0.4), versions 184.108.40.206, 220.127.116.11
- Oracle9i Application Server Release 2, versions 18.104.22.168, 22.214.171.124
- Oracle9i Application Server Release 1, version 126.96.36.199
- Oracle Collaboration Suite Release 2, versions 188.8.131.52, 184.108.40.206
- Oracle E-Business Suite and Applications Release 11i, versions 11.5.0 through 11.5.10
- Oracle E-Business Suite and Applications Release 11.0
- Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
- Oracle Enterprise Manager versions 220.127.116.11, 18.104.22.168
- PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
- PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher
Various Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include unauthenticated, remote code execution, information disclosure, and denial of service.
Oracle released a Critical Patch Update in April that addresses more than seventy vulnerabilities in different Oracle products and components. The Critical Patch Update provides information about which components are affected, what access and authorization are required, and how data confidentiality, integrity, and availability may be impacted.
US-CERT strongly recommends that sites running Oracle review the Critical Patch Update, apply patches, and take other mitigating action as appropriate.
Oracle HTTP Server is based on the Apache HTTP Server. According to Oracle, the Critical Patch Update addresses a number of previously disclosed Apache vulnerabilities. Oracle Database Client-only installations are not affected.
The impacts of these vulnerabilities vary depending on product or component and configuration. Potential consequences include remote execution of arbitrary code or commands, information disclosure, and denial of service. An attacker who compromises an Oracle database may be able to gain access to sensitive information.
Apply a patch
Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update - April 2005. The update notes that some Oracle patches are cumulative while others are not:
The Oracle Database Server, Enterprise Manager, and the Oracle Application Server patches for this Critical Patch Update are cumulative, and contain all the fixes from the previous Critical Patch Update.
E-Business Suite patches are not cumulative, so E-Business Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.
Oracle Collaboration Suite patches are not cumulative, so Oracle Collaboration Suite customers should refer to previous Critical Patch Updates to identify previous fixes they wish to apply.
It may be possible to mitigate some vulnerabilities by disabling or removing unnecessary components and restricting network access. Revoking PUBLIC EXECUTE privileges from vulnerable stored procedures may reduce the impact of SQL injection vulnerabilities (VU#982109). For more specific workarounds please see the individual Vulnerability Notes.
Oracle Critical Patch Update - April 2005 contains a workaround for a vulnerability in PeopleSoft.
Appendix A. Vendor Information
Appendix B. References
- Critical Patch Update - April 2005 (PDF)- http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf>
- Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm>
- Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
- Comments on Oracle Critical Patch Update April 2005 - http://www.red-database-security.com/wp/comments_oracle_cpu_april_2005_us.pdf>
- NGSSoftware Oracle Database vulnerabilities - http://www.ngssoftware.com/advisories/oracle-03.txt>
- US-CERT Vulnerability Note VU#948486 - http://www.kb.cert.org/vuls/id/948486>
- US-CERT Vulnerability Note VU#982109 - http://www.kb.cert.org/vuls/id/982109>
Thanks to Alexander Kornbrust of Red-Database-Security GmbH. Information used in this document came from Red-Database-Security and Oracle. Oracle credits NGS Software Ltd., Integrigy, and Application Security, Inc.
Feedback can be directed to the authors: Art Manion and Jeff Gennari.
April 27, 2005: Initial release