- Oracle Database
- Oracle Application Server
- Oracle Secure Enterprise Search
- Oracle Enterprise Manager
- Oracle Collaboration Suite
- Ultra Search component
- Oracle E-Business Suite
- JD Edwards EnterpriseOne Tools
Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
Oracle has released the Critical Patch Update - April 2007. According to Oracle, this Critical Patch Update (CPU) includes:
- 13 new security fixes for the Oracle Databases
- 1 new security fix for Oracle Secure Enterprise Search
- 1 new security fix for Oracle Enterprise Manager
- 1 new security fix for Oracle Workflow Cartridge
- 1 new security fix for the Ultra Search component
Many Oracle products include or share code with other vulnerable Oracle products and components. Therefore, one vulnerability may affect multiple Oracle products and components. Refer to the April 2007 CPU for details regarding which vulnerabilities affect specific Oracle products and components.
As of April 18, 2007, updates for Oracle Vuln#s DB01 and DB03 are not available. These vulnerabilities affect Oracle Database 220.127.116.11 on the Windows platform only.
For a list of publicly known vulnerabilities addressed in the April 2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert. The April 2007 CPU does not associate Vuln# identifiers (e.g., DB01) with other available information, even in the Map of Public Vulnerability to Advisory/Alert document. As more details about vulnerabilities and remediation strategies become available, we will update the individual vulnerability notes.
The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include remote execution of arbitrary code or commands, sensitive information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information or take complete control of the host system.
Apply patches from Oracle
Apply the appropriate patches or upgrade as specified in the Critical Patch Update - April 2007. Note that this Critical Patch Update only lists newly corrected vulnerabilities.
As noted in the update, some patches are cumulative, others are not:
The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle Collaboration Suite, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications and PeopleSoft Enterprise PeopleTools patches in the Updates are cumulative; each Critical Patch Update contains the fixes from the previous Critical Patch Updates.
Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply.
Vulnerabilities described in the April 2007 CPU may affect Oracle Database 10g Express Edition (XE). According to Oracle, Oracle Database XE is based on the Oracle Database 10g Release 2 code.
Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents and test before making changes to production systems.
- US-CERT Vulnerability Notes Related to Critical Patch Update - April 2007 - http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_apr_2007
- Critical Patch Update - April 2007 - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
- Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm
- Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html
- Oracle Database Security Checklist (PDF) - http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf
- Critical Patch Update Implementation Best Practices (PDF) - http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf
- Oracle Database 10g Express Edition - http://www.oracle.com/technology/products/database/xe/index.html
- Details Oracle Critical Patch Update April 2007 - http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html
April 18, 2007: Initial release