U.S. Flag Official website of the Department of Homeland Security

Note: This page is part of the us-cert.gov archive.This document is part of the US-CERT website archive. These documents are no longer updated and may contain outdated information. Links may also no longer function. Please contact info@us-cert.gov if you have any questions about the US-CERT website archive.

TLP:WHITE

Alert (TA07-200A)

Oracle Releases Patches for Multiple Vulnerabilities

Original release date: July 19, 2007

Systems Affected

  • Oracle Database
  • Oracle Application Server
  • Oracle Collaboration Suite
  • Oracle E-Business Suite and Applications
  • Oracle PeopleSoft Enterprise and JD EnterpriseOne
For more detailed information regarding affected product versions, refer to the Oracle Critical Patch Update - July 2007.

Overview

Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Description

Oracle has released the Critical Patch Update - July 2007. According to Oracle, this Critical Patch Update (CPU) includes the following new security fixes:

  • 17 for the Oracle Databases
  • 1 for Oracle Internet Directory
  • 1 for Oracle Application Express
  • 4 for the Oracle Application Server
  • 1 for Oracle Collaboration Suite
  • 14 for the Oracle E-Business Suite
  • 3 for Oracle PeopleSoft Enterprise PeopleTools
  • 2 for PeopleSoft Enterprise Customer Relationship Management
  • 2 for PeopleSoft Enterprise Human Capital Management

Many Oracle products include or share code with other vulnerable Oracle products and components. Therefore, one vulnerability may affect multiple Oracle products and components. Refer to the July 2007 CPU for details regarding which vulnerabilities affect specific Oracle products and components.

For a list of publicly known vulnerabilities addressed in the July 2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert. The July 2007 CPU does not associate Vuln# identifiers (e.g., DB01) with other available information, even in the Map of Public Vulnerability to Advisory/Alert document. As more details about vulnerabilities and remediation strategies become available, we will update the individual vulnerability notes.

Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include remote execution of arbitrary code or commands, sensitive information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information or take complete control of the host system.

Solution

Apply patches from Oracle

Apply the appropriate patches or upgrade as specified in the Critical Patch Update - July 2007. Note that this Critical Patch Update only lists newly corrected vulnerabilities.

As noted in the update, some patches are cumulative, others are not.

Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply.

Vulnerabilities described in the July 2007 CPU may affect Oracle Database 10g Express Edition (XE). According to Oracle, Oracle Database XE is based on the Oracle Database 10g Release 2 code.

Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents and test before making changes to production systems.


References

Revision History

  • July 19, 2007: Initial release
    July 19, 2007: Fixed feedback link

This product is provided subject to this Notification and this Privacy & Use policy.

Was this document helpful?  Yes  |  Somewhat  |  No

Back to Top