| Threat Type: | IntelliShield: Security Activity Bulletin |
| IntelliShield ID: | 19236 |
| Version: | 1 |
| First Published: | 2009 October 20 21:10 GMT |
| Last Published: | 2009 October 20 21:10 GMT |
| Port: | Not Available |
| CVE: | CVE-2009-0217, CVE-2009-1007, CVE-2009-1018, CVE-2009-1964, CVE-2009-1965, CVE-2009-1971, CVE-2009-1972, CVE-2009-1979, CVE-2009-1985, CVE-2009-1990, CVE-2009-1991, CVE-2009-1992, CVE-2009-1993, CVE-2009-1994, CVE-2009-1995, CVE-2009-1997, CVE-2009-1998, CVE-2009-1999, CVE-2009-2000, CVE-2009-2001, CVE-2009-2002, CVE-2009-2625, CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676, CVE-2009-3392, CVE-2009-3393, CVE-2009-3395, CVE-2009-3396, CVE-2009-3397, CVE-2009-3399, CVE-2009-3400, CVE-2009-3401, CVE-2009-3402, CVE-2009-3403, CVE-2009-3404, CVE-2009-3405, CVE-2009-3406, CVE-2009-3407, CVE-2009-3408, CVE-2009-3409 |
| Urgency: | Unlikely Use |
| Credibility: | Confirmed |
| Severity: | Moderate Damage |
| |
| Version Summary: | Oracle has released the October 2009 Critical Patch Update to address multiple security vulnerabilities in Oracle products. |
| |
Description |
| |
Oracle has released the Critical Patch Update advisory for October 2009. The update contains 38 distinct security fixes for various Oracle products. Many of these fixes address vulnerabilities that an attacker can exploit remotely and without prior authentication. All patches are cumulative except those for the E-Business Suite and the Oracle BEA products. The following Oracle products are affected:
Oracle Database 9iR2, 10g, 10gR2, and 11g
Oracle Application Server 10gR2 and 10gR3
Oracle Business Intelligence Enterprise Edition
Oracle E-Business Suite Release 11i and 12
AutoVue
Agile Engineering Data Management (EDM)
PeopleSoft PeopleTools & Enterprise Portal
PeopleSoft Enterprise HCM (TAM)
JD Edwards Tools
Oracle WebLogic Server
Oracle WebLogic Portal
Oracle JRockit
Oracle Communications Order and Service Management
The Oracle database products have 16 new vulnerability fixes, of which six can be exploited by an unauthenticated, remote attacker. One of these vulnerabilities affects client-only installations. Oracle Application Server has three new vulnerability fixes, two of which can be exploited without the need for authentication.
Oracle E-Business Suite has eight new vulnerability fixes, of which five can be exploited by an unauthenticated, remote attacker.
PeopleSoft and JD Edwards Suite have four new vulnerabilities, all of which require authentication to exploit.
BEA products contain six vulnerabilities, all of which are exploitable without prior authentication. The vulnerability listed as CVE-2009-3403 in the Oracle announcement actually represents seven vulnerabilities, as announced by Sun for the JRE/JDK. Oracle Communications Order and Service Management contains one vulnerability, but it requires authentication to exploit.
Oracle has released a security advisory at the following link: Oracle Critical Patch Update October 2009
Oracle has released patches for registered users at the following link: Oracle |
| |
| Alert History |
| |
Initial Release |
|
Product Sets |
| |
The security vulnerability applies to the following combinations of products.
| Primary Products: |
| Oracle Corporation | Agile Engineering Data Management (EDM) | 6.1 Base |
| Oracle Corporation | AutoVue | 19 .3 |
| Oracle Corporation | JD Edwards Tools | 8.98 Base |
| Oracle Corporation | Oracle9i Database Server | 9.2.0.8 Base | 9.2.0.8DV Base |
| Oracle Corporation | Oracle Application Server 10g | 10.1.2 .3.0 | 10.1.3 .4.0, .5.0 |
| Oracle Corporation | Oracle Business Intelligence Enterprise Edition | 10.1.3 .4.0, .4.1 |
| Oracle Corporation | Oracle Communications Order and Service Management | 2.8.0 Base | 6.2.0 Base | 6.3 .1, Base |
| Oracle Corporation | Oracle Database Server 10g | 10.1 .0.5 | 10.2 .0.3, .0.4 |
| Oracle Corporation | Oracle Database Server 11g | 11.1 .0.7.0 |
| Oracle Corporation | Oracle E-Business Suite | 11i 11.5.10.2 | 12.0 .6 | 12.1 Base |
| Oracle Corporation | PeopleSoft Enterprise HCM (TAM) | 8.9 Base | 9.0 Base |
| Oracle Corporation | PeopleSoft Enterprise PeopleTools | 8.49 .01, .02, .03, .04, .05, .06, .07, .08, .09, .10, .11, .12, .13, .14, Base |
| Oracle Corporation | PeopleSoft Enterprise Portal Solutions | 8.49 Base |
| Oracle Corporation | WebLogic JRockit 6 JDK | 1.4 .2, .2_01, .2_02, .2_03, .2_04, .2_05, .2_06, .2_07, .2_08, .2_09, .2_10, .2_11, .2_12, .2_13, .2_14, .2_15, .2_16, .2_17, .2_18 | 5.0 .0, .0_01, .0_02, .0_03, .0_04, .0_05, .0_06, .0_07, .0_08, .0_09, .0_10, .0_11, .0_12, .0_13, .0_14, .0_15, .0_16, Base | 6.0 .0_01, .0_02, .0_03, .0_04, .0_05, .0_06, .0_07, .0_08, .0_09, .0_10, Base |
| Oracle Corporation | WebLogic Portal | 10.0 Base, MP1 | 10.2 Base, MP1 | 10.3 .1, Base | 8.1 Base, SP1, SP2, SP3, SP4, SP5, SP6 | 9.2 Base, MP1, MP2, MP3 |
| Oracle Corporation | WebLogic Server | 10.0 Base, MP1 | 7.0 Base, SP1, SP2, SP3, SP4, SP5, SP6 | 8.1 Base, SP1, SP2, SP3, SP4, SP5 | 9.0 Base | 9.1 Base | 9.2 Base, MP1, MP2, MP3 |
|
|
LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME. |
|
|