Oracle has released the October 2009 Critical Patch Update to address multiple security vulnerabilities in Oracle products.
Oracle has released the Critical Patch Update advisory for October 2009. The update contains 38 distinct security fixes for various Oracle products. Many of these fixes address vulnerabilities that an attacker can exploit remotely and without prior authentication. All patches are cumulative except those for the E-Business Suite and the Oracle BEA products. The following Oracle products are affected:
- Oracle Database 9iR2, 10g, 10gR2, and 11g
- Oracle Application Server 10gR2 and 10gR3
- Oracle Business Intelligence Enterprise Edition
- Oracle E-Business Suite Release 11i and 12
- AutoVue
- Agile Engineering Data Management (EDM)
- PeopleSoft PeopleTools & Enterprise Portal
- PeopleSoft Enterprise HCM (TAM)
- JD Edwards Tools
- Oracle WebLogic Server
- Oracle WebLogic Portal
- Oracle JRockit
- Oracle Communications Order and Service Management
The Oracle database products have 16 new vulnerability fixes, of which six can be exploited by an unauthenticated, remote attacker. One of these vulnerabilities affects client-only installations. Oracle Application Server has three new vulnerability fixes, two of which can be exploited without the need for authentication.
Oracle E-Business Suite has eight new vulnerability fixes, of which five can be exploited by an unauthenticated, remote attacker.
PeopleSoft and JD Edwards Suite have four new vulnerabilities, all of which require authentication to exploit.
BEA products contain six vulnerabilities, all of which are exploitable without prior authentication. The vulnerability listed as CVE-2009-3403 in the Oracle announcement actually represents seven vulnerabilities, as announced by Sun for the JRE/JDK. Oracle Communications Order and Service Management contains one vulnerability, but it requires authentication to exploit.