Security Activity Bulletin

Oracle Critical Patch Update October 2009

Threat Type: IntelliShield: Applied Mitigation Bulletin
IntelliShield ID: 19236
Version: 1
First Published: 2009 October 20 21:10 GMT
Last Published: 2009 October 20 21:10 GMT
Port: Not available
CVE:CVE-2009-0217 , CVE-2009-1007 , CVE-2009-1018 , CVE-2009-1964 , CVE-2009-1965 , CVE-2009-1971 , CVE-2009-1972 , CVE-2009-1979 , CVE-2009-1985 , CVE-2009-1990 , CVE-2009-1991 , CVE-2009-1992 , CVE-2009-1993 , CVE-2009-1994 , CVE-2009-1995 , CVE-2009-1997 , CVE-2009-1998 , CVE-2009-1999 , CVE-2009-2000 , CVE-2009-2001 , CVE-2009-2002 , CVE-2009-2625 , CVE-2009-2670 , CVE-2009-2671 , CVE-2009-2672 , CVE-2009-2673 , CVE-2009-2674 , CVE-2009-2675 , CVE-2009-2676 , CVE-2009-3392 , CVE-2009-3393 , CVE-2009-3395 , CVE-2009-3396 , CVE-2009-3397 , CVE-2009-3399 , CVE-2009-3400 , CVE-2009-3401 , CVE-2009-3402 , CVE-2009-3403 , CVE-2009-3404 , CVE-2009-3405 , CVE-2009-3406 , CVE-2009-3407 , CVE-2009-3408 , CVE-2009-3409
Urgency: Unlikely Use
Credibility: Confirmed
Severity: Moderate Damage

Version Summary:

Oracle has released the October 2009 Critical Patch Update to address multiple security vulnerabilities in Oracle products.

Description

Oracle has released the Critical Patch Update advisory for October 2009. The update contains 38 distinct security fixes for various Oracle products. Many of these fixes address vulnerabilities that an attacker can exploit remotely and without prior authentication. All patches are cumulative except those for the E-Business Suite and the Oracle BEA products. The following Oracle products are affected:

Oracle Database 9iR2, 10g, 10gR2, and 11g
Oracle Application Server 10gR2, and 10gR3
Oracle Business Intelligence Enterprise Edition
Oracle E-Business Suite Release 11i and 12
AutoVue
Agile Engineering Data Management (EDM)
PeopleSoft PeopleTools & Enterprise Portal
PeopleSoft Enterprise HCM (TAM)
JD Edwards Tools
Oracle WebLogic Server
Oracle WebLogic Portal
Oracle JRockit
Oracle Communications Order and Service Management

The Oracle database products have 16 new vulnerability fixes, of which six can be exploited by an unauthenticated, remote attacker. One of these vulnerabilities affects client-only installations. Oracle Application Server has three new vulnerability fixes, two of which can be exploited without the need for authentication.

Oracle E-Business Suite has eight new vulnerability fixes, of which five can be exploited by an unauthenticated, remote attacker.

PeopleSoft and JD Edwards Suite have four new vulnerabilities, all of which require authentication to exploit.

BEA products contain six vulnerabilities, all of which are exploitable without prior authentication. The vulnerability listed as CVE-2009-3403 in the Oracle announcement actually represents seven vulnerabilities, as announced by Sun for the JRE/JDK. Oracle Communications Order and Service Management contains one vulnerability, but it requires authentication to exploit.

Oracle has released a security advisory at the following link: Oracle Critical Patch Update October 2009

Oracle has released patches for registered users at the following link: Oracle

Alert History

Initial Release



Product Sets

The security vulnerabilities apply to the following combinations of products.

Primary Products:
Oracle Corporation Agile Engineering Data Management (EDM) 6.1 Base
Oracle Corporation AutoVue 19 .3
Oracle Corporation JD Edwards Tools 8.98 Base
Oracle Corporation Oracle Application Server 10g 10.1.2 .3.0 | 10.1.3 .4.0, .5.0
Oracle Corporation Oracle Business Intelligence Enterprise Edition 10.1.3 .4.0, .4.1
Oracle Corporation Oracle Communications Order and Service Management 2.8.0 Base | 6.2.0 Base | 6.3 Base, .1
Oracle Corporation Oracle Database Server 10g 10.1 .0.5 | 10.2 .0.3, .0.4
Oracle Corporation Oracle Database Server 11g 11.1 .0.7.0
Oracle Corporation Oracle E-Business Suite 11i 11.5.10.2 | 12.0 .6 | 12.1 Base
Oracle Corporation Oracle9i Database Server 9.2.0.8 Base | 9.2.0.8DV Base
Oracle Corporation PeopleSoft Enterprise HCM (TAM) 8.9 Base | 9.0 Base
Oracle Corporation PeopleSoft Enterprise PeopleTools 8.49 Base, .01, .02, .03, .04, .05, .06, .07, .08, .09, .10, .11, .12, .13, .14
Oracle Corporation PeopleSoft Enterprise Portal Solutions 8.49 Base
Oracle Corporation WebLogic JRockit 6 JDK 1.4 .2, .2_01, .2_02, .2_03, .2_04, .2_05, .2_06, .2_07, .2_08, .2_09, .2_10, .2_11, .2_12, .2_13, .2_14, .2_15, .2_16, .2_17, .2_18 | 5.0 Base, .0, .0_01, .0_02, .0_03, .0_04, .0_05, .0_06, .0_07, .0_08, .0_09, .0_10, .0_11, .0_12, .0_13, .0_14, .0_15, .0_16 | 6.0 Base, .0_01, .0_02, .0_03, .0_04, .0_05, .0_06, .0_07, .0_08, .0_09, .0_10
Oracle Corporation WebLogic Portal 8.1 Base, SP1, SP2, SP3, SP4, SP5, SP6 | 9.2 Base, MP1, MP2, MP3 | 10.0 Base, MP1 | 10.2 Base, MP1 | 10.3 Base, .1
Oracle Corporation WebLogic Server 7.0 Base, SP1, SP2, SP3, SP4, SP5, SP6 | 8.1 Base, SP1, SP2, SP3, SP4, SP5 | 9.0 Base | 9.1 Base | 9.2 Base, MP1, MP2, MP3 | 10.0 Base, MP1

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.

