Oracle has released the Critical Patch Update advisory for October 2009. The update contains 38 distinct security fixes for various Oracle products. Many of these fixes address vulnerabilities that an attacker can exploit remotely without prior authentication. All patches are cumulative except those for the Oracle E-Business Suite and the Oracle BEA products, which must be applied individually. The following Oracle products are affected:
Oracle Database 9iR2, 10g, 10gR2, and 11g
Oracle Application Server 10gR2 and 10gR3
Oracle Business Intelligence Enterprise Edition
Oracle E-Business Suite Release 11i and 12
AutoVue
Agile Engineering Data Management (EDM)
PeopleSoft PeopleTools and Enterprise Portal
PeopleSoft Enterprise HCM (TAM)
JD Edwards Tools
Oracle WebLogic Server
Oracle WebLogic Portal
Oracle JRockit
Oracle Communications Order and Service Management
The Oracle Database products have 16 new vulnerability fixes, six of which address vulnerabilities that an unauthenticated, remote attacker can exploit. One of these vulnerabilities affects client-only installations, so database clients must be patched as well as servers. Oracle Application Server has three new vulnerability fixes, two of which address vulnerabilities that can be exploited without authentication.
Oracle E-Business Suite has eight new vulnerability fixes, of which five can be exploited by an unauthenticated, remote attacker.
The PeopleSoft and JD Edwards products have four new vulnerability fixes, all of which address vulnerabilities that require authentication to exploit.
The Oracle BEA products (WebLogic Server, WebLogic Portal, and JRockit) have six new vulnerability fixes, all of which address vulnerabilities that can be exploited without prior authentication. The entry listed as CVE-2009-3403 in the Oracle announcement actually covers seven vulnerabilities, as announced by Sun for the JRE/JDK bundled with these products. Oracle Communications Order and Service Management has one new vulnerability fix, but the vulnerability requires authentication to exploit.
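Because the database fixes are cumulative, the quickest way to confirm that a 10g or 11g instance has picked up this update is to look at the patch registry the CPU's SQL step writes to. The queries below are an added example and are not part of the Cisco alert or of Oracle's advisory; they assume that applying the database CPU records an APPLY row in DBA_REGISTRY_HISTORY whose COMMENTS value is 'CPUOct2009', and that the caller has SELECT on that view (for example SYS or a DBA account).

```sql
-- Added example, not from the Cisco alert or Oracle's advisory.
-- Assumption: the October 2009 database CPU registers itself in
-- DBA_REGISTRY_HISTORY with ACTION = 'APPLY' and COMMENTS = 'CPUOct2009'.
-- Run as SYS or another account with SELECT on DBA_REGISTRY_HISTORY.

-- 1. Full patch history for the instance, oldest first, so a reviewer
--    can see which CPUs (and any later PSUs) have been applied.
SELECT action_time,
       action,
       namespace,
       version,
       id,
       comments
  FROM dba_registry_history
 ORDER BY action_time;

-- 2. Single-row pass/fail check for this specific CPU, suitable for
--    scripting across many instances.
SELECT CASE
         WHEN COUNT(*) = 0 THEN 'October 2009 CPU NOT registered'
         ELSE 'October 2009 CPU registered'
       END AS cpu_oct2009_status
  FROM dba_registry_history
 WHERE action   = 'APPLY'
   AND comments = 'CPUOct2009';
```

Two caveats: DBA_REGISTRY_HISTORY only reflects the SQL portion of the patch, so the binary side should be cross-checked with `opatch lsinventory` in the Oracle home, and this check covers the database only; the Application Server, E-Business Suite, PeopleSoft, and BEA fixes in this advisory are tracked separately.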
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.
A standalone copy or paraphrase of the text of this document that omits the distribution URL is an uncontrolled copy and may lack important information or contain factual errors. The information in this document is intended for end users of Cisco products
Cisco Multivendor Vulnerability Alerts respond to vulnerabilities identified in third-party vendors' products. These alerts contain information compiled from diverse sources and provide comprehensive technical descriptions, objective analytical assessments, workarounds and practical safeguards, and links to vendor advisories and patches.