Wednesday, April 20, 2011

Security Alert (A11-04-04): Multiple Vulnerabilities in Oracle Products (April 2011)

Affected Systems:
Database
  • Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2
  • Oracle Database 11g Release 1, version 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
  • Oracle Database 10g Release 1, version 10.1.0.5
Fusion Middleware
  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.2.0, 11.1.1.3.0, 11.1.1.4.0
  • Oracle Application Server 10g Release 2, version 10.1.2.3.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0
  • Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
  • Oracle JRockit, versions R27.6.8 and earlier (JDK/JRE 1.4.2, 5, 6), R28.1.1 and earlier (JDK/JRE 5, 6)
  • Oracle Outside In Technology, versions 8.3.2.0, 8.3.5.0
  • Oracle WebLogic Server, versions 8.1.6, 9.2.3, 9.2.4, 10.0.2, 11gR1 (10.3.2, 10.3.3, 10.3.4)
E-Business Suite
  • Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.1, 12.1.2, 12.1.3
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle Supply Chain
  • Oracle Agile Technology Platform, versions 9.3.0.2, 9.3.1
PeopleSoft
  • Oracle PeopleSoft Enterprise CRM, version 8.9
  • Oracle PeopleSoft Enterprise ELS, versions 9.0, 9.1
  • Oracle PeopleSoft Enterprise HRMS, versions 9.0, 9.1
  • Oracle PeopleSoft Enterprise Portal, versions 8.8, 8.9, 9.0, 9.1
  • Oracle PeopleSoft Enterprise People Tools, versions 8.49, 8.50, 8.51
JD Edwards
  • Oracle JD Edwards OneWorld Tools, version 24.1.x
  • Oracle JD Edwards EnterpriseOne Tools, version 8.98.x
Siebel
  • Oracle Siebel CRM Core, versions 7.8.2, 8.0.0, 8.1.1
Health Sciences Applications
  • Oracle InForm, versions 4.5, 4.6, 5.0
Oracle Sun Product Suite
  • Oracle Sun Product Suite
  • Oracle Open Office, version 3 and StarOffice/StarSuite, versions 7, 8
Summary:
Oracle has released Critical Patch Updates with collections of patches for 73 security vulnerabilities found in various Oracle products and Oracle Sun products.
Patches for Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools, Siebel Enterprise, Oracle Industry Applications and Oracle VM are cumulative.
Impact:
Depending on the vulnerability exploited, a successful attack could lead to denial of service, access to sensitive information, or taking complete control of an affected system.
Recommendation:
Patches for affected systems are available. Users of the affected systems should follow the recommendations provided by the product vendor and take immediate action to mitigate the risk. For detailed information on the patches, please refer to the section "Patch Availability Table and Risk Matrices" of the corresponding security advisory at the vendor's website:
  • http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
Users may contact their product support vendors for the fixes and assistance.
DITSOs (or your delegates) are also requested to inform the relevant system administrators and end users as appropriate about this issue.
More Information:
More information about the vulnerabilities is available at:
  • http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
  • http://www.us-cert.gov/current/index.html#oracle_critical_patch_update_pre1
  • http://www.kb.cert.org/vuls/id/520721
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3555
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3450
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3451
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3452
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3453
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3454
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-3689
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4253
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4452
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4476
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4643
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0411
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0412
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0785
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0787
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0789
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0790
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0791
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0792
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0793
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0794
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0795
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0796
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0797
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0798
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0799
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0800
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0801
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0803
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0804
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0805
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0806
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0807
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0808
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0809
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0810
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0812
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0813
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0818
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0819
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0820
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0821
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0823
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0824
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0825
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0826
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0827
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0828
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0829
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0833
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0834
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0836
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0837
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0839
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0840
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0841
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0843
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0844
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0846
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0847
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0849
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0850
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0851
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0853
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0854
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0855
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0856
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0857
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0858
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0859
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0860
  • http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0861