=====================================================================
                                  CERT-Renater

                       Note d'Information No. 2005/VULN437
_____________________________________________________________________

DATE                      : 07/07/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Oracle Database,
                                 Oracle Application Server,
                                 Oracle Collaboration Suite
                                 Oracle E-Business Suite,
                                 Oracle Enterprise Manager Grid,
                                 Oracle PeopleSoft Applications.

======================================================================

                 Technical Cyber Security Alert TA05-117A

             Oracle Products Contain Multiple Vulnerabilities

    Original release date: April 27, 2005
    Last revised: --
    Source: US-CERT


Systems Affected

    From the Oracle Critical Patch Update - April 2005:

      * Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3,
        10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle
        Application Server only)
      * Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
      * Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
        9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle
        Application Server only)
      * Oracle8i Database Server Release 3, version 8.1.7.4
      * Oracle Application Server 10g Release 2 (10.1.2)
      * Oracle Application Server 10g (9.0.4), versions 9.0.4.0,
        9.0.4.1
      * Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
      * Oracle9i Application Server Release 1, version 1.0.2.2
      * Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
      * Oracle E-Business Suite and Applications Release 11i, versions
        11.5.0 through 11.5.10
      * Oracle E-Business Suite and Applications Release 11.0
      * Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2,
        10.1.0.3
      * Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
      * PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
      * PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher


Overview

    Various Oracle products and components are affected by multiple
    vulnerabilities. The impacts of these vulnerabilities include
    unauthenticated, remote code execution, information disclosure, and
    denial of service.


I. Description

    Oracle released a Critical Patch Update in April that addresses
    more than seventy vulnerabilities in different Oracle products and
    components. The Critical Patch Update provides information about
    which components are affected, what access and authorization are
    required, and how data confidentiality, integrity, and availability
    may be impacted.

    US-CERT strongly recommends that sites running Oracle review the
    Critical Patch Update, apply patches, and take other mitigating
    action as appropriate.

    Oracle HTTP Server is based on the Apache HTTP Server. According to
    Oracle, the Critical Patch Update addresses a number of previously
    disclosed Apache vulnerabilities. Oracle Database Client-only
    installations are not affected.

    US-CERT is tracking all of these issues under VU#948486. As further
    information becomes available, we will publish individual
    Vulnerability Notes.


II. Impact

    The impacts of these vulnerabilities vary depending on product or
    component and configuration. Potential consequences include remote
    execution of arbitrary code or commands, information disclosure,
    and denial of service. An attacker who compromises an Oracle
    database may be able to gain access to sensitive information.


III. Solution

Apply a patch

    Apply the appropriate patches or upgrade as specified in the Oracle
    Critical Patch Update - April 2005. The update notes that some
    Oracle patches are cumulative while others are not:

      The Oracle Database Server, Enterprise Manager, and the Oracle
      Application Server patches for this Critical Patch Update are
      cumulative, and contain all the fixes from the previous Critical
      Patch Update.
      ...

      E-Business Suite patches are not cumulative, so E-Business Suite
      customers should refer to previous Critical Patch Updates to
      identify previous fixes they wish to apply.

      Oracle Collaboration Suite patches are not cumulative, so Oracle
      Collaboration Suite customers should refer to previous Critical
      Patch Updates to identify previous fixes they wish to apply.

Workarounds

    It may be possible to mitigate some vulnerabilities by disabling or
    removing unnecessary components and restricting network access.
    Revoking PUBLIC EXECUTE privileges from vulnerable stored
    procedures may reduce the impact of SQL injection vulnerabilities
    (VU#982109).  For more specific workarounds please see the
    individual Vulnerability Notes.

    Oracle Critical Patch Update - April 2005 contains a workaround for a
    vulnerability in PeopleSoft.


Appendix A. Vendor Information

Oracle

    Please see Oracle Critical Patch Update - April 2005 and Critical
    Patch Updates and Security Alerts.


Appendix B. References

      * Critical Patch Update - April 2005 -
        <http://www.oracle.com/technology/deploy/security/pdf/
        cpuapr2005.pdf>

      * Critical Patch Updates and Security Alerts -
        <http://www.oracle.com/technology/deploy/security/alerts.htm>

      * Map of Public Vulnerability to Advisory/Alert -
        <http://www.oracle.com/technology/deploy/security/pdf/
        public_vuln_to_advisory_mapping.html>

      * Comments on Oracle Critical Patch Update April 2005 -
        <http://www.red-database-security.com/wp/
        comments_oracle_cpu_april_2005_us.pdf>

      * NGSSoftware Oracle Database vulnerabilities -
        <http://www.ngssoftware.com/advisories/oracle-03.txt>

      * US-CERT Vulnerability Note VU#948486 -
        <http://www.kb.cert.org/vuls/id/948486>

      * US-CERT Vulnerability Note VU#982109 -
        <http://www.kb.cert.org/vuls/id/982109>

      _________________________________________________________________

    Thanks to Alexander Kornbrust of Red-Database-Security GmbH.
    Information used in this document came from Red-Database-Security and
    Oracle. Oracle credits NGS Software Ltd., Integrigy, and Application
    Security, Inc.
      _________________________________________________________________

    Feedback can be directed to the authors: Art Manion and Jeff Gennari.

    Send mail to <cert@cert.org>.

    Please include the Subject line "TA04-315A Feedback VU#948486".
      _________________________________________________________________

    Copyright 2005 Carnegie Mellon University.

    Terms of use:  <http://www.us-cert.gov/legal.html>
      _________________________________________________________________

    The most recent version of this document is available at:

    <http://www.us-cert.gov/cas/techalerts/TA05-117A.html>
      _________________________________________________________________


Revision History

    April 27, 2005: Initial release

======================================================================

         =========================================================
         Les serveurs de référence du CERT-Renater
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================