=====================================================================
                                    CERT-Renater

                         Note d'Information No. 2007/VULN012
_____________________________________________________________________

DATE                      : 17/01/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Oracle products.

======================================================================

                National Cyber Alert System

           Technical Cyber Security Alert TA07-017A


Oracle Releases Patches for Multiple Vulnerabilities

    Original release date: January 17, 2007
    Last revised: --
    Source: US-CERT


Systems Affected

      * Oracle Database
      * Oracle Application Server
      * Oracle HTTP Server (Apache)
      * Oracle Identity Management
      * Oracle Enterprise Manager Grid Control
      * Oracle E-Business Suite
      * Oracle Collaboration Suite
      * Oracle PeopleSoft Enterprise PeopleTools
      * Oracle Life Sciences Applications (formerly Oracle Pharmaceutical
        Applications)

    For more detailed information regarding affected product versions,
    refer to the Oracle Critical Patch Update - January 2007.


Overview

    Oracle has released patches to address numerous vulnerabilities in
    different Oracle products. The impacts of these vulnerabilities
    include remote execution of arbitrary code, information disclosure,
    and denial of service.


I. Description

    Oracle has released the Critical Patch Update - January 2007.
    According to Oracle, this Critical Patch Update (CPU) contains:

      * 17 new security fixes for the Oracle Database, one of which is for
        Oracle Database client-only installations

      * 9 new security fixes for the Oracle HTTP Server

      * 12 new security fixes for the Oracle Application Server

      * 7 new security fixes for the Oracle E-Business Suite

      * 6 new security fixes for the Oracle Enterprise Manager

      * 3 new security fixes for the Oracle PeopleSoft Enterprise
        PeopleTools

    Many Oracle products include or share code with other vulnerable
    Oracle products and components. Therefore, one vulnerability may
    affect multiple Oracle products and components. For example, the
    January 2007 CPU does not contain any fixes specifically for Oracle
    Collaboration Suite. However, Oracle Collaboration Suite is affected
    by vulnerabilities in Oracle Database and Oracle Application Server,
    so sites running Oracle Collaboration Suite should install fixes for
    Oracle Database and Oracle Application Server. Refer to the January
    2007 CPU for details regarding which vulnerabilities affect specific
    Oracle products and components.

    For a list of publicly known vulnerabilities addressed in the January
    2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert.
    The January 2007 CPU does not associate Vuln# identifiers (e.g., DB01)
    with other available information, even in the Map of Public
    Vulnerability to Advisory/Alert document. As more details about
    vulnerabilities and remediation strategies become available, we will
    update the individual vulnerability notes.


II. Impact

    The impact of these vulnerabilities varies depending on the product,
    component, and configuration of the system. Potential consequences
    include remote execution of arbitrary code or commands, sensitive
    information disclosure, and denial of service. Vulnerable components
    may be available to unauthenticated, remote attackers. An attacker who
    compromises an Oracle database may be able to gain access to sensitive
    information or take complete control of the host system.


III. Solution

Apply patches from Oracle

    Apply the appropriate patches or upgrade as specified in the Critical
    Patch Update - January 2007. Note that this Critical Patch Update only
    lists newly corrected vulnerabilities.

    As noted in the update, some patches are cumulative, others are not:

      The Oracle Database, Oracle Application Server, Oracle Enterprise
      Manager Grid Control, Oracle Collaboration Suite, JD Edwards
      EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise
      Portal Applications and PeopleSoft Enterprise PeopleTools patches
      in the Updates are cumulative; each Critical Patch Update contains
      the fixes from the previous Critical Patch Updates.

      Oracle E-Business Suite and Applications patches are not
      cumulative, so E-Business Suite and Applications customers should
      refer to previous Critical Patch Updates to identify previous fixes
      they want to apply.

    Vulnerabilities described in the January 2007 CPU may affect Oracle
    Database 10g Express Edition (XE). According to Oracle, Oracle
    Database XE is based on the Oracle Database 10g Release 2 code.

    Known issues with Oracle patches are documented in the
    pre-installation notes and patch readme files. Please consult these
    documents and test before making changes to production systems.
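    The following check is an added example for this note and is not part of
    the US-CERT alert or of Oracle's own documentation. On a 10g database the
    CPU readme has the DBA apply a binary patch to the Oracle home and then run
    a post-install script (catcpu.sql) that records the update in
    DBA_REGISTRY_HISTORY; this script assumes that the script ran and wrote a
    row with ACTION = 'CPU' whose COMMENTS value contains the string
    'CPUJan2007' (the exact comment text is an assumption, so compare it with
    the readme for your release before relying on step 3).

```sql
-- Added example (not from the US-CERT or Oracle text): verify that the
-- January 2007 CPU has been registered on an Oracle 10g database.
-- Assumptions: catcpu.sql (per the CPU readme) ran and wrote a row to
-- DBA_REGISTRY_HISTORY with ACTION = 'CPU' and a COMMENTS value naming the
-- update, assumed here to contain 'CPUJan2007'. Run as SYS or as a user
-- with SELECT on the DBA_* views.

-- 1. Confirm the base release: CPU patches are built per release, and a
--    patch for the wrong release will not apply.
SELECT banner
  FROM v$version;

-- 2. List every upgrade/CPU action the database has recorded, oldest first,
--    so that the patch history can be compared with the CPU schedule.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time;

-- 3. Report whether the January 2007 CPU appears in that history.
SELECT CASE
         WHEN COUNT(*) = 0
           THEN 'MISSING: no CPUJan2007 entry in DBA_REGISTRY_HISTORY'
         ELSE 'OK: ' || TO_CHAR(COUNT(*)) || ' CPUJan2007 entry(ies) recorded'
       END AS cpu_jan_2007_status
  FROM dba_registry_history
 WHERE action = 'CPU'
   AND UPPER(comments) LIKE '%CPUJAN2007%';

-- 4. Cross-check the Oracle home inventory from the OS (shell, not SQL):
--      $ORACLE_HOME/OPatch/opatch lsinventory -detail
--    The CPU patch must be listed there too. The binary patch and the
--    catcpu.sql run are two halves of one update; either half on its own
--    leaves part of the fixes unapplied.
```

    Because Database CPUs are cumulative, a database that shows only an
    earlier CPU in step 2 needs just the January 2007 patch set for its
    release; E-Business Suite patches are not cumulative and have to be
    checked against each earlier CPU separately, as the quoted Oracle text
    above states.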


IV. References

      * US-CERT Vulnerability Notes Related to Critical Patch Update -
        January 2007 -
        <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_jan_2007>

      * Critical Patch Update - January 2007 -
        <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html>

      * Critical Patch Updates and Security Alerts -
        <http://www.oracle.com/technology/deploy/security/alerts.htm>

      * Map of Public Vulnerability to Advisory/Alert -
        <http://www.oracle.com/technology/deploy/security/critical-patch-updates/public_vuln_to_advisory_mapping.html>

      * Oracle Database Security Checklist (PDF) -
        <http://www.oracle.com/technology/deploy/security/pdf/twp_security_checklist_db_database.pdf>

      * Critical Patch Update Implementation Best Practices (PDF) -
        <http://www.oracle.com/technology/deploy/security/pdf/cpu_whitepaper.pdf>

      * Oracle Database 10g Express Edition -
        <http://www.oracle.com/technology/products/database/xe/index.html>

      * Details Oracle Critical Patch Update January 2007 -
        <http://www.red-database-security.com/advisory/oracle_cpu_jan_2007.html>

  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA07-017A.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA07-017A Feedback VU#221788" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2007 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
