Alert GCSA-10004 - Oracle Critical Patch Update (January 2010)
******************************************************************
Alert ID : GCSA-10004
Date : 14 January 2010
Title : Oracle Critical Patch Update (January 2010)
******************************************************************
:: Problem description
Oracle has released a Critical Patch Update for
January 2010. This update is a collection of patches
intended to fix security and non-security defects
present in various Oracle products.
:: Affected software
Oracle Database 11g, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
Oracle Database 10g, version 10.1.0.5
Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5, 10.1.3.5.1
Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
Oracle Access Manager versions 7.0.4.3, 10.1.4.2
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
Oracle E-Business Suite Release 11i, version 11.5.10.2
PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0
Oracle WebLogic Server 10.0 through MP2, 10.3.0 and 10.3.1
Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3
Oracle WebLogic Server 8.1 through 8.1 SP6
Oracle WebLogic Server 7.0 through 7.0 SP7
Oracle JRockit R27.6.5 and earlier (JDK/JRE 6, 5, 1.4.2)
Primavera P6 Enterprise Project Portfolio Management 6.1, 6.2.1 and 7.0
Primavera P6 Web Services 6.2.1, 7.0 and 7.0SP1
:: Impact
SQL injection attacks
Remote execution of arbitrary code
Exposure of sensitive information
Denial of Service
The impact of these vulnerabilities varies depending on the system
configuration and on the product or component considered.
:: Solutions
Apply the appropriate patches or perform the appropriate
upgrade according to the instructions released by Oracle
(see the link in the References)
:: References
Oracle Critical Patch Updates and Security Alerts
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
http://www.oracle.com/technology/deploy/security/alerts.htm
US-CERT
http://www.us-cert.gov/cas/techalerts/TA10-012A.html
SecurityFocus
http://www.securityfocus.com/bid/37731
http://www.securityfocus.com/bid/37735
http://www.securityfocus.com/bid/37740
Mitre's CVE ID
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3410
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3411
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3412
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3413
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3414
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3415
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-3416
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0067
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0068
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0070
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0071
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0072
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0074
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0075
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0076
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0077
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0078
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0079
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-0080
Vupen Security
http://www.vupen.com/english/advisories/2010/0102