Oracle January 2008 CPU Patch Analysis
Posted on February 12th, 2008

The Oracle January 2008 CPU patch seems to be impacting quite a few Oracle products, and the CVSS scores for some of the vulnerabilities are fairly high. However, based on an analysis of all the CPU notes, here are the general recommendations:
- Database Servers
a. Impacted Versions
· Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
· Oracle Database 10g, version 10.1.0.5
· Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
Note: Oracle does not issue patches for unsupported database server versions
b. Summary of Vulnerabilities
· 8 new vulnerabilities
· 0 remotely exploitable without authentication (Critical)
· XML DB vulnerability with CVSS score 6.5
c. Patching Recommendations
i. Apply patches to the critical production databases that run XML DB immediately. (Medium Priority)
ii. Apply patches to all other (non-critical) databases within 6 months. (Lower Priority)
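The database recommendation above hinges on two facts about each instance: its exact version (is it on the impacted list?) and whether XML DB is installed (does it fall in the "patch immediately" group?). The following triage query is an added example for this post, not something from Oracle or the original write-up. It assumes a DBA-level account on a 10g database, that XML DB is registered in DBA_REGISTRY under COMP_ID 'XDB', and that DBA_REGISTRY_HISTORY exists and is populated by the CPU post-install script when a CPU is applied.

```sql
-- Added triage example (not from the original post).
-- Assumptions: DBA privileges; COMP_ID 'XDB' = Oracle XML Database in DBA_REGISTRY;
-- DBA_REGISTRY_HISTORY is present and records applied CPUs with ACTION = 'CPU'.

-- 1. Version and priority bucket for this instance.
--    Compare VERSION against the impacted list in the post
--    (10.2.0.2 / 10.2.0.3, 10.1.0.5, 9.2.0.8). A VALID XDB component puts the
--    database in the "patch immediately" group; otherwise it is lower priority.
SELECT i.instance_name,
       i.version,
       CASE
         WHEN EXISTS (SELECT 1
                        FROM dba_registry r
                       WHERE r.comp_id = 'XDB'
                         AND r.status  = 'VALID')
           THEN 'Medium priority: XML DB installed, apply Jan 2008 CPU now'
         ELSE 'Lower priority: no XML DB, apply CPU within 6 months'
       END AS recommendation
  FROM v$instance i;

-- 2. Supporting detail: the registered state of the XML DB component.
SELECT comp_id, comp_name, version, status
  FROM dba_registry
 WHERE comp_id = 'XDB';

-- 3. Which Critical Patch Updates are already recorded for this database?
--    No rows with ACTION = 'CPU' means no CPU has been registered here, so the
--    January 2008 patch set still needs to be applied.
SELECT action_time, action, version, id, comments
  FROM dba_registry_history
 WHERE action = 'CPU'
 ORDER BY action_time DESC;
```

Run the three statements from SQL*Plus against each database in the estate and feed the RECOMMENDATION column into the patching schedule; a database that shows XDB as VALID but has no CPU rows in the history view is the combination to schedule first.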
- Oracle Application Server
a. Impacted Versions
· Oracle Application Server 10g (9.0.4), version 9.0.4.3 to 10.1.3.3
Note: Oracle does not issue patches for the unsupported versions
b. Summary of Vulnerabilities
· 6 new vulnerabilities
· 5 remotely exploitable without authentication (Critical)
· Impacting components: JInitiator, Oracle Forms, OID
c. Patching Recommendations
i. Any Oracle Forms application needs to be patched immediately with the JInitiator patch (Medium Priority).
ii. All other impacted internal Oracle Application Server instances need to be patched within 6 months. (Lower Priority)
- Oracle E-Business Suite
a. Impacted Versions
· Oracle E-Business Suite Release 11i, versions 11.5.8 – 11.5.10 CU2
· Oracle E-Business Suite Release 12, versions 12.0.0 – 12.0.3
Note: Oracle does not issue patches for the unsupported versions
b. Summary of Vulnerabilities
· Important: Oracle security patch support for E-Business Suite 11.5.8 expires, and support for 11.5.9 expires in April 2008
· 7 new vulnerabilities
· 3 remotely exploitable without authentication (Critical)
· The JInitiator patch fixes a critical vulnerability
· Impacting components: JInitiator, Oracle Application Object Library, Oracle Application Manager, Oracle Control Integration
c. Patching Recommendations
i. All E-Business Suite applications using Oracle Forms (JInitiator) should be patched immediately (Medium Priority).
ii. Other patches need to be applied to E-Business Suite servers within 6 months. (Lower Priority)