CSIRTUK advisories

ID: 3661
Date: 16/07/2008

---

Title: 3661 - Oracle Critical Patch Update Advisory - July 2008
Platform level affected:Net Application - Enterprise
Net-enabled software: Enterprise Database
Vendors affected:Oracle
Adversity source: Unknown
Attack Vector: Vulnerability exploitation
Virulence: Unknown
Warning Status: Unknown
Potential Damage: Remote access
Possible Duration: Unknown
Availability of fix: Available
Type of fix: Patch
Source: Oracle
Reliability of source: Trusted
Source URL: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
Abstract: Oracle have published information regarding the July 2008 Critical Update which contain 45 security patches affecting a range of Oracle products.

Critical patches were just released by Oracle as part of its quarterly patch release program.
According to Oracle, the following products are affected:

Oracle Database 11g, version 11.1.0.6 
Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4 
Oracle Database 10g, version 10.1.0.5 
Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV 
Oracle TimesTen In-Memory Database version 7.0.3.0.0 
Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0  
Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0    
Oracle Application Server 10g (9.0.4), version 9.0.4.3 
Oracle Hyperion BI Plus version 9.2.0.3, 9.2.1.0,and 9.3.1.0 
Oracle Hyperion Performance Suite version 8.3.2.4, and 8.5.0.3 
Oracle E-Business Suite Release 12, version 12.0.4 
Oracle E-Business Suite Release 11i, version 11.5.10.2 
Oracle Enterprise Manager Database Control 11i version 11.1.0.6 
Oracle Enterprise Manager Database Control 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4 
Oracle Enterprise Manager Database Control 10g Release 1, version 10.1.0.5 
Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6 
Oracle PeopleSoft Enterprise PeopleTools versions 8.48.17, 8.49.11 
Oracle PeopleSoft Enterprise CRM version 8.9, 9.0 
Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1 
Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0, 9.1, 9.2 released through MP3 
Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6 
Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7 
Oracle WebLogic Server (formerly BEA WebLogic Server) 6.1 released through SP7

Additional information can be obtained from:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

This advisory contains information released by the original author. Some of the information may have changed since it was released. If the issue affects you, it may be prudent to retrieve the advisory from the site of the original source to ensure that you receive the most current information concerning that problem. Reference to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favouring by CPNI.

The views and opinions of authors expressed within this notice shall not be used for advertising or product endorsement purposes. CPNI shall not accept responsibility for any errors or omissions contained within this advisory. In particular, they shall not be liable for any loss or damage whatsoever, arising from or in connection with the usage of information contained within this advisory.

CSIRTUK is a member of the Forum of Incident Response and Security Teams (FIRST) and has contacts with other international Incident Response Teams (IRTs) in order to foster cooperation and coordination in incident prevention, to prompt rapid reaction to incidents, and to promote information sharing amongst its members and the community at large.