| PROBLEM: | Oracle released a cumulative update (including all Oracle Security Alert #68 fixes) for multiple security vulnerabilities. |
| PLATFORM: | -Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1 (supported for Oracle Application Server only)
-Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
-Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4 (9.0.1.5 FIPS) (supported for Oracle Application Server only)
-Oracle8i Database Server Release 3, version 8.1.7.4
-Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported for E-Business Suite only)
-Oracle Application Server 10g Release 2 (10.1.2)
-Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
-Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
-Oracle9i Application Server Release 1, version 1.0.2.2
-Oracle Collaboration Suite Release 2, version 9.0.4.2
-Oracle E-Business Suite and Applications Release 11i (11.5)
-Oracle E-Business Suite and Applications Release 11.0 |
| DAMAGE: | Specific details of each vulnerability are not available. However, they include PL/SQL Injection vulnerabilities that allow low privileged users to gain DBA privileges and a buffer overflow vulnerability. |
| SOLUTION: | Install the update. |
| VULNERABILITY ASSESSMENT: |
The risk is HIGH. Possible execution of arbitrary code with privileges of the "Oracle" user on Unix/Linux and "System" on Microsoft Windows. Could also lead to disclosure of sensitive information. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/p-100.shtml |
| ORIGINAL BULLETIN: | http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf |
[***** Start January 2005 Critical Patch Update *****]
Critical Patch Update - January 2005
Description
This Critical Patch Update is a cumulative update (including all Oracle Security
Alert #68 fixes) containing fixes for multiple security vulnerabilities. In
addition, it also contains non-security fixes that are required (because of
interdependencies) by those security fixes.
For more information about this new process, please see the Oracle Critical
Patch Update Program General FAQ (MetaLink Note 290738.1).
The Critical Patch Update introduces the Risk Matrix as a method to allow
customers to gauge the severity of the vulnerabilities addressed. The matrix
provides the following information:
-The access required to exploit the vulnerability. If a network attack is
possible, we will list the protocol used by the attack. We also list the
credentials and additional circumstances required to exploit the vulnerability.
-The risk of the vulnerability being exploited. This is categorized by the risk
to confidentiality (e.g.,privacy), integrity (e.g., information modification),
and availability (e.g., service interruption). Each categorization indicates
the ease with which the vulnerability can be exploited and the potential
harm a successful attack can cause. The most serious vulnerabilities are Easy
vulnerabilities that have a Wide impact.
-The earliest supported release affected indicates the first product version,
among those still supported, that is affected by the vulnerability; the last
affected patchset indicates, for each supported release, the last patchset
that is still affected by the vulnerability. As an example:
-A customer is using Oracle Database 10g Release 1, version 10.1.0.2,
and wishes to determine if they are affected by the DB06 vulnerability.
In the Oracle Database Server Risk Matrix, the DB06 row shows '10g'
in the Earliest Supported Release Affected column, and '10.1.0.3.1
(10g)' in the Last Affected Patch Set column. This means that all
supported versions of 10g up to and including 10.1.0.3.1 are affected
by the vulnerability. Therefore, this customer is affected.
-The component that contained the vulnerability is listed. In many cases, a
vulnerability can be exploited solely due to the component being present on
the system, even if it is not used. The component information should not be used
to determine if a system is vulnerable to a given attack. This information
is provided to aid customer testing.
-Finally, we will indicate if recommended workarounds are available, and if
so, what they are. Workarounds that may adversely affect the operation of
other Oracle products are not provided.
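The matrix check described above, written out as an added example (this is not code from the Oracle advisory or the CIAC bulletin): parse dotted Oracle version strings into comparable tuples, map a version to its release (major.minor), and decide whether the installed version falls at or below the last affected patch set listed for that release. The DB06 row carries only the values the advisory's own example gives for 10g; the second row (XX01), its values, the function and class names (parse_version, MatrixRow, assess, assess_inventory) and the host names in the sample inventory are all constructed for illustration.

```python
from typing import Dict, NamedTuple

# Oracle version strings have up to five dotted fields, e.g. 10.1.0.3.1.
VERSION_FIELDS = 5


def parse_version(text: str) -> tuple:
    """Turn '10.1.0.3' into the fixed-width tuple (10, 1, 0, 3, 0) so that
    strings of different length compare correctly: 10.1.0.3 < 10.1.0.3.1."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 2 <= len(parts) <= VERSION_FIELDS:
        raise ValueError(f"unrecognised Oracle version string: {text!r}")
    return tuple(parts + [0] * (VERSION_FIELDS - len(parts)))


def release_of(version: tuple) -> str:
    """A version's release is its first two fields: 10.1.0.3.1 -> '10.1'
    (10g Release 1), 9.2.0.6 -> '9.2' (9i Release 2), 8.1.7.4 -> '8.1' (8i)."""
    return f"{version[0]}.{version[1]}"


class MatrixRow(NamedTuple):
    """One Risk Matrix row, reduced to the two version columns (constructed type)."""
    vuln_id: str
    earliest_release: str          # 'Earliest Supported Release Affected' as major.minor
    last_affected: Dict[str, str]  # release -> 'Last Affected Patch Set' for that release


def assess(installed: str, row: MatrixRow) -> str:
    """Apply the matrix rule: a version is affected if its release is listed
    and it is at or below that release's last affected patch set.
    Returns 'affected', 'not affected' or 'not in matrix' (a release older
    than the earliest supported one was not tested, and a release the row
    does not list cannot be judged from this row alone)."""
    version = parse_version(installed)
    release = release_of(version)
    if parse_version(release) < parse_version(row.earliest_release):
        return "not in matrix"
    last = row.last_affected.get(release)
    if last is None:
        return "not in matrix"
    return "affected" if version <= parse_version(last) else "not affected"


# DB06 as the advisory's own example describes it: earliest affected release 10g,
# last affected patch set 10.1.0.3.1. Other releases are not given in the text.
DB06 = MatrixRow("DB06", "10.1", {"10.1": "10.1.0.3.1"})

# A constructed row (hypothetical identifier and values) showing the usual case
# where several supported releases each have their own last affected patch set.
HYPOTHETICAL = MatrixRow("XX01", "9.2", {"9.2": "9.2.0.5", "10.1": "10.1.0.3"})


def assess_inventory(inventory: Dict[str, str], row: MatrixRow) -> Dict[str, str]:
    """Run the check over a host -> installed-version map (constructed sample below)."""
    return {host: assess(version, row) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory; host names are invented.
    sample = {"db-prod-01": "10.1.0.2", "db-prod-02": "10.1.0.3.1", "db-rep-01": "9.2.0.6"}
    for host, verdict in assess_inventory(sample, DB06).items():
        print(f"{host}: {sample[host]} -> {DB06.vuln_id} {verdict}")
```

The fixed-width padding matters: without it a naive tuple comparison treats 10.1.0.3 and 10.1.0.3.0 as different, and a string comparison would order 10.1.0.3.1 before 9.2.0.6. A 'not in matrix' verdict is a prompt to read the full appendix row or the pre-installation note, not a clean bill of health.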
MetaLink Note 293956.1 defines the terms used in the Risk Matrix.
Please note: Oracle has analyzed each potential vulnerability separately for
risk of exploit and impact of exploit. Oracle has performed no analysis on the
likelihood and impact of blended attacks (i.e. the exploitation of multiple
vulnerabilities combined in a single attack).
Policy Statement on Information Provided in Critical Patch Updates and Security
Alerts
Oracle Corporation conducts an analysis of each security vulnerability addressed
by a Critical Patch Update (CPU) or a Security Alert. The results of the security
analysis are reflected in the severity of the CPU or Security Alert and the
associated documentation describing, for example, the type of vulnerability,
the conditions required to exploit it and the result of a successful exploit.
Oracle provides this information, in part, so that customers may conduct their
own risk analysis based on the particulars of their product usage.
As a matter of policy, Oracle will not provide additional information about the
specifics of vulnerabilities beyond what is provided in the CPU or Security
Alert notification, the pre-installation notes, the readme files, and FAQs.
Oracle does not provide advance notification on CPU or Security Alerts to
individual customers. Finally, Oracle does not develop or distribute active
exploit code, nor "proof-of-concept" code, for vulnerabilities in our products.
Critical Patch Update Availability for De-Supported Versions
Critical Patch Updates are available for customers who have purchased Extended
Maintenance Support (EMS). De-support Notices indicate whether EMS is available
for a particular release and platform, as well as the specific period during
which EMS will be available.
Customers with valid licenses for product versions covered by Extended Support
(ES) are entitled to download existing fixes; however, new issues that may
arise from the application of patches are not covered under ES. Therefore,
ES customers should have comprehensive plans to enable backing out any patch
application. Oracle will not provide Critical Patch Updates for product
versions which are no longer covered under the Extended Maintenance Support
plan. We recommend that customers upgrade to the latest supported version
of Oracle products in order to obtain Critical Patch Updates.
Please review the "Extended Support" section within the Technical Support
Policies for further guidelines regarding ES & EMS.
Supported Products Affected
The following supported product releases and versions are affected by this
Critical Patch Update:
•Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1
(supported for Oracle Application Server only)
•Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5 and 9.2.0.6
•Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
(9.0.1.5 FIPS) (supported for Oracle Application Server only)
•Oracle8i Database Server Release 3, version 8.1.7.4
•Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported for E-Business
Suite only)
•Oracle Application Server 10g Release 2 (10.1.2)
•Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
•Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
•Oracle9i Application Server Release 1, version 1.0.2.2
•Oracle Collaboration Suite Release 2, version 9.0.4.2
•Oracle E-Business Suite and Applications Release 11i (11.5)
•Oracle E-Business Suite and Applications Release 11.0
The new database vulnerabilities addressed by this Critical Patch Update
do not affect Oracle Database Client-only installations (installations that
do not have the Oracle Database Server installed). Since this Critical
Patch Update includes all fixes from Security Alert 68, the client fixes
in this Critical Patch Update are the same as Security Alert 68. If Security
Alert 68 has not been applied to Client-only installations, Security Alert
68 or this Critical Patch Update must be installed on those installations
in order to eliminate the security vulnerabilities described by Security
Alert 68.
Unsupported products, releases and versions have not been tested for the
presence of these vulnerabilities, nor patched, in accordance with
section 4.3.3.3 of the Software Error Correction Support Policy (MetaLink
Note 209768.1). However, earlier patchset levels of the affected releases
are most likely also affected by these vulnerabilities.
Oracle Database Server
Oracle Database Server Risk Matrix
Please refer to Appendix A - Oracle Database Server Risk Matrix.
Oracle Database Patch Availability
Please see the Pre-Installation Note for the Oracle Database Server, MetaLink
Note 293737.1 .
Oracle Enterprise Manager Grid Control
There are no new fixes for Oracle Enterprise Manager Grid Control in this
Critical Patch Update. However, since this Critical Patch Update includes
all fixes in Security Alert 68, the Oracle Enterprise Manager fixes in
this Critical Patch Update are the same as Security Alert 68.
Oracle Enterprise Manager Patch Availability
Please see the Pre-Installation Note for the Oracle Enterprise Manager
Grid Control, MetaLink Note 295108.1 .
Oracle Application Server
Oracle Application Server Risk Matrix
Please refer to Appendix B - Oracle Application Server Risk Matrix.
Oracle Application Server Patch Availability
Please see the Pre-Installation Note for the Oracle Application Server,
MetaLink Note 293738.1
Oracle Collaboration Suite
Oracle Collaboration Suite Risk Matrix
Please refer to Appendix C - Oracle Collaboration Suite Risk Matrix.
Oracle Collaboration Suite Patch Availability
Please see the Pre-Installation Note for the Oracle Collaboration Suite,
MetaLink Note 293740.1
Oracle E-Business and Applications
This Critical Patch Update contains security fixes for Oracle8 Database
Release 8.0.6 version 8.0.6.3 released in revision 3 of Alert 68 on
December 27th, 2004. All E-business customers must apply these patches.
Oracle E-Business Risk Matrix
Please refer to Appendix D - Oracle E-Business Risk Matrix.
Oracle E-Business Patch Availability
Please see the Pre-Installation Note for the Oracle E-Business Suite,
MetaLink Note 293741.1.
References
_ Critical Patch Update - January 2005 FAQ, MetaLink Note 293955.1
_ Oracle Critical Patch Update Program General FAQ, MetaLink Note 290738.1
_ Oracle Critical Patch Update Documentation Tree, MetaLink Note 294914.1
_ Security Alerts and Critical Patch Updates - Frequently Asked Questions,
MetaLink Note 237007.1
Credits
The following people discovered and brought security vulnerabilities
addressed by this Critical Patch Update to Oracle’s attention: Pete
Finnigan, Alexander Kornbrust of Red Database Security, Stephen Kost
of Integrigy, David Litchfield of NGSS Limited.
Modification History
18-JAN-05: Initial release, version 1
FOR APPENDICES and Risk Matrices:
see Critical Patch Update - January 2005 at
http://www.oracle.com/technology/deploy/security/pdf/cpu-jan-2005_advisory.pdf
[***** End January 2005 Critical Patch Update *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/