[SECURITY-L] CAIS-Alerta: Multiple Vulnerabilities in Oracle Products - July

CSIRT - UNICAMP security at unicamp.br
Wed Jul 19 14:47:56 -03 2006


---------------------------- Original Message ----------------------------
Subject: CAIS-Alerta: Multiple Vulnerabilities in Oracle Products - July
From:    "Centro de Atendimento a Incidentes de Seguranca" <cais at cais.rnp.br>
Date:    Wed, July 19, 2006 11:13 am
To:      rnp-alerta at cais.rnp.br
         rnp-seg at cais.rnp.br
--------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Dear all,

CAIS is forwarding the Oracle alert titled "Oracle Critical Patch
Update - July 2006", which covers a series of fixes for multiple
vulnerabilities in several Oracle products.

In total, 65 vulnerabilities are covered by these fixes; they range from
limited impact to high impact and allow the injection of arbitrary SQL
code into the affected systems.


Affected systems:

. Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2
. Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
. Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
. Oracle8i Database Release 3, version 8.1.7.4
. Oracle Enterprise Manager 10g Grid Control, version 10.2.0.1
. Oracle Application Server 10g Release 3, versions 10.1.3.0.0
. Oracle Application Server 10g Release 2, versions 10.1.2.0.0 -
10.1.2.0.2, 10.1.2.1.0
. Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.2, 9.0.4.3
. Oracle Collaboration Suite 10g Release 1, version 10.1.2.0
. Oracle9i Collaboration Suite Release 2, version 9.0.4.2
. Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
. Oracle E-Business Suite Release 11.0
. Oracle Pharmaceutical Applications versions 4.5.0 - 4.5.2
. Oracle PeopleSoft Enterprise Portal Solutions, Enterprise Portal,
versions 8.4, 8.8, 8.9
. Oracle PeopleSoft Enterprise Portal Solutions, Enterprise Portal with
Enforcer Portal Pack, version 8.8
. JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95, 8.96
. Oracle Database 10g Release 1, version 10.1.0.4.2
. Oracle Application Server Portal, versions 10.1.4.0.0
. Oracle Developer Suite, versions 6i, 9.0.4.2
. Oracle Workflow, versions 11.5.1 through 11.5.9.5
. Oracle9i Database Release 1, versions 9.0.1.4
. Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
. Oracle8 Database Release 8.0.6, version 8.0.6.3
. Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
. Oracle9i Application Server Release 1, version 1.0.2.2
. Oracle Database 10g Release 1, version 10.1.0.3
. Oracle9i Database Release 2, version 9.2.0.5
. Oracle Application Server 10g Release 1 (9.0.4), version 9.0.4.1


Available fixes:

The fixes for the Oracle products are available, with a username and
password, at the addresses given below:

. Oracle Database
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=372930.1#DBAVAIL

. Oracle Application Server
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=372930.1#ASMIDTIER

. Oracle Collaboration Suite
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=372930.1#OCSAVAIL

. Oracle E-Business Suite and Application
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=372931.1

. Oracle Pharmaceutical Applications
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=374060.1

. Oracle Enterprise Manager
  http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=372930.1#OEMAVAIL

. Oracle PeopleSoft Enterprise and JD Edwards Enterprise
  http://www.peoplesoft.com/corp/en/support/security_index.jsp


More information:

. Oracle Critical Patch Update - July 2006
  http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html

. Oracle Products Multiple Vulnerabilities
  http://secunia.com/advisories/21111/


CVE identifiers (http://cve.mitre.org):
CVE-2006-3698, CVE-2006-3699, CVE-2006-3700, CVE-2006-3701, CVE-2006-3702,
CVE-2006-3703, CVE-2006-3704, CVE-2006-3705, CVE-2006-3706, CVE-2006-3707,
CVE-2006-3708, CVE-2006-3709, CVE-2006-3710, CVE-2006-3711, CVE-2006-3712,
CVE-2006-3713, CVE-2006-3714, CVE-2006-3715, CVE-2006-3716, CVE-2006-3717,
CVE-2006-3718, CVE-2006-3719, CVE-2006-3720, CVE-2006-3721, CVE-2006-3722,
CVE-2006-3723, CVE-2006-3724



CAIS recommends that administrators always keep their systems and
applications up to date, in line with the latest versions and fixes
provided by the vendors.

CAIS alerts are also offered in RSS/RDF format:

http://www.rnp.br/cais/alertas/rss.xml

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais at cais.rnp.br       http://www.cais.rnp.br                #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (GNU/Linux)
Comment: pgpenvelope 2.10.2 - http://pgpenvelope.sourceforge.net/

-----END PGP SIGNATURE-----


----- End forwarded message -----



More information about the SECURITY-L mailing list