From security em unicamp.br Wed Jan 17 16:26:36 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Wed, 17 Jan 2007 16:26:36 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-017A -- Oracle Releases Patches for Multiple Vulnerabilities
Message-ID: <20070117182635.GE99650@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-017A -- Oracle Releases Patches for Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 17 Jan 2007 11:01:08 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-017A

Oracle Releases Patches for Multiple Vulnerabilities

   Original release date: January 17, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

   * Oracle Database
   * Oracle Application Server
   * Oracle HTTP Server (Apache)
   * Oracle Identity Management
   * Oracle Enterprise Manager Grid Control
   * Oracle E-Business Suite
   * Oracle Collaboration Suite
   * Oracle PeopleSoft Enterprise PeopleTools
   * Oracle Life Sciences Applications (formerly Oracle Pharmaceutical Applications)

   For more detailed information regarding affected product versions, refer to the Oracle Critical Patch Update - January 2007.

Overview

   Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

   Oracle has released the Critical Patch Update - January 2007.
   According to Oracle, this Critical Patch Update (CPU) contains:

   * 17 new security fixes for the Oracle Database, one of which is for Oracle Database client-only installations
   * 9 new security fixes for the Oracle HTTP Server
   * 12 new security fixes for the Oracle Application Server
   * 7 new security fixes for the Oracle E-Business Suite
   * 6 new security fixes for the Oracle Enterprise Manager
   * 3 new security fixes for the Oracle PeopleSoft Enterprise PeopleTools

   Many Oracle products include or share code with other vulnerable Oracle products and components. Therefore, one vulnerability may affect multiple Oracle products and components. For example, the January 2007 CPU does not contain any fixes specifically for Oracle Collaboration Suite. However, Oracle Collaboration Suite is affected by vulnerabilities in Oracle Database and Oracle Application Server, so sites running Oracle Collaboration Suite should install fixes for Oracle Database and Oracle Application Server. Refer to the January 2007 CPU for details regarding which vulnerabilities affect specific Oracle products and components.

   For a list of publicly known vulnerabilities addressed in the January 2007 CPU, refer to the Map of Public Vulnerability to Advisory/Alert. The January 2007 CPU does not associate Vuln# identifiers (e.g., DB01) with other available information, even in the Map of Public Vulnerability to Advisory/Alert document. As more details about vulnerabilities and remediation strategies become available, we will update the individual vulnerability notes.

II. Impact

   The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include remote execution of arbitrary code or commands, sensitive information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers.
   An attacker who compromises an Oracle database may be able to gain access to sensitive information or take complete control of the host system.

III. Solution

Apply patches from Oracle

   Apply the appropriate patches or upgrade as specified in the Critical Patch Update - January 2007. Note that this Critical Patch Update only lists newly corrected vulnerabilities. As noted in the update, some patches are cumulative, others are not:

      The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle Collaboration Suite, JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications and PeopleSoft Enterprise PeopleTools patches in the Updates are cumulative; each Critical Patch Update contains the fixes from the previous Critical Patch Updates.

      Oracle E-Business Suite and Applications patches are not cumulative, so E-Business Suite and Applications customers should refer to previous Critical Patch Updates to identify previous fixes they want to apply.

   Vulnerabilities described in the January 2007 CPU may affect Oracle Database 10g Express Edition (XE). According to Oracle, Oracle Database XE is based on the Oracle Database 10g Release 2 code.

   Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents and test before making changes to production systems.

IV.
References

   * US-CERT Vulnerability Notes Related to Critical Patch Update - January 2007 -
   * Critical Patch Update - January 2007 -
   * Critical Patch Updates and Security Alerts -
   * Map of Public Vulnerability to Advisory/Alert -
   * Oracle Database Security Checklist (PDF) -
   * Critical Patch Update Implementation Best Practices (PDF) -
   * Oracle Database 10g Express Edition -
   * Details Oracle Critical Patch Update January 2007 -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-017A Feedback VU#221788" in the subject.

____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .

____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.
   Terms of use:

----- End forwarded message -----


From security em unicamp.br Tue Jan 23 14:24:57 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Tue, 23 Jan 2007 14:24:57 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-022A
Message-ID: <20070123162457.GA95098@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-022A
To: technical-alerts em us-cert.gov
Date: Mon, 22 Jan 2007 14:34:59 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-022A

Sun Updates for Multiple Vulnerabilities in Java

   Original release date: January 22, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

   Sun Java Runtime Environment versions
   * JDK and JRE 5.0 Update 9 and earlier
   * SDK and JRE 1.4.2_12 and earlier
   * SDK and JRE 1.3.1_18 and earlier

Overview

   The Sun Java Runtime Environment contains multiple vulnerabilities that can allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.

I. Description

   The Sun Java Runtime Environment (JRE) allows users to run Java applications in a browser or as standalone programs. Sun has released updates to the Java Runtime Environment software to address multiple vulnerabilities. Further details about these vulnerabilities are available in the Vulnerability Notes Database.
   Note that exploit code is publicly available for at least one of these vulnerabilities.

II. Impact

   By convincing a user to run a specially crafted Java application, a remote, unauthenticated attacker can execute arbitrary code on a vulnerable system. A common attack vector would be a web page that contains a Java applet.

III. Solution

Apply an update from Sun

   These issues are addressed in the following versions of the Sun Java Runtime Environment:

   * JDK and JRE 5.0 Update 10 or later
   * SDK and JRE 1.4.2_13 or later
   * SDK and JRE 1.3.1_19 or later

   If you install the latest version of Java, older versions of Java may remain installed on your computer. If these versions of Java are not needed, you may wish to remove them. For instructions on how to remove older versions of Java, refer to the following instructions from Sun:

   http://www.java.com/en/download/faq/5000070400.xml

Disable Java

   Disable Java in your web browser, as specified in the Securing Your Web Browser document. While this does not fix the underlying vulnerabilities, it does block the most common attack vector.

IV. References

   * US-CERT Vulnerability Note VU#388289 -
   * US-CERT Vulnerability Note VU#102289 -
   * US-CERT Vulnerability Note VU#149457 -
   * US-CERT Vulnerability Note VU#939609 -
   * Securing Your Web Browser -
   * CVE-2007-0243 -
   * CVE-2006-6745 -
   * CVE-2006-6731 -
   * Java SE Technologies at a Glance -
   * Java SE Security -
   * Can I remove older versions of the JRE after installing a newer version? -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-022A Feedback VU#388289" in the subject.

____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .
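As an added example that is not part of the US-CERT alert or Sun's own tooling, the following Python check maps a reported Java version string to the affected and fixed ranges listed in TA07-022A. The fixed update numbers come from the alert; the version-string format (Sun's "5.0 Update 9" is reported as 1.5.0_09) is assumed from Sun's numbering, and the sample `java -version` banners are constructed.

```python
"""Decide whether a Java version string is older than the updates named in TA07-022A.

`java -version` reports strings such as "1.5.0_09", "1.4.2_12" or "1.3.1_18";
the marketing name "JDK/JRE 5.0 Update 9" corresponds to 1.5.0_09 (assumption
from Sun's numbering). Fixed versions per the alert: 5.0 Update 10 (1.5.0_10),
1.4.2_13 and 1.3.1_19.
"""
import re

# (major, minor, micro) -> first fixed update number, from the alert's Solution section
FIXED_UPDATES = {
    (1, 5, 0): 10,
    (1, 4, 2): 13,
    (1, 3, 1): 19,
}

# "1.5.0_09", "1.5.0" (update 0) or "1.5.0_09-b03" (build suffix ignored)
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:_(\d+))?(?:-\w+)?$")


def parse_java_version(text):
    """Return ((major, minor, micro), update) from a bare version string or a
    `java -version` banner line such as 'java version "1.4.2_12"'."""
    quoted = re.search(r'"([^"]+)"', text)   # pull the quoted token out of a banner
    token = quoted.group(1) if quoted else text.strip()
    m = _VERSION_RE.match(token)
    if not m:
        raise ValueError("unrecognised Java version: %r" % text)
    family = tuple(int(x) for x in m.group(1, 2, 3))
    update = int(m.group(4) or 0)
    return family, update


def is_vulnerable(text):
    """True when the version belongs to a family the alert covers and its update
    number is below the fix. Families the alert does not list (e.g. 1.6.0) return
    False: the alert says nothing about them, so they are out of scope here."""
    family, update = parse_java_version(text)
    fixed = FIXED_UPDATES.get(family)
    return fixed is not None and update < fixed


if __name__ == "__main__":
    # Constructed sample banners, not real inventory data
    for banner in ('java version "1.5.0_09"', 'java version "1.5.0_10"',
                   'java version "1.4.2_12"', 'java version "1.3.1_19"'):
        print(banner, "->", "needs update" if is_vulnerable(banner) else "ok")
```

Because older JREs can stay installed beside a new one, run the check against every Java binary found on the host, not only the one first on the PATH.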
____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.

   Terms of use:

____________________________________________________________________

Revision History

   January 22, 2007: Initial release

----- End forwarded message -----


From security em unicamp.br Thu Jan 25 11:59:52 2007
From: security em unicamp.br (CSIRT - UNICAMP)
Date: Thu, 25 Jan 2007 11:59:52 -0200
Subject: [SECURITY-L] US-CERT Technical Cyber Security Alert TA07-024A -- Cisco IOS is Affected by Multiple Vulnerabilities
Message-ID: <20070125135951.GA26603@unicamp.br>

----- Forwarded message from US-CERT Technical Alerts -----

From: US-CERT Technical Alerts
Subject: US-CERT Technical Cyber Security Alert TA07-024A -- Cisco IOS is Affected by Multiple Vulnerabilities
To: technical-alerts em us-cert.gov
Date: Wed, 24 Jan 2007 19:14:51 -0500
Organization: US-CERT - +1 202-205-5266

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

National Cyber Alert System
Technical Cyber Security Alert TA07-024A

Cisco IOS is Affected by Multiple Vulnerabilities

   Original release date: January 24, 2007
   Last revised: --
   Source: US-CERT

Systems Affected

   * Cisco network devices running IOS in various configurations

Overview

   Several vulnerabilities have been discovered in Cisco's Internet Operating System (IOS). A remote attacker may be able to execute arbitrary code on an affected device, cause an affected device to reload the operating system, or cause other types of denial of service.

I.
Description

   Cisco has published three advisories describing flaws in IOS with various security impacts, the most serious of which could allow a remote attacker to execute arbitrary code on an affected system. Further details are available in the following vulnerability notes:

   VU#217912 - Cisco IOS fails to properly process TCP packets

      The Cisco IOS Transmission Control Protocol listener in certain versions of Cisco IOS software contains a memory leak. This memory leak may allow an attacker to create a denial-of-service condition.

   VU#341288 - Cisco IOS fails to properly process certain packets containing a crafted IP option

      A vulnerability exists in the way Cisco IOS processes a number of different types of IPv4 packets containing a specially crafted IP option. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on an affected device or create a denial-of-service condition.

   VU#274760 - Cisco IOS fails to properly process specially crafted IPv6 packets

      Cisco IOS fails to properly process IPv6 packets with specially crafted routing headers. Successful exploitation of this vulnerability may allow an attacker to execute arbitrary code on an affected device or create a denial-of-service condition.

II. Impact

   Although the resulting impacts of these three vulnerabilities are slightly different, in the case of VU#341288 and VU#274760 a remote attacker could cause an affected device to reload the operating system. In some cases, this creates a secondary denial-of-service condition because packets are not forwarded through the affected device while it is reloading. Repeated exploitation of these vulnerabilities may result in a sustained denial-of-service condition. Because devices running IOS may transmit traffic for a number of other networks, the secondary impacts of a denial of service may be severe.
   Also in the case of VU#341288 and VU#274760, successful exploitation may allow a remote attacker to execute arbitrary code on an affected device.

III. Solution

Upgrade to a fixed version of IOS

   Cisco has updated versions of its IOS software to address these vulnerabilities. Please refer to the "Software Versions and Fixes" sections of the Cisco Security Advisories listed in the References section of this document for more information on upgrading.

Workaround

   Cisco has also published practical workarounds for these vulnerabilities. Please refer to the "Workarounds" section of each Cisco Security Advisory listed in the References section of this document for more information. Sites that are unable to install an upgraded version of IOS are encouraged to implement these workarounds.

IV. References

   * US-CERT Vulnerability Note VU#217912 -
   * US-CERT Vulnerability Note VU#341288 -
   * US-CERT Vulnerability Note VU#274760 -
   * Cisco Security Advisory: Crafted TCP Packet Can Cause Denial of Service -
   * Cisco Security Advisory: Crafted IP Option Vulnerability -
   * Cisco Security Advisory: IPv6 Routing Header Vulnerability -

____________________________________________________________________

   The most recent version of this document can be found at:

____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send email to with "TA07-024A Feedback VU#217912" in the subject.

____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this mailing list, visit .

____________________________________________________________________

   Produced 2007 by US-CERT, a government organization.
   Terms of use:

____________________________________________________________________

Revision History

   January 24, 2007: Initial release

----- End forwarded message -----