-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Dear colleagues,
We have just received the following warning. We are forwarding this
information to you unchanged.
CPUOct2010 – Vulnerabilities in various Oracle products
Various Oracle products contain 85 vulnerabilities reported by the vendor.
Depending on the Oracle product, attackers can exploit these vulnerabilities
locally or over the network to carry out denial-of-service attacks, obtain
sensitive information, or execute arbitrary code on the affected systems.
Some of the vulnerabilities can be exploited over the network without prior
authentication.
The following software packages and platforms are affected:
Oracle Database 11g Release 2, prior to version 11.2.0.1
Oracle Database 11g Release 1, prior to version 11.1.0.7
Oracle Database 10g Release 2, prior to versions 10.2.0.3, 10.2.0.4
Oracle Database 10g, Release 1, prior to version 10.1.0.5
Oracle Fusion Middleware, 11gR1, prior to versions 11.1.1.1.0, 11.1.1.2.0
Oracle Application Server, 10gR3, prior to version 10.1.3.5.0
Oracle Application Server, 10gR2, prior to version 10.1.2.3.0
Oracle BI Publisher, prior to versions 10.1.3.3.2, 10.1.3.4.0, 10.1.3.4.1
Oracle Identity Management 10g, prior to versions 10.1.4.0.1, 10.1.4.3
Oracle E-Business Suite Release 12, prior to versions 12.0.4, 12.0.5,
12.0.6, 12.1.1 and 12.1.2
Oracle E-Business Suite Release 11i, prior to versions 11.5.10, 11.5.10.2
Agile PLM, prior to version 9.3.0.0
Oracle Transportation Management, prior to versions 5.5, 6.0, and 6.1
PeopleSoft Enterprise CRM, FMS, HCM and SCM (Supply Chain), prior to
versions 8.9, 9.0 and 9.1
PeopleSoft Enterprise EPM, Campus Solutions, prior to versions 8.9, 9.0
and 9.1
PeopleSoft Enterprise PeopleTools, prior to versions 8.49 and 8.50
Siebel Core, prior to versions 7.7, 7.8, 8.0 and 8.1
Primavera P6 Enterprise Project Portfolio Management, prior to versions
6.21.3.0, 7.0.1.0
Oracle Sun Product Suite
Oracle VM, prior to version 2.2.1
All platforms for which affected Oracle products are available
The vendor provides revised packages.
(c) of the German summary by DFN-CERT Services GmbH; distribution, including
in part, is permitted only with attribution to the author, DFN-CERT Services
GmbH, and only for non-commercial purposes.
Kind regards,
Detlev O. Matthies
-- 
Detlev O. Matthies, M.Sc. (Incident Response Team)
DFN-CERT Services GmbH, https://www.dfn-cert.de, Phone +49 40 808077-590
Registered office / register: Hamburg, AG Hamburg, HRB 88805, VAT ID: DE 232129737
Sachsenstrasse 5, 20097 Hamburg/Germany, CEO: Dr. Klaus-Peter Kossakowski
Automatic warning messages https://www.cert.dfn.de/autowarn
Oracle Critical Patch Update Advisory – October 2010
Description
A Critical Patch Update is a collection of patches for multiple security
vulnerabilities. It also includes non-security fixes that are required (because
of interdependencies) by those security patches. Critical Patch Updates are
cumulative, except as noted below, but each advisory describes only the security
fixes added since the previous Critical Patch Update. Thus, prior Critical Patch
Update Advisories should be reviewed for information regarding earlier
accumulated security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security
Advisories.
Due to the threat posed by a successful attack, Oracle strongly recommends that
customers apply CPU fixes as soon as possible. This Critical Patch Update
contains 85 new security fixes across all product families listed below.
Oracle is in the process of aligning the Sun Microsystems policies with Oracle
Software Security Assurance policies and procedures. For details, please refer
to Changes in security policies for the Sun product lines.
Affected Products and Components
Security vulnerabilities addressed by this Critical Patch Update affect the
products listed in the categories below. The product area of the patches for the
listed versions is shown in the Patch Availability column corresponding to the
specified Products and Versions column. Please click on the link in the Patch
Availability column below or in the Patch Availability Table to access the
documentation for those patches.
Affected product releases and versions that are in Premier Support or Extended
Support, under the Oracle Lifetime Support Policy:
Affected Products and Versions | Patch Availability
Oracle Database 11g Release 2, version 11.2.0.1 | Database
Oracle Database 11g Release 1, version 11.1.0.7 | Database
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4 | Database
Oracle Database 10g, Release 1, version 10.1.0.5 | Database
Oracle Fusion Middleware, 11gR1, versions 11.1.1.1.0, 11.1.1.2.0 | Fusion Middleware
Oracle Application Server, 10gR3, version 10.1.3.5.0 | Fusion Middleware
Oracle Application Server, 10gR2, version 10.1.2.3.0 | Fusion Middleware
Oracle BI Publisher, versions 10.1.3.3.2, 10.1.3.4.0, 10.1.3.4.1 | Fusion Middleware
Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3 | Fusion Middleware
Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2 | E-Business Suite
Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2 | E-Business Suite
Agile PLM, version 9.3.0.0 | Oracle Supply Chain
Oracle Transportation Management, versions 5.5, 6.0, and 6.1 | Oracle Supply Chain
PeopleSoft Enterprise CRM, FMS, HCM and SCM (Supply Chain), versions 8.9, 9.0 and 9.1 | PeopleSoft
PeopleSoft Enterprise EPM, Campus Solutions, versions 8.9, 9.0 and 9.1 | PeopleSoft
PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50 | PeopleSoft
Siebel Core, versions 7.7, 7.8, 8.0 and 8.1 | Siebel
Primavera P6 Enterprise Project Portfolio Management, versions 6.21.3.0, 7.0.1.0 | Primavera Suite
Oracle Sun Product Suite | Oracle Sun Product Suite
Oracle VM, version 2.2.1 | Oracle VM
Patch Availability Table and Risk Matrices
Products with Cumulative Patches
The Oracle Database, Oracle Fusion Middleware, Oracle Enterprise Manager Grid
Control, Oracle E-Business Suite Applications (Releases 11.5.10 CU2, 12.0 and
12.1), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft
Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools and Siebel
Enterprise, Oracle Industry Applications and Oracle VM patches in the Updates
are cumulative; patches for any of these products included in a Critical Patch
Update will include all fixes for that product from the previous Critical Patch
Updates.
Products with Non-Cumulative Patches
Critical Update Patches for the base Oracle E-business Suite Release 11.5.10 are
not cumulative. For more information, refer to Oracle E-Business Suite Critical
Patch Update Note for October 2010, My Oracle Support Note 987438.1.
Oracle Collaboration Suite patches were cumulative up to and including the fixes
provided in the July 2007 Critical Patch Update. From the October 2007 Critical
Patch Update on, Oracle Collaboration Suite security fixes are delivered using
the one-off patch infrastructure normally used by Oracle to deliver single bug
fixes to customers.
For each administered Oracle product, consult the documentation for patch
availability information and installation instructions referenced from the
following table. For an overview of the Oracle product documentation related to
this Critical Patch Update, please refer to the Oracle Critical Patch Update
October 2010 Documentation Map, My Oracle Support Note 1210564.1.
Patch Availability Table
Product Group | Risk Matrix | Patch Availability and Installation Information
Oracle Database | Oracle Database Risk Matrix | Patch Set Update and Critical Patch Update October 2010 Availability Document, My Oracle Support Note 1159443.1
Oracle Fusion Middleware | Oracle Fusion Middleware Risk Matrix | Patch Set Update and Critical Patch Update October 2010 Availability Document, My Oracle Support Note 1159443.1
Oracle Enterprise Manager | Oracle Enterprise Manager Risk Matrix | Patch Set Update and Critical Patch Update October 2010 Availability Document, My Oracle Support Note 1159443.1
Oracle Applications – E-Business Suite | Oracle Applications, E-Business Risk Matrix | Oracle E-Business Suite Critical Patch Update Note for October 2010, My Oracle Support Note 987438.1
Oracle Applications – Oracle PeopleSoft Enterprise, Oracle Supply Chain and Siebel Product Suite | Oracle Applications, PeopleSoft, Oracle Supply Chain and Siebel Products Risk Matrix | Critical Patch Update Knowledge Document for PeopleSoft Enterprise, JD Edwards EnterpriseOne, Siebel and Oracle Supply Chain Suite Products, My Oracle Support Note 1210593.1
Oracle Primavera Suite | Oracle Primavera Product Suite Risk Matrix | Critical Patch Update October 2010 Patch Delivery Document for Oracle Primavera Product Suite, My Oracle Support Note 1212734.1
Oracle Sun Products Suite | Oracle Sun Products Suite Risk Matrix | Critical Patch Update October 2010 Patch Delivery Document for Oracle Sun Product Suite
Oracle VM | Oracle VM Risk Matrix | Patch Delivery Document for Oracle VM
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the
patches associated with this advisory. Risk matrices for previous security fixes
can be found in previous Critical Patch Update advisories.
Several vulnerabilities addressed in this Critical Patch Update affect multiple
products. A vulnerability that affects multiple products will appear with the
same CVE# in all risk matrices. Italics indicate vulnerabilities in code
included from other product areas.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS
Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an
analysis of each security vulnerability addressed by a Critical Patch Update
(CPU). Oracle does not disclose information about the security analysis, but the
resulting Risk Matrix and associated documentation provide information about the
type of vulnerability, the conditions required to exploit it, and the potential
result of a successful exploit. Oracle provides this information, in part, so
that customers may conduct their own risk analysis based on the particulars of
their product usage. As a matter of policy, Oracle does not disclose detailed
information about an exploit condition or results that can be used to conduct a
successful exploit. Oracle will not provide additional information about the
specifics of vulnerabilities beyond what is provided in the CPU or Security
Alert notification, the Patch Availability Matrix, the readme files, and FAQs.
Oracle does not provide advance notification on CPUs or Security Alerts to
individual customers. Finally, Oracle does not distribute exploit code or
"proof-of-concept" code for product vulnerabilities. For more information, see
Oracle vulnerability disclosure policies.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that
customers apply CPU fixes as soon as possible. Until you apply the CPU fixes, it
may be possible to reduce the risk of successful attack by blocking network
protocols required by an attack. For attacks that require certain privileges or
access to certain packages, removing the privileges or the ability to access the
packages from users that do not need the privileges may help reduce the risk of
successful attack. Both approaches may break application functionality, so
Oracle strongly recommends that customers test changes on non-production
systems. Neither approach should be considered a long-term solution as neither
corrects the underlying problem.
Skipped Critical Patch Updates
Oracle strongly recommends that customers apply security fixes as soon as
possible. For customers that have skipped one or more Critical Patch Updates and
are concerned about products that do not have security fixes announced in this
CPU, please review previous Critical Patch Update advisories to determine
appropriate actions.
Product Dependencies
Oracle products may have dependencies on other Oracle products. Hence security
vulnerability fixes announced in this Critical Patch Update may affect one or
more dependent Oracle products. For details regarding these dependencies and to
apply patches to dependent products, please refer to Patch Set Update and
Critical Patch Update October 2010 Availability Document, My Oracle Support Note
1159443.1.
Unsupported Products and Versions
Critical Patch Update patches are not provided for product versions that are no
longer covered under the Premier Support or Extended Support phases of the
Lifetime Support Policy.
We recommend that customers upgrade to a supported version of Oracle products in
order to obtain patches. Unsupported products, releases and versions are not
tested for the presence of vulnerabilities addressed by this Critical Patch
Update. However, it is likely that earlier versions of affected releases are
also affected by these vulnerabilities.
Products in Extended Support
Critical Patch Update patches are available to customers who have purchased
Extended Support under the Lifetime Support Policy. Customers must have a valid
Extended Support service contract to download Critical Patch Update patches for
products in the Extended Support Phase.
Supported Database, Fusion Middleware, EM Grid Control and Collaboration Suite
products are patched in accordance with the Software Error Correction Support
Policy explained in My Oracle Support Note 209768.1. Please review the Technical
Support Policies for further guidelines regarding support policies and phases of
support.
On Request Model
Oracle proactively creates patches only for platform/version combinations that,
based on historical data, customers are likely to download for the next Critical
Patch Update. Patches for historically inactive platform/version combinations of
the Oracle Database, Oracle Application Server and Enterprise Manager will be
created only if requested by customers.
Refer to Patch Set Update and Critical Patch Update October 2010 Availability
Document, My Oracle Support Note 1159443.1 for further details regarding the On
Request patches.
Credit Statement
The following people or organizations reported security vulnerabilities
addressed by this Critical Patch Update to Oracle: Aditya K Sood of SecNiche
Security; Adrian Pastor of ProCheckUp; Alexander Kornbrust of Red Database
Security; Alexandr Polyakov of Digital Security; CERT/CC; David Litchfield
formerly of NGS Software; Esteban Martinez Fayo of Application Security, Inc.;
Frank Reißner of Siberas; Frank Stuart; John S.; JPCERT/CC Vulnerability
Handling Team; Juan Pablo Perez Etchegoyen of Onapsis; Karan Saberwal; Marc
Schoenefeld of Red Hat; NCC Group; Nahuel Grisolia of Bonsai Information
Security; Nicolas Joly of VUPEN Security; Ofer Maor of Hacktics; Okan Basegmez
of DORASEC Consulting; Rich Lowe; River Tarnell of Wikimedia Deutschland;
Roberto Suggi Liverani of Security-Assessment.com; Sami Koivu of TippingPoint’s
Zero Day Initiative; Sebastian Apelt of Siberas; Tony Fogarty of DNV;
Vulnerability Research Team, Digital Defense, Inc.; Will Dormann of CERT/CC;
Yaniv Azaria of Imperva, Inc.; Yaniv Miron of ilhack.org; and Zack Ma.
Security-In-Depth Contributors
Oracle provides recognition to people that have contributed to our
Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth
contributions if they provide information, observations or suggestions
pertaining to security vulnerability issues that result in significant
modification of Oracle code or documentation in future releases, but are not of
such a critical nature that they are distributed in Critical Patch Updates.
For this Critical Patch Update, Oracle recognizes Alexander Kornbrust of Red
Database Security; Amichai Shulman of Imperva, Inc.; CERT/CC; David Litchfield
formerly of NGS Software; Hugo Contreras of Resource IT; iDefense; Jack Kanter
of Integrigy; Jeremy Brown through iSIGHT Partners GVP; John S.; Okan Basegmez
of DORASEC Consulting; and Stephen Kost of Integrigy for contributions to
Oracle’s Security-In-Depth program.
Critical Patch Update Schedule
Critical Patch Updates are historically released on the Tuesday closest to the
15th day of January, April, July and October. The scheduled dates for the
release of the next Critical Patch Updates will be on the Tuesday closest to the
17th day of January, April, July and October. The next four dates are:
* 18 January 2011
* 19 April 2011
* 19 July 2011
* 18 October 2011
References
* Oracle Critical Patch Updates and Security Alerts main page [ Oracle
Technology Network ]
* Critical Patch Update – October 2010 Documentation Map [ My Oracle
Support Note 1210564.1 ]
* Oracle Critical Patch Updates and Security Alerts – Frequently Asked
Questions [ CPU FAQ ]
* Risk Matrix definitions [ Risk Matrix Definitions ]
* Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle
CVSS Scoring ]
* List of public vulnerabilities fixed in Critical Patch Updates and
Security Alerts [ Oracle Technology Network ]
* Software Error Correction Support Policy [ My Oracle Support Note
209768.1 ]
Modification History
Date | Comments
2010-October-12 | Rev 1. Initial Release
Appendix – Oracle Database Server
Oracle Database Server Executive Summary
This Critical Patch Update contains 7 new security fixes for the Oracle Database
Server. 1 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. None of these fixes are applicable to client-only
installations, i.e., installations that do not have the Oracle Database Server
installed.
Oracle Database Server Risk Matrix
(Base Score through Availability are the CVSS Version 2.0 Risk columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-2390 (Oracle Enterprise Manager Grid Control) | EM Console | HTTP | None | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 10.1.0.5, 10.2.0.3 | See Note 1
CVE-2010-2419 | Java Virtual Machine | Oracle Net | Create Session | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 |
CVE-2010-1321 | Change Data Capture | Oracle Net | Execute on DBMS_CDC_PUBLISH | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | – | See Note 2
CVE-2010-2412 | OLAP | Oracle Net | Create Session | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.0.7 |
CVE-2010-2415 | Change Data Capture | Oracle Net | Execute on DBMS_CDC_PUBLISH | No | 4.9 | Network | Medium | Single | Partial+ | Partial+ | None | 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 |
CVE-2010-2411 | Job Queue | Oracle Net | Execute on SYS.DBMS_IJOB | No | 4.6 | Network | High | Single | Partial+ | Partial+ | Partial+ | – | See Note 2
CVE-2010-2407 | XDK | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.0.5, 10.2.0.4, 11.1.0.7 |
CVE-2010-2391 | Core RDBMS | Oracle Net | Create Session | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.1.0.5, 10.2.0.3 |
CVE-2010-2389 (Oracle Fusion Middleware) | Perl | Oracle Net | Local Logon | No | 1.0 | Local | High | Single | None | Partial+ | None | – | See Note 2
Notes:
1. Vulnerability is in Database Control component.
2. Fixed in all supported releases. Need to upgrade to any supported release
patchset.
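The base scores in the matrix above, and in the other matrices in this advisory, follow the CVSS 2.0 base equation referred to under Risk Matrix Content. The following added example (not part of the Oracle advisory or the DFN-CERT mail) recomputes each listed score from its sub-metrics, flags any row that does not reproduce, and orders the CVEs for patch triage; the rows are transcribed from this page, and Oracle's "Partial+" marker is scored as CVSS "Partial".

```python
"""Recompute and sanity-check CVSS 2.0 base scores from the Oracle CPU October 2010 risk matrices.

Added example, not part of the Oracle advisory or the DFN-CERT mail.  The weights
are the published CVSS v2.0 base equation.  The rows are transcribed from the
risk matrices on this page; Oracle's "Partial+" (a Partial impact that may in
practice be wider) carries the same CVSS weight as "Partial".
"""
from decimal import Decimal, ROUND_HALF_UP

ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}

# (CVE, component, protocol, remote exploit without auth?, listed base score,
#  access vector, access complexity, authentication, confidentiality, integrity, availability)
RISK_MATRIX_ROWS = [
    # Oracle Database Server matrix
    ("CVE-2010-2390", "EM Console", "HTTP", True, 7.5,
     "Network", "Low", "None", "Partial+", "Partial+", "Partial+"),
    ("CVE-2010-2419", "Java Virtual Machine", "Oracle Net", False, 6.5,
     "Network", "Low", "Single", "Partial+", "Partial+", "Partial+"),
    ("CVE-2010-1321", "Change Data Capture", "Oracle Net", False, 5.5,
     "Network", "Low", "Single", "Partial+", "Partial+", "None"),
    ("CVE-2010-2415", "Change Data Capture", "Oracle Net", False, 4.9,
     "Network", "Medium", "Single", "Partial+", "Partial+", "None"),
    ("CVE-2010-2411", "Job Queue", "Oracle Net", False, 4.6,
     "Network", "High", "Single", "Partial+", "Partial+", "Partial+"),
    ("CVE-2010-2407", "XDK", "HTTP", True, 4.3,
     "Network", "Medium", "None", "None", "Partial", "None"),
    ("CVE-2010-2391", "Core RDBMS", "Oracle Net", False, 3.6,
     "Network", "High", "Single", "Partial", "Partial", "None"),
    ("CVE-2010-2389", "Perl", "Oracle Net", False, 1.0,
     "Local", "High", "Single", "None", "Partial+", "None"),
    # Fusion Middleware, E-Business Suite, Siebel and Primavera matrices
    ("CVE-2010-3501", "OID", "LDAP", True, 5.0,
     "Network", "Low", "None", "None", "None", "Partial+"),
    ("CVE-2010-3581", "BPEL Console", "HTTP", False, 3.5,
     "Network", "Medium", "Single", "None", "Partial", "None"),
    ("CVE-2010-2388", "Oracle Applications Manager", "HTTP", True, 5.8,
     "Network", "Medium", "None", "Partial", "Partial", "None"),
    ("CVE-2010-2405", "Siebel Core - Highly Interactive Client", "HTTP", False, 6.0,
     "Network", "Medium", "Single", "Partial", "Partial", "Partial"),
    ("CVE-2010-3534", "Primavera P6 EPPM", "ODBC", False, 4.6,
     "Local", "Low", "None", "Partial+", "Partial+", "Partial+"),
]


def _round_half_up(value: float) -> float:
    """CVSS v2 rounds to one decimal, half up; Python's round() is banker's rounding."""
    return float(Decimal(repr(value)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def _impact_weight(cell: str) -> float:
    # Strip Oracle's "+" annotation; the CVSS weight of Partial+ is that of Partial.
    return IMPACT[cell.rstrip("+")]


def cvss2_base_score(av, ac, au, conf, integ, avail) -> float:
    """CVSS v2.0: BaseScore = round((0.6*Impact + 0.4*Exploitability - 1.5) * f(Impact))."""
    impact = 10.41 * (1 - (1 - _impact_weight(conf))
                        * (1 - _impact_weight(integ))
                        * (1 - _impact_weight(avail)))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176  # a vulnerability with no impact scores 0
    return _round_half_up((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def check_listed_scores(rows=RISK_MATRIX_ROWS):
    """Return (cve, listed, recomputed) for every row whose listed score does not reproduce."""
    mismatches = []
    for cve, _comp, _proto, _remote, listed, av, ac, au, c, i, a in rows:
        computed = cvss2_base_score(av, ac, au, c, i, a)
        if computed != listed:
            mismatches.append((cve, listed, computed))
    return mismatches


def patch_priority(rows=RISK_MATRIX_ROWS):
    """Triage order: remotely exploitable without authentication first, then by
    base score descending, then by CVE id so the order is stable."""
    ordered = sorted(rows, key=lambda r: (not r[3], -r[4], r[0]))
    return [r[0] for r in ordered]


if __name__ == "__main__":
    bad = check_listed_scores()
    print("all listed scores reproduce" if not bad else f"mismatches: {bad}")
    for cve in patch_priority():
        print(cve)
```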
Appendix – Oracle Fusion Middleware
Oracle Fusion Middleware Executive Summary
This Critical Patch Update contains 8 new security fixes for Oracle Fusion
Middleware. 6 of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password.
Oracle Fusion Middleware products include Oracle Database components that are
affected by the vulnerabilities listed in the Oracle Database section. The
exposure of Oracle Fusion Middleware products is dependent on the Oracle
Database version being used. Oracle Database security fixes are not listed in
the Oracle Fusion Middleware risk matrix. However, since vulnerabilities
affecting Oracle Database versions may affect Oracle Fusion Middleware products,
Oracle recommends that customers apply the October 2010 Critical Patch Update to
the Oracle Database components of Oracle Fusion Middleware products. For
information on what patches need to be applied to your environments, refer to
Critical Patch Update October 2010 Patch Availability Document for Oracle
Products, My Oracle Support Note 1159443.1.
Oracle Fusion Middleware Risk Matrix
(Base Score through Availability are the CVSS Version 2.0 Risk columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-2390 (Oracle Enterprise Manager Grid Control) | EM Console | HTTP | None | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | 10.1.2.3, 10.1.4.3 | See Note 1
CVE-2010-3501 | OID | LDAP | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.2.3, 10.1.4.3, 11.1.1.2.0 |
CVE-2010-2413 | BI Publisher | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.3.3.2, 10.1.3.4.1 |
CVE-2010-2395 | Cabo/UIX | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.2.3, 10.1.3.5 |
CVE-2010-2409 | Cabo/UIX | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.2.3, 10.1.3.5 |
CVE-2010-2410 | Cabo/UIX | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.2.3, 10.1.3.5 |
CVE-2010-2396 | Forms | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.2.3 |
CVE-2010-3581 | BPEL Console | HTTP | Valid Session | No | 3.5 | Network | Medium | Single | None | Partial | None | – | See Note 2
CVE-2010-2389 | Perl | Oracle Net | Local Logon | No | 1.0 | Local | High | Single | None | Partial+ | None | – | See Note 2
Notes:
1. Vulnerability is in Application Server Control component.
2. Fixed in all supported releases. Need to upgrade to any supported release
patchset.
Appendix – Oracle Enterprise Manager Grid Control
Oracle Enterprise Manager Grid Control Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Enterprise
Manager Grid Control. This vulnerability is remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password. This fix is not applicable to client-only installations,
i.e., installations that do not have Oracle Enterprise Manager Grid Control
installed.
Oracle Enterprise Manager products include Oracle Database and Oracle Fusion
Middleware components that are affected by the vulnerabilities listed in the
Oracle Database and Fusion Middleware sections. The exposure of Oracle
Enterprise Manager products is dependent on the Oracle Database and Fusion
Middleware versions being used. Oracle Database and Fusion Middleware security
fixes are not listed in the Oracle Enterprise Manager risk matrix. However,
since vulnerabilities affecting Oracle Database and Fusion Middleware versions
may affect Oracle Enterprise Manager products, Oracle recommends that customers
apply the October 2010 Critical Patch Update to the Oracle Database and Fusion
Middleware components of Oracle Enterprise Manager. For information on what
patches need to be applied to your environments, refer to Critical Patch Update
October 2010 Patch Availability Document for Oracle Products, My Oracle Support
Note 1159443.1.
Oracle Enterprise Manager Grid Control Risk Matrix
(Base Score through Availability are the CVSS Version 2.0 Risk columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-2390 | EM Console | HTTP | None | Yes | 7.5 | Network | Low | None | Partial+ | Partial+ | Partial+ | See note | See Note 1
Notes:
1. Patch is only applicable to AS Control (Application Server patch) and DB
Control (Database patch)
Appendix – Oracle Applications
Oracle Applications Executive Summary
This Critical Patch Update contains 33 new Security fixes for the Oracle
Applications divided as follows:
* 6 new security fixes for the Oracle E-Business Suite. 5 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without the need for a username and password.
* 2 new security fixes for the Oracle Supply Chain Products Suite. 1 of
these vulnerabilities may be remotely exploitable without authentication, i.e.,
may be exploited over a network without the need for a username and password.
* 21 new security fixes for the Oracle PeopleSoft and JDEdwards Suite. 1 of
these vulnerabilities may be remotely exploitable without authentication, i.e.,
may be exploited over a network without the need for a username and password.
* 4 new security fixes for the Oracle Siebel Suite. None of these
vulnerabilities may be remotely exploitable without authentication, i.e., none
may be exploited over a network without the need for a username and password.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion
Middleware components that are affected by the vulnerabilities listed in the
Oracle Database and Fusion Middleware sections. The exposure of Oracle
E-Business Suite products is dependent on the Oracle Database and Fusion
Middleware versions being used. Oracle Database and Fusion Middleware security
fixes are not listed in the Oracle E-Business Suite risk matrix. However, since
vulnerabilities affecting Oracle Database and Fusion Middleware versions may
affect Oracle E-Business Suite products, Oracle recommends that customers apply
the October 2010 Critical Patch Update to the Oracle Database and Fusion
Middleware components of Oracle E-Business Suite. For information on what
patches need to be applied to your environments, refer to Oracle E-Business
Suite Critical Patch Update for October 2010, My Oracle Support Note 987438.1.
Oracle E-Business Suite Risk Matrix
(Base Score through Availability are the CVSS Version 2.0 Risk columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-2388 | Oracle Applications Manager | HTTP | None | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 11.5.10.2 |
CVE-2010-3504 | Oracle Applications Technology Stack | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.2 |
CVE-2010-2416 | Oracle E-Business Intelligence | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.3 |
CVE-2010-2418 | Oracle Territory Management | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.3 |
CVE-2010-2408 | Oracle iRecruitment | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.3 |
CVE-2010-2404 | Oracle iRecruitment | HTTP | Account | No | 3.5 | Network | Medium | Single | None | Partial | None | 11.5.10.2, 12.0.6, 12.1.2 |
Oracle Supply Chain Products Suite Executive Summary
This Critical Patch Update contains 2 new security fixes for the Oracle Supply
Chain Products Suite. 1 of these vulnerabilities may be remotely exploitable
without authentication, i.e., may be exploited over a network without the need
for a username and password.
Oracle Supply Chain Products Suite Risk Matrix
(Base Score through Availability are the CVSS Version 2.0 Risk columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2009-3555 | Oracle Transportation Management | HTTP | None | Yes | 5.0 | Network | Low | None | Partial | None | None | 5.5.06.03, 6.0.6, 6.1.2 |
CVE-2010-2417 | Agile PLM | HTTP | None | No | 4.0 | Network | Low | Single | None | Partial | None | 9.3.0.0 |
Oracle PeopleSoft and JDEdwards Suite Executive Summary
This Critical Patch Update contains 21 new security fixes for the Oracle
PeopleSoft and JDEdwards Suite. 1 of these vulnerabilities may be remotely
exploitable without authentication, i.e., may be exploited over a network
without the need for a username and password.
Oracle PeopleSoft and JDEdwards Suite Risk Matrix
(Base Score through Availability are the CVSS Version 2.0 Risk columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-3532 | PeopleSoft Enterprise CRM – Order Capture | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.0 Bundle #28, 9.1 Bundle #4 |
CVE-2010-3527 | PeopleSoft Enterprise FMS – AM | HTTP | None | No | 5.5 | Network | Low | Single | None | Partial | Partial | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3537 | PeopleSoft Enterprise FMS – AM | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3529 | PeopleSoft Enterprise FMS – Cash Management | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3538 | PeopleSoft Enterprise FMS – GL | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3539 | PeopleSoft Enterprise FMS – GL | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3531 | PeopleSoft Enterprise FMS ESA – RM | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3525 | PeopleSoft Enterprise FMS, SCM, EPM, CRM, Campus Solutions | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9, 9.0, 9.1 | See Note 1
CVE-2010-3520 | PeopleSoft Enterprise HCM – GP France | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.81 SP1 Bundle #12, 8.9 GP Update 2010-E, 9.0 GP Update 2010-E, 9.1 GP Update 2010-E |
CVE-2010-3530 | PeopleSoft Enterprise HCM – HR | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.0 Bundle #13, 9.1 Bundle #3 |
CVE-2010-3518 | PeopleSoft Enterprise HCM GP – Japan | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.81 SP1 Bundle #13, 8.9 GP Update 2010-E, 9.0 GP Update 2010-E, 9.1 GP Update 2010-E |
CVE-2010-3521 | PeopleSoft Enterprise HCM ePay | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 9.0 thru Payroll Update 10-C, 9.1 thru Payroll Update 10-C |
CVE-2010-3536 | PeopleSoft Enterprise SCM | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3526 | PeopleSoft Enterprise SCM – PO | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3524 | PeopleSoft Enterprise SCM – Strategic Sourcing | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3533 | PeopleSoft Enterprise SCM OM and CRM Order Capture | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9, 9.0, 9.1 | See Note 1
CVE-2010-3547 | PeopleSoft FMS ESA – EX | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 8.9 Bundle #38, 9.0 Bundle #31, 9.1 Bundle #6 |
CVE-2010-3523 | PeopleSoft Enterprise PeopleTools | HTTP | None | Yes | 5.0 | Network | Low | None | None | Partial | None | 8.49.28, 8.50.12 |
CVE-2010-3528 | PeopleSoft Enterprise CRM – Common Components | HTTP | None | No | 4.0 | Network | Low | Single | Partial | None | None | 8.9 Bundle #41, 9.0 Bundle #28, 9.1 Bundle #4 |
CVE-2010-3519 | PeopleSoft Enterprise PeopleTools | HTTP | None | No | 4.0 | Network | Low | Single | None | Partial | None | 8.49.28, 8.50.12 |
CVE-2010-3522 | PeopleSoft Enterprise PeopleTools | HTTP | None | No | 4.0 | Network | Low | Single | Partial | None | None | 8.49.28, 8.50.12 |
Notes:
1. Please refer to Product Pre-Installation documentation for patchset
information.
Oracle Siebel Suite Executive Summary
This Critical Patch Update contains 4 new security fixes for the Oracle Siebel
Suite. None of these vulnerabilities may be remotely exploitable without
authentication, i.e., none may be exploited over a network without the need for
a username and password.
Oracle Siebel Suite Risk Matrix
(Base Score through Availability are the CVSS VERSION 2.0 RISK columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-2405 | Siebel Core – Highly Interactive Client | HTTP | None | No | 6.0 | Network | Medium | Single | Partial | Partial | Partial | 7.7.2.12, 7.8.2.14, 8.0.0.10, 8.1.1.3 |
CVE-2010-3500 | Siebel Core – Highly Interactive Client | HTTP | None | No | 6.0 | Network | Medium | Single | Partial | Partial | Partial | 7.7.2.12, 7.8.2.14, 8.0.0.10, 8.1.1.3 |
CVE-2010-3502 | Siebel Core | HTTP | None | No | 4.0 | Network | Low | Single | Partial | None | None | 7.7.2.12, 7.8.2.14, 8.0.0.10, 8.1.1.3 |
CVE-2010-2406 | Siebel Core – Highly Interactive Client | HTTP | None | No | 4.0 | Network | Low | Single | Partial | None | None | 7.7.2.12, 7.8.2.14, 8.0.0.10, 8.1.1.3 |
Appendix – Oracle Primavera Products Suite
Oracle Primavera Products Suite Executive Summary
This Critical Patch Update contains 1 new security fix for the Oracle Primavera
Products Suite. This vulnerability is not remotely exploitable without
authentication, i.e., may not be exploited over a network without the need for a
username and password.
Oracle Primavera Products Suite Risk Matrix
(Base Score through Availability are the CVSS VERSION 2.0 RISK columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-3534 | Primavera P6 Enterprise Project Portfolio Management | ODBC | Project Management Module | No | 4.6 | Local | Low | None | Partial+ | Partial+ | Partial+ | 6.21.3.0, 7.0.1.0 |
Appendix – Oracle Sun Products Suite
Oracle Sun Products Suite Executive Summary
This Critical Patch Update contains 31 new security fixes for the Oracle Sun
Products Suite, divided as follows:
* 26 new security fixes for the Oracle Sun Products Suite. 11 of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without the need for a username and password.
* 5 new security fixes for the Oracle Open Office Suite. All of these
vulnerabilities may be remotely exploitable without authentication, i.e., may be
exploited over a network without the need for a username and password.
Oracle is in the process of aligning the Sun Microsystems policies with Oracle
Software Security Assurance policies and procedures. For details, please refer
to Changes in security policies for the Sun product lines.
Oracle Sun Products Suite Risk Matrix
(Base Score through Availability are the CVSS VERSION 2.0 RISK columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-3509 | Solaris | RPC | Scheduler | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 8, 9, 10 |
CVE-2010-3578 | OpenSolaris | HTTP | Depot Server | Yes | 9.0 | Network | Low | None | Partial+ | Partial+ | Complete | OpenSolaris |
CVE-2010-3507 | Solaris | None | Live Upgrade | No | 6.6 | Local | Medium | None | Partial | Complete | Complete | 8, 9, 10 |
CVE-2010-3577 | OpenSolaris | SMB | Kernel/CIFS | Yes | 6.4 | Network | Low | None | Partial+ | Partial+ | None | OpenSolaris |
CVE-2010-3575 | Oracle Communications Messaging Server (Sun Java System Messaging Server) | HTTP | Web Mail | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 6.0, 6.2, 6.3, 7.0 |
CVE-2010-3564 | Oracle Communications Messaging Server (Sun Java System Messaging Server) | HTTP | Webmail | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 7.0 |
CVE-2010-3579 | Sun Convergence 1, Sun Java Communications Suite 7 | HTTP | Webmail | Yes | 6.4 | Network | Low | None | Partial | Partial | None | 1.0, 7.0 |
CVE-2010-3503 | Solaris | None | su | No | 6.3 | Local | Medium | None | Complete | Complete | None | 10, OpenSolaris |
CVE-2010-3544 | Oracle iPlanet Web Server (Sun Java System Web Server) | HTTP | Administration | Yes | 5.8 | Network | Medium | None | None | Partial+ | Partial+ | 7.0 |
CVE-2010-3545 | Oracle iPlanet Web Server (Sun Java System Web Server) | HTTP | Administration | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 7.0 |
CVE-2010-3546 | Sun Java System Identity Manager | None | None | Yes | 5.8 | Network | Medium | None | Partial | Partial | None | 8.1 |
CVE-2010-3517 | Solaris | None | Kernel/X86 | No | 4.9 | Local | Low | None | None | None | Complete | 10, OpenSolaris |
CVE-2010-3580 | Solaris | None | Kernel/File System | No | 4.6 | Local | Low | Single | None | None | Complete | OpenSolaris |
CVE-2010-3535 | Directory Server Enterprise Edition | None | Identity Synchronization for Windows | No | 4.4 | Local | Medium | None | Partial+ | Partial+ | Partial+ | 6.0, 6.1, 6.2, 6.3 |
CVE-2010-3514 | Oracle iPlanet Web Server (Sun Java System Web Server) | HTTP | Web Container | Yes | 4.3 | Network | Medium | None | None | Partial | None | 6.1, 7.0 |
CVE-2010-3515 | Solaris | None | Kernel/Disk Driver | No | 4.0 | Local | High | None | None | None | Complete | 9, 10, OpenSolaris |
CVE-2010-3516 | Solaris | uDAPL | InfiniBand | No | 4.0 | Local | High | None | None | None | Complete | 10, OpenSolaris |
CVE-2010-3540 | Solaris | None | ZFS | No | 4.0 | Local | High | None | None | None | Complete | 10, OpenSolaris |
CVE-2010-3576 | Solaris | None | SCSI enclosure services device driver | No | 3.6 | Local | Low | None | None | Partial+ | Partial+ | 8, 9, 10, OpenSolaris |
CVE-2010-3512 | Oracle iPlanet Web Server (Sun Java System Web Server) | HTTP | WebDAV | No | 3.5 | Network | Medium | Single | Partial+ | None | None | 7.0u8 |
CVE-2010-3508 | Solaris | None | Solaris Zones | No | 3.2 | Local | Low | Single | Partial | Partial | None | 10 |
CVE-2010-3506 | Oracle Explorer (Sun Explorer) | None | None | No | 3.0 | Local | Medium | Single | Partial | Partial | None | 6.4 |
CVE-2010-3511 | Solaris | None | Tooltalk | No | 2.6 | Local | High | None | None | Partial | Partial | OpenSolaris |
CVE-2010-2414 | Sun Convergence 1, Sun Java Communications Suite 7 | HTTP | Authentication mechanism | Yes | 2.6 | Network | High | None | Partial+ | None | None | 1.0, 7.0 |
CVE-2010-3513 | Solaris | None | Device Drivers | No | 2.4 | Local | High | Single | None | Partial | Partial | 9, 10, OpenSolaris |
CVE-2010-3542 | Solaris | None | USB | No | 1.9 | Local | Medium | None | Partial | None | None | 8, 9, 10, OpenSolaris |
Oracle Open Office Suite Executive Summary
This Critical Patch Update contains 5 new security fixes for the Oracle Open
Office Suite. All of these vulnerabilities may be remotely exploitable without
authentication, i.e., may be exploited over a network without the need for a
username and password.
Oracle Open Office Suite Risk Matrix
(Base Score through Availability are the CVSS VERSION 2.0 RISK columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2009-3301 | StarOffice, StarSuite | TCP/IP | Microsoft Word Attachments | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 7, 8, 9 | See Note 1
CVE-2009-3302 | StarOffice, StarSuite | TCP/IP | Microsoft Word Attachments | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 7, 8, 9 | See Note 1
CVE-2009-2949 | StarOffice, StarSuite | TCP/IP | XPM Attachments | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 7, 8, 9 | See Note 1
CVE-2009-2950 | StarOffice, StarSuite | TCP/IP | GIF Attachments | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 7, 8, 9 | See Note 1
CVE-2010-0395 | StarOffice, StarSuite | TCP/IP | python in .odt Attachments | Yes | 9.3 | Network | Medium | None | Complete | Complete | Complete | 9 | See Note 1
Notes:
1. The CVSS Base Score is 9.3 when opening malicious attachments as
root/administrator. The impacts for Confidentiality, Integrity and Availability
are Complete. The CVSS Base Score is 6.8 when opening with limited privileges.
The impacts for Confidentiality, Integrity and Availability are Partial+.
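Note 1 gives two scores for the same attachment-handling bugs, 9.3 and 6.8, depending only on the privileges of the user who opens the file. The CVSS v2.0 base-score calculator below is an added example, not part of the advisory: it reproduces both figures from the listed metrics and also re-derives a few other rows from the matrices above. The weights and formula are those of the CVSS v2 specification; the row labels and the treatment of Oracle's "Partial+" as a Partial impact are assumptions made here.

```python
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 base equation (FIRST CVSS v2 guide).
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
# Assumption: Oracle's "Partial+" flags a wider-than-usual partial impact; numerically it is Partial.
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def cvss2_base_score(av, ac, au, conf, integ, avail):
    """CVSS v2.0 base score for the six base metrics, rounded to one decimal."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    raw = (0.6 * impact + 0.4 * exploitability - 1.5) * f_impact
    # The spec rounds to one decimal; round half up rather than with Python's banker's rounding.
    return float(Decimal(repr(raw)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


# Constructed sample: metric columns copied from rows of the advisory's matrices,
# in the order Access Vector, Access Complexity, Authentication, C, I, A.
ROWS = {
    # Note 1: the StarOffice attachment bugs when opened as root/administrator ...
    "CVE-2009-3301 (opened as root)": ("Network", "Medium", "None", "Complete", "Complete", "Complete"),
    # ... and the same bugs when opened with limited privileges (Partial+ impacts).
    "CVE-2009-3301 (limited privileges)": ("Network", "Medium", "None", "Partial+", "Partial+", "Partial+"),
    "CVE-2010-3509 Solaris RPC Scheduler": ("Network", "Low", "None", "Complete", "Complete", "Complete"),
    "CVE-2010-3534 Primavera P6 (ODBC, local)": ("Local", "Low", "None", "Partial+", "Partial+", "Partial+"),
    "CVE-2010-3584 Oracle VM ovs-agent (local)": ("Local", "Low", "Single", "Partial+", "Partial+", "Partial+"),
}


def score_rows(rows=ROWS):
    """Recompute the base score for every sample row; keys are the row labels."""
    return {label: cvss2_base_score(*metrics) for label, metrics in rows.items()}


if __name__ == "__main__":
    # Expected: 9.3, 6.8, 10.0, 4.6, 4.3, matching the matrices above.
    for label, score in score_rows().items():
        print(f"{score:4.1f}  {label}")
```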
Appendix – Oracle VM
Oracle VM Executive Summary
This Critical Patch Update contains 4 new security fixes for Oracle VM. None of
these vulnerabilities may be remotely exploitable without authentication, i.e.,
none may be exploited over a network without the need for a username and
password.
Oracle VM Risk Matrix
(Base Score through Availability are the CVSS VERSION 2.0 RISK columns; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Last Affected Patch set (per Supported Release) | Notes
CVE-2010-3582 | Oracle VM | xmlrpc, tcp/ip | ovs-agent | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 2.2.1 |
CVE-2010-3583 | Oracle VM | xmlrpc, tcp/ip | ovs-agent | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 2.2.1 |
CVE-2010-3585 | Oracle VM | xmlrpc, tcp/ip | ovs-agent | No | 9.0 | Network | Low | Single | Complete | Complete | Complete | 2.2.1 |
CVE-2010-3584 | Oracle VM | None | ovs-agent | No | 4.3 | Local | Low | Single | Partial+ | Partial+ | Partial+ | 2.2.1 |
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.9 (GNU/Linux)
iEYEARECAAYFAky4FZAACgkQWmhIvjFb90V3JgCePM+WMF002DxFeIhlqFno0K48
XZIAn2kHQvndIxmKjUGZQ08uspRhL7Np
=Jow9
-----END PGP SIGNATURE-----