SANS ISC: Oracle (and BEA, Hyperion and TimesTen) critical patch update July 15th, 2008

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

Today, July 15th, Oracle will release its quarterly critical patch update. They have now published the pre-release announcement. The highest CVSS score of all vulnerabilities patched is 6.8 (6.5 is the maximum for the Oracle Database itself).

Below is the list of software planned to be affected, quoted from their announcement:

• Oracle Database 11g, version 11.1.0.6
• Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
• Oracle Database 10g, version 10.1.0.5
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
• Oracle Database 9i, version 9.0.1.5 FIPS+
• Oracle TimesTen In-Memory Database version 7.0.3.0.0
• Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
• Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
• Oracle Application Server 10g (9.0.4), version 9.0.4.3
• Oracle Application Server 9i Release 1, version 1.0.2.2
• Oracle Hyperion BI Plus versions 9.2.0.3, 9.2.1.0, and 9.3.1.0
• Oracle Hyperion Performance Suite versions 8.3.2.4, and 8.5.0.3
• Oracle E-Business Suite Release 12, version 12.0.4
• Oracle E-Business Suite Release 11i, version 11.5.10.2
• Oracle Enterprise Manager Database Control 11i version 11.1.0.6
• Oracle Enterprise Manager Database Control 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
• Oracle Enterprise Manager Database Control 10g Release 1, version 10.1.0.5
• Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6
• Oracle PeopleSoft Enterprise PeopleTools versions 8.48.18, 8.49.12
• Oracle PeopleSoft Enterprise CRM version 8.9, 9.0
• Oracle WebLogic Server 10.0 released through MP1
• Oracle WebLogic Server 9.0, 9.1, 9.2 released through MP3
• Oracle WebLogic Server 8.1 released through SP6
• Oracle WebLogic Server 7.0 released through SP7
• Oracle WebLogic Server 6.1 released through SP7

Oracle notes that this is the first time patches for BEA, Hyperion and TimesTen technology are included in the release. If you are running software from these recently-acquired vendors, please be aware.

It should be noted that the CVSS for application software vulnerabilities such as a database are generally lower, but not necessarily less critical in specific environments. A bug may not give access to the underlying operating system, but in the case of a database we tend to be more worried about the data housed there than other software running on the same system.

We recommend reviewing the pre-release announcement, and subsequent release, closely, and prioritize patching according to your specific environment's requirements.