__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
__________________________________________________________

                     INFORMATION BULLETIN

      Oracle Database Server Vulnerabilities [Oracle Alert #68]

August 31, 2004 20:00 GMT                                    Number O-209
[REVISED 02 Sep 2004]
[REVISED 29 Dec 2004]
[REVISED 15 Jul 2005]
[REVISED 22 Sep 2005]
______________________________________________________________________________

PROBLEM:       Oracle has released patches for vulnerabilities in the Portal
               and iSQL*Plus components of the Oracle Application Server.
               Patches are also released for vulnerabilities in the Oracle
               Enterprise Manager.

SOFTWARE:      · Oracle Database 10g Release 1, version 10.1.0.2
               · Oracle9i Database Server Release 2, versions 9.2.0.4 and
                 9.2.0.5
               · Oracle9i Database Server Release 1, versions 9.0.1.4,
                 9.0.1.5 and 9.0.1.5 FIPS(1)
               · Oracle8i Database Server Release 3, version 8.1.7.4
               · Oracle8 Database Release 8.0.6, version 8.0.6.3(2)
               · Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
               · Oracle Enterprise Manager Database Control 10g, version
                 10.1.0.2
               · Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and
                 9.0.4.1
               · Oracle9i Application Server Release 2, versions 9.0.2.3 and
                 9.0.3.1
               · Oracle9i Application Server Release 1, version 1.0.2.2

               (1) 9.0.1.5 FIPS was formerly known as Oracle9i Database
                   Server Release 1, version 9.0.4.0
               (2) Only supported for E-Business Suite customers

               SunMC 3.5 update 1 or update 1a (for Solaris 8) without
                 patch 118828-04
               SunMC 3.5 update 1 or update 1a (for Solaris 9) without
                 patch 118829-04
               SunMC 3.5 update 1a (for Solaris 10) without patch 118829-04

DAMAGE:        Oracle does not give descriptions of the vulnerabilities in
               this alert. However, see Additional Links below.

SOLUTION:      Apply the appropriate Oracle patches.
______________________________________________________________________________

VULNERABILITY  Oracle rates this as a HIGH. "Exploiting some of the
ASSESSMENT:    vulnerabilities requires network access, but no valid user
               account."
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-209.shtml
 ORIGINAL BULLETIN:  http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
 ADDITIONAL LINKS:   Application Security, Inc. - Vulnerability Descriptions
                     http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
                     Sun Alert ID: 101782
                     http://sunsolve.sun.com/search/printfriendly.do?assetkey=1-26-101782-1
______________________________________________________________________________

REVISION HISTORY:
 09/02/2004 - added a link to the Application Security, Inc. website, which
              gives details of some 40 vulnerabilities for which Oracle
              released their patches.
 12/29/2004 - added a note that Oracle revised its Alert #68 to include
              information for patches on Oracle8 Database Release 8.0.6,
              version 8.0.6.3, available to E-Business Suite customers.
 07/15/2005 - added a link to Sun Alert ID: 101782, which provides patches for
              Sun Management Center server software.
 09/22/2005 - revised to reflect a change made to Sun Alert 101782. A change
              was made to the Contributing Factors section.

[***** Start Oracle Alert #68 *****]

Revised: December 27, 2004
Severity: 1

Alert #68: Oracle Security Update

Description

This security alert addresses security vulnerabilities in Oracle's server
products.
Supported Products Affected

· Oracle Database 10g Release 1, version 10.1.0.2
· Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
· Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and
  9.0.1.5 FIPS(1)
· Oracle8i Database Server Release 3, version 8.1.7.4
· Oracle8 Database Release 8.0.6, version 8.0.6.3(2)
· Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
· Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
· Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
· Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
· Oracle9i Application Server Release 1, version 1.0.2.2

(1) 9.0.1.5 FIPS was formerly known as Oracle9i Database Server Release 1,
    version 9.0.4.0
(2) Only supported for E-Business Suite customers

The following product releases and versions, and all future releases and
versions, are not affected:

· Oracle Database 10g Release 1, version 10.1.0.3
· Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3
· Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)

Unsupported products, releases and versions have not been tested for the
presence of these vulnerabilities, nor patched, in accordance with section
4.3.3.3 of the Software Error Correction Support Policy (Note 209768.1).
Unsupported Database releases are releases prior to 8.1.7, releases of 8.1.7
on several platforms (for the complete list see Desupport notice 250629.1),
patch levels of 9.0.1 prior to 9.0.1.4, and patch levels of 9.2 prior to
9.2.0.4. If you are running one of these releases, you must upgrade to a
supported release, and install the latest patch set to get to a supported
patch level.

Oracle Database Server Vulnerabilities

The available patches eliminate vulnerabilities in the Database Server and
the Listener. The unpatched exposure risk is high; exploiting some of these
vulnerabilities requires network access, but no valid user account.
Oracle Application Server Vulnerabilities

The available patches eliminate vulnerabilities in the Oracle HTTP Server
components of Oracle Application Server. The unpatched exposure risk is high;
exploiting these vulnerabilities requires network access, but no valid user
account.

Oracle Enterprise Manager Vulnerabilities

The available patches eliminate a vulnerability in Oracle Enterprise Manager.
The unpatched exposure risk is medium; exploiting this vulnerability requires
a valid operating system user account on the Enterprise Manager host.

Oracle Collaboration Suite Impact

All Collaboration Suite customers should apply the Oracle Database patches to
their Information Storage database and the Oracle Application Server-embedded
database. Collaboration Suite customers should also apply the application
server patch to the Oracle Application Server infrastructure installation and
to each Collaboration Suite middle tier installation. Collaboration Suite
customers that have upgraded their Information Storage database to Oracle
Database 10g Release 1, version 10.1.0.2, should also apply the Enterprise
Manager patch.
E-Business Suite 11i Impact

E-Business Suite Release 11i customers should apply the available Oracle
Database patches to their current Oracle Database Servers, which should be
one of the following:

· Oracle8i Database Server Release 3, version 8.1.7.4
· Oracle9i Database Server Release 2, version 9.2.0.4
· Oracle9i Database Server Release 2, version 9.2.0.5

E-Business Suite Release 11i customers should also apply the following
patches to every node:

· Oracle9i Application Server Release 1, version 1.0.2.2
  [Note: Apply this patch to the Oracle HTTP Server Oracle home, called
  "iAS"]
· Oracle8 Database Release 8.0.6, version 8.0.6.3
  [Note: Apply this patch to the Oracle Developer 6i Oracle home, called
  "8.0.6"]

E-Business Suite Release 11i Early Adopter customers implementing MetaLink
note 233436.1, "Installing Oracle Application Server 10g with Oracle
E-Business Suite Release 11i", should apply the Oracle Application Server
patch to their Oracle Application Server release:

· Oracle Application Server 10g (9.0.4.0.0)

Oracle Applications 11.0 Impact

Oracle Applications 11.0 customers should apply the available Oracle Database
patches to their current Oracle Database Servers, which should be the
following:

· Oracle8i Database Server Release 3, version 8.1.7.4

The Oracle Application Server delivered with release 11.0 does not require
patching because the affected components did not exist.

How to Minimize Risk

There are no workarounds that fully address the security vulnerabilities that
are the subject of this alert. Oracle strongly recommends that customers
apply the available patches without delay.

Please see http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf
for a definition of severity ratings.

NOTE: Oracle has received notification that there are published exploits for
some of the issues addressed in this alert.
Patch Availability

Please see MetaLink Document ID 281189.1:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
for the patch download procedures and for the Patch Availability Matrix for
this Oracle Security Alert.

Please review MetaLink, or check with Oracle Support Services periodically
for patch availability if the patch for your platform is unavailable.

Oracle strongly recommends that you comprehensively test the stability of
your system upon application of any patch prior to deleting any original
files that are replaced by the patch.

References

· http://www.securityfocus.com/bid/10871
· http://www.kb.cert.org/vuls/id/316206

General Oracle Security Resources

· Alert 68 FAQ, MetaLink Document ID 282108.1
· Security Alert FAQ, MetaLink Document ID 237007.1
· http://otn.oracle.com/products/ias/pdf/best_practices/security_best_practices.pdf
· http://otn.oracle.com/deploy/security/oracle9ias/
· http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf
· http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf
· http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf

Credits

The following people discovered and brought these security vulnerabilities
to Oracle's attention: Cesar Cerrudo, Esteban Martínez Fayó, Pete Finnigan,
Jonathan Gennick, Alexander Kornbrust of Red Database Security, Stephen Kost
of Integrigy, David Litchfield of NGSS Limited, Matt Moore of PenTest
Limited, Andy Rees of QinetiQ, Christian Schaller of Siemens CERT.

Modification History

31-AUG-04: Initial release, version 1
24-SEP-04: Updated E-Business Suite information.
27-DEC-04: Supported Products Affected and E-Business Suite information
           updated to include information for patches on Oracle8 Database
           Release 8.0.6, version 8.0.6.3. This version is supported only for
           E-Business Suite customers, but has been added for completeness.
[***** End Oracle Alert #68 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government.
Neither the United States Government nor the University of California nor any
of their employees makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process disclosed, or
represents that its use would not infringe privately owned rights. Reference
herein to any specific commercial product, process, or service by trade name,
trademark, manufacturer, or otherwise, does not necessarily constitute or
imply its endorsement, recommendation or favoring by the United States
Government or the University of California. The views and opinions of authors
expressed herein do not necessarily state or reflect those of the United
States Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-199: Cisco IOS Malformed OSPF Packet Causes Reload
O-200: Updated PAM Packages
O-201: Qt Package Vulnerabilities
O-202: Buffer Overflow in the CDE Mailer dtmail(1X)
O-203: Cisco Secure Access Control Server Vulnerabilities
O-204: Netscape NSS Library Suite Remote Buffer Overflow
O-205: Adobe Acrobat Reader Uuencoding Buffer Overflow
O-206: Entrust LibKmp Library Vulnerabilities
O-207: Cisco IOS Telnet Denial of Service Vulnerability
O-208: Kerberos krb5 Vulnerabilities