Problem description
Oracle has released the October 2008 Critical Patch Update.
This update is a collection of patches that addresses
36 security flaws in various Oracle
products.
:: Affected software
Oracle Database 11g, version 11.1.0.6
Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
Oracle Database 10g, version 10.1.0.5
Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
Oracle Application Server 10g Release 3 (10.1.3), versions
10.1.3.3.0, 10.1.3.4.0
Oracle Application Server 10g Release 2 (10.1.2), versions
10.1.2.2.0, 10.1.2.3.0
Oracle Application Server 10g (9.0.4), version 9.0.4.3
Oracle E-Business Suite Release 12, version 12.0.4
Oracle E-Business Suite Release 11i, version 11.5.10.2
Oracle PeopleSoft Enterprise PeopleTools versions 8.48.18, 8.49.14
Oracle PeopleSoft Enterprise Portal versions 8.9, 9.0
Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released
through MP1, 10.3 GA
Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA,
9.2 released through MP3
Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released
through SP6
Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released
through SP7
Oracle WebLogic Server (formerly BEA WebLogic Server) 6.1 released
through SP7
Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 10.0
released through MP1, 10.2 GA, 10.3 GA
Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 9.0,
9.1, 9.2 released through MP3
Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 8.1
released through SP6
:: Impact
Security Bypass
Exposure of sensitive information
Privilege escalation
DoS
System access
The impact of the vulnerabilities varies depending on the configuration
of the system, product, or component in question.
:: Solutions
Apply the appropriate patches or perform the relevant
upgrade following the instructions released by Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
:: References
Oracle Critical Patch Updates and Security Alerts
http://www.oracle.com/technology/deploy/security/alerts.htm
SecurityFocus
http://www.securityfocus.com/bid/31683
Mitre’s CVE ID
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4008
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4009
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4010
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4011
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4012
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4013
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4000
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4001
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4002
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4003
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4004
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3985
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3998
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3619
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3993
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3975
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3977
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3588
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3986
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3987
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3989
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3996
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3992
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3976
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3982
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3983
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3984
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3994
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3980
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4005
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2625
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3990
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-3991