Oracle Critical Patch Update Advisory - April 2010

Number: AV10-012
Date: 14 April 2010

Purpose

The purpose of this advisory is to bring attention to the following critical patch update for Oracle products.

Assessment

Oracle has released 47 new security fixes, which affect all product families listed below:

  • Oracle Database 11g R2, v11.2.0.1  [Database]
  • Oracle Database 11g R1, v11.1.0.7  [Database]
  • Oracle Database 10g R2, v10.2.0.3, 10.2.0.4  [Database]
  • Oracle Database 10g, v10.1.0.5  [Database]
  • Oracle Database 9i R2, v9.2.0.8, 9.2.0.8DV  [Database]
  • Oracle Application Server 10gR2, v10.1.2.3.0  [Fusion Middleware]
  • Oracle Identity Management 10g, v10.1.4.0.1, 10.1.4.3  [Fusion Middleware]
  • Oracle Collaboration Suite 10g, v10.1.2.4  [Collaboration Suite]
  • Oracle E-Business Suite R12, v12.0.4, 12.0.5, 12.0.6, 12.1.1, 12.1.2  [E-Business Suite]
  • Oracle E-Business Suite R11i, v11.5.10, 11.5.10.2  [E-Business Suite]
  • Oracle Transportation Manager, v5.5.05.07, 5.5.06.00, 6.0.03  [Oracle Transportation Management]
  • Oracle Agile - Engineering Data Management, v6.1.1.0  [Agile-Engineering Data Management]
  • PeopleSoft Enterprise PeopleTools, v8.49, 8.50  [PeopleSoft/JDE]
  • Oracle Communications Unified Inventory Management, v7.1  [Communications Industry Suite]
  • Oracle Clinical Remote Data Capture Option, v4.5.3, 4.6  [Life Sciences Industry Suite]
  • Oracle Thesaurus Management System, v4.5.2, 4.6, 4.6.1  [Life Sciences Industry Suite]
  • Oracle Retail Markdown Optimization, v13.1  [Retail Industry Suite]
  • Oracle Retail Place In-Season, v12.2  [Retail Industry Suite]
  • Oracle Retail Plan In-Season, v12.2  [Retail Industry Suite]
  • Oracle Sun Product Suite  [Oracle Sun Product Suite]

CVE Reference: CVE-2010-0851, CVE-2010-0852, CVE-2010-0853, CVE-2010-0854, CVE-2010-0860, CVE-2010-0866, CVE-2010-0867, CVE-2010-0870

Suggested action

Oracle states that "Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible."

CCIRC recommends that administrators identify affected products, assess the need to update and identify potential dependencies.

Note to Readers

The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.

For general information, please contact Public Safety Canada's Public Affairs division at:

Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca