Original CPU Apr-2011 URL: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html
Oracle does not want to disclose any information that an attacker might use to develop a successful exploit against an Oracle product. For this reason, the advisory gives no clue as to what the security vulnerabilities exactly are.
Important Section (1):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Affected Products and Versions | Patch Availability |
Oracle Database 11g Release 2, versions 11.2.0.1, 11.2.0.2 | |
Oracle Database 11g Release 1, version 11.1.0.7 | |
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5 | |
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
The section above lists the affected product releases and versions that are in Premier Support or Extended Support. If your database version is not listed, there are two possible reasons: 1) it is not affected; 2) it is affected, but the version is no longer under Premier or Extended Support, for example 11.1.0.6 and 10.2.0.1.
Important Section (2):
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Appendix - Oracle Database Server
Oracle Database Server Executive Summary
This Critical Patch Update contains 6 new security fixes for the Oracle Database Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Database Server installed.
Oracle Database Server Risk Matrix
(Columns Base Score through Availability are the CVSS VERSION 2.0 RISK fields; see Risk Matrix Definitions.)
CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
CVE-2011-0792 | Oracle Warehouse Builder | Oracle Net | Dimensional Data Modeling | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.5 (OWB), 11.1.0.7 | |
CVE-2011-0799 | Oracle Warehouse Builder | Oracle Net | Oracle Warehouse Builder User Account | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.5 (OWB), 11.1.0.7, 11.2.0.1 | |
CVE-2009-3555 (Oracle Fusion Middleware) | Oracle Security Service | SSL/HTTPS | C Oracle SSL API | Yes | 5.8 | Network | Medium | None | None | Partial | Partial | 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 | |
CVE-2011-0787 (Oracle Enterprise Manager Grid Control) | Application Service Level Management | HTTP | Service Level Agreements | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 11.1.0.7 | |
CVE-2011-0806 | Network Foundation | Oracle Net | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 | See Note 1 |
CVE-2011-0785 (Oracle Fusion Middleware) | Oracle Help | HTTP | - | Yes | 4.3 | Network | Medium | None | None | Partial | None | See note | See Note 2 |
CVE-2011-0805 | UIX | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.0.5, 10.2.0.4, 11.1.0.7, 11.2.0.1 | |
CVE-2011-0793 | Database Vault | Oracle Net | SYSDBA | No | 3.6 | Network | High | Single | None | Partial | Partial | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1 | |
CVE-2011-0804 | Database Vault | Oracle Net | Valid Account | No | 3.6 | Network | High | Single | Partial | Partial | None | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 | |
Notes:
1. Applicable to Windows servers only.
2. Fixed in all supported Releases and Patchsets.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
To interpret the table above:
CVE#: This is the industry standard identifier of the vulnerability and is provided by the Common Vulnerability and Exposures group at http://cve.mitre.org/
Component: This is the high level component affected by the vulnerability.
Protocol: This is the protocol over which the vulnerability can be exploited. Reported protocols typically include TCP/IP such as HTTP or Oracle Net. If the attack is launched via the Operating System then the reported protocol is designated "Local" or "Local Login". In some instances, it is possible to mitigate the vulnerability on the affected systems by blocking or limiting connections using the reported protocol.
Package and/or Privilege Required: This is either a subcomponent under the component or the privilege required to launch an attack. When this column contains a privilege, the nature of the privilege required will often be very important in determining risk. For example, if the privilege required is "Session only", meaning that only a logon is required, the risk is much greater than if the privilege was reported as "create table".
Remote Exploit without Auth.?: Whether the vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Base Score: The CVSS base score defines the severity of the vulnerability and ranges between 0.0 and 10.0, where 10.0 represents the highest severity. Each risk matrix is ordered using this value, with the most severe vulnerability at the top of each risk matrix.
Access Vector: The values reported by Oracle are "Network", which means an attack can occur over the network, and "Local", which means that only local attacks are possible (i.e., the attacker has physical access to the machine). Generally, local-only attacks may be considered lower risk in instances where the IT staff is trusted (and has been properly vetted).
Access Complexity: This column reports on the difficulty of launching an attack that has already been created. Low means easy access and typically requires no or low levels of privilege.
Authentication: This column indicates whether authentication is required in order to exploit the vulnerability. Possible values are: "None", "Single Authentication" or "Multiple Authentications".
Confidentiality: Unauthorized disclosure of data
Integrity: Unauthorized create/update/delete of data
Availability: Unauthorized denial of service
Supported Versions Affected: The affected versions; only versions under Premier or Extended Support are listed.
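The Base Score column is not an independent judgement: it is derived from the six CVSS 2.0 fields that follow it. As an added example (not code from the Oracle advisory or from this post), the following recomputes the base score from those columns with the published CVSS v2 equations and checks it against the score listed for rows of the matrix above; Oracle's "Partial+" annotation is scored as a plain CVSS Partial (0.275).

```python
import math

# Added example, not from the Oracle advisory or this post: recompute the
# CVSS 2.0 base score from the matrix columns with the published CVSS v2
# equations and compare it with the Base Score column. Oracle's "Partial+"
# annotation is scored as Partial (0.275) in CVSS v2.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Partial+": 0.275, "Complete": 0.660}


def _round1(x: float) -> float:
    """Round half up to one decimal place, as the CVSS v2 guide does."""
    return math.floor(x * 10 + 0.5) / 10


def cvss2_base_score(av, ac, au, conf, integ, avail) -> float:
    """CVSS v2 base score from the column values used in the risk matrix."""
    impact = 10.41 * (1 - (1 - IMPACT[conf]) * (1 - IMPACT[integ]) * (1 - IMPACT[avail]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0 if impact == 0 else 1.176
    return _round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def check_matrix_row(row: str) -> tuple:
    """Parse one '|'-separated matrix row (14 cells) and compare the listed
    base score with the recomputed one. Returns (cve, listed, computed, ok)."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    cve = cells[0].split()[0]  # drop a trailing "(Oracle ...)" qualifier
    listed = float(cells[5])
    computed = cvss2_base_score(*cells[6:12])
    return cve, listed, computed, listed == computed


# Rows copied verbatim from the risk matrix above, used as sample input.
MATRIX_ROWS = [
    "CVE-2011-0792 | Oracle Warehouse Builder | Oracle Net | Dimensional Data Modeling | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.5 (OWB), 11.1.0.7 | |",
    "CVE-2009-3555 (Oracle Fusion Middleware) | Oracle Security Service | SSL/HTTPS | C Oracle SSL API | Yes | 5.8 | Network | Medium | None | None | Partial | Partial | 10.1.0.5, 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 | |",
    "CVE-2011-0806 | Network Foundation | Oracle Net | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.0.5, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1, 11.2.0.2 | See Note 1 |",
    "CVE-2011-0793 | Database Vault | Oracle Net | SYSDBA | No | 3.6 | Network | High | Single | None | Partial | Partial | 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.1 | |",
]

if __name__ == "__main__":
    for row in MATRIX_ROWS:
        cve, listed, computed, ok = check_matrix_row(row)
        print(f"{cve}: listed {listed}, recomputed {computed}, {'OK' if ok else 'MISMATCH'}")
```

Every row of the matrix recomputes to its listed score, which also shows why CVE-2011-0806 (no authentication, availability only) scores higher than the Database Vault issues that need SYSDBA or a valid account.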