Sunday, July 15, 2007

Oracle Critical Patch Update Pre-Release Announcement - July 2007

Description

This Critical Patch Update Pre-Release Announcement provides advance information about the Oracle Critical Patch Update for July 2007 which will be released on Tuesday, July 17, 2007. While this Pre-Release Announcement is as accurate as possible at the time of publication, the information it contains may change before publication of the Critical Patch Update advisory.

A Critical Patch Update is a collection of patches for multiple security vulnerabilities. This Critical Patch Update contains 46 security fixes across all products. Some of the vulnerabilities addressed in this Critical Patch Update affect multiple products.

Vulnerabilities fixed by Critical Patch Updates are scored using the standard CVSS scoring (see MetaLink note 394486.1). The highest CVSS base score of vulnerabilities across all products is 4.8.

Supported Products Affected

Security vulnerabilities addressed by this Critical Patch Update affect the following products:

* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g, version 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8, 9.2.0.8DV
* Oracle Application Express (formerly called HTML DB), versions 1.5 - 2.2
* Oracle Secure Enterprise Search 10g, versions 10.1.6, 10.1.8
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle10g Collaboration Suite, version 10.1.2
* Oracle E-Business Suite Release 11i, versions 11.5.8 - 11.5.10 CU2
* Oracle E-Business Suite Release 12, versions 12.0.0, 12.0.1
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
* Oracle PeopleSoft Enterprise Human Capital Management versions 8.9, 9.0
* Oracle PeopleSoft Enterprise Customer Relationship Management versions 8.9, 9.0

Executive Summaries

Oracle Database Executive Summary

This Critical Patch Update contains 20 new security fixes for the Oracle Database including 1 new security fix for Application Express. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. None of these fixes are applicable to Oracle Database client-only installations, i.e. installations that do not have the Oracle Database installed.

The highest CVSS base score of vulnerabilities affecting Oracle Database products is 4.2.

The Oracle Database components affected by vulnerabilities that are fixed in this Critical Patch Update are:

* Advanced Queuing
* Application Express
* DataGuard
* JavaVM
* Oracle Data Mining
* Oracle Internet Directory
* Oracle Text
* PL/SQL
* Program Interface
* Rules Manager
* Spatial
* SQL Compiler

Oracle Application Server Executive Summary

This Critical Patch Update contains 4 new security fixes for Oracle Application Server. 3 of these vulnerabilities may be remotely exploitable without authentication, i.e. they may be exploited over a network without the need for a username and password. 2 new fixes are applicable to client-only installations, i.e. installations that do not have Oracle Application Server installed.

Oracle Application Server products that are bundled with the Oracle Database are affected by Oracle Database vulnerabilities fixed in this CPU.

The highest CVSS base score of vulnerabilities affecting Oracle Application Server products is 2.3.

The Oracle Application Server components affected by vulnerabilities that are fixed in this Critical Patch Update are:

* Oracle Internet Directory
* Oracle JDeveloper
* Oracle Single Sign On

Oracle Collaboration Suite Executive Summary

There is 1 new Oracle Collaboration Suite specific fix in this Critical Patch Update in its Instant Messaging/Presence component. It is not remotely exploitable without authentication.

This Critical Patch Update contains 4 Oracle Application Server vulnerabilities that are in code included in Oracle Collaboration Suite.

Oracle Collaboration Suite bundles the Oracle Database. All Oracle Database fixes included in this CPU are applicable.

The highest CVSS base score of Oracle Application Server vulnerabilities affecting Oracle Collaboration Suite is 2.3.

Oracle E-Business Suite and Applications Executive Summary

This Critical Patch Update contains 14 new security fixes for the Oracle E-Business Suite. 6 of these vulnerabilities may be remotely exploited without authentication, i.e. they may be exploited over a network without the need for a username and password.

Oracle E-Business Suite products include an Oracle Database which has vulnerabilities fixed in this CPU. These Oracle Database vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).

Oracle Life Sciences Applications (previously known as Oracle Pharmaceutical Applications) includes Oracle Application Server and Oracle Database Software components which should be patched (the documentation released with the Critical Patch Update will provide details).

The highest CVSS base score of vulnerabilities affecting E-Business Suite products is 4.7.

The Oracle E-Business Suite components affected by vulnerabilities that are fixed in this Critical Patch Update are:

* Oracle Application Object Library
* Oracle Configurator
* Oracle Customer Intelligence
* Oracle Human Resources
* Oracle iExpenses
* Oracle iRecruitment
* Oracle Payables
* Oracle Payments

Oracle Enterprise Manager Executive Summary

This Critical Patch Update contains no new Oracle Enterprise Manager fixes. Please refer to the April 2007 Critical Patch Update for the latest Oracle Enterprise Manager fixes and related information.

Oracle Enterprise Manager includes Oracle Database and Oracle Application Server components which have vulnerabilities fixed in this CPU. These Oracle Database and Oracle Application Server vulnerabilities should be patched (the documentation released with the Critical Patch Update will provide details).

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary

This Critical Patch Update contains 3 new security fixes for Oracle PeopleSoft Enterprise PeopleTools, 2 new security fixes for PeopleSoft Enterprise Customer Relationship Management, and 2 new security fixes for PeopleSoft Enterprise Human Capital Management. 1 of the security vulnerabilities affecting Oracle PeopleSoft Enterprise PeopleTools may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. There are no new security fixes affecting JD Edwards products.

The highest CVSS base score of vulnerabilities affecting Oracle PeopleSoft Enterprise products is 4.8 for two vulnerabilities.

The Oracle PeopleSoft Enterprise components affected by vulnerabilities that are fixed in this Critical Patch Update are:

* Customer Relationship Management Online Marketing
* Human Capital Management
* PeopleTools
