August 31st, 2004
Severity: 1

Alert #68: Oracle Security Update

Description

This security alert addresses security vulnerabilities in Oracle's server products.

The patches for this alert are available on ITEC’s ftp site (ftp.itec.suny.edu), in the alert68 folder.  If you need the patches and do not know the username/password for the ftp site, please open a Remedy ticket requesting them.  We have posted most of the patches for the more common versions of Oracle products on the more common operating systems.  If you need a patch that is not on our ftp site, please open a Remedy ticket and we will be more than happy to get the patch for you.  The naming convention used for the patches is

{Patch #}_{oracle product version}_{operating system}.zip

For example, one of the patches for Oracle RDBMS 10.1.0.2 on Linux is 3811942, so the file has the following name:

3811942_10102_LINUX.zip

(the product version with the dots removed, and the operating system in capitals).  If you have any question about which patch you should be using, please open a Remedy ticket.

Included below are two Oracle Notes, one with the patch matrix and the other an alert #68 FAQ.

 

Supported Products Affected

  • Oracle Database 10g Release 1, version 10.1.0.2
  • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, and 9.0.4
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
  • Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2

The following product releases and versions, and all future releases and versions are not affected:

  • Oracle Database 10g Release 1, version 10.1.0.3
  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3 (not yet available)
  • Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)

Unsupported products, releases and versions have not been tested for the presence of these vulnerabilities, nor patched, in accordance with section 4.3.3.3 of the Software Error Correction Support Policy.

Oracle Database Server Vulnerabilities

The available patches eliminate vulnerabilities in the Database Server and the Listener. The unpatched exposure risk is high; exploiting some of these vulnerabilities requires network access, but no valid user account.

Oracle Application Server Vulnerabilities

The available patches eliminate vulnerabilities in the Portal and iSQL*Plus components of Oracle Application Server.  The unpatched exposure risk is high; exploiting some of these vulnerabilities requires network access, but no valid user account.

Oracle Enterprise Manager Vulnerabilities

The available patches eliminate vulnerabilities in Oracle Enterprise Manager.  The unpatched exposure risk is medium; exploiting these vulnerabilities requires a valid operating system user account on the Enterprise Manager host.

Oracle Collaboration Suite Impact  

All Collaboration Suite customers should apply the Oracle Database patches to their Information Storage database and the Oracle Application Server-embedded database.  Collaboration Suite customers should also apply the application server patch to the Oracle Application Server infrastructure installation and to each Collaboration Suite middle tier installation.

Collaboration Suite customers that have upgraded their Information Storage database to version Oracle Database 10g Release 1, version 10.1.0.2 should also apply the Enterprise Manager patch.

E-Business Suite 11i Impact

E-Business Suite Release 11i customers should apply the available Oracle Database patches to their current Oracle Database Servers, which should be one of the following:

  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle9i Database Server Release 2, version 9.2.0.4
  • Oracle9i Database Server Release 2, version 9.2.0.5

E-Business Suite Release 11i customers should also apply the Oracle Application Server patch to their current Oracle Application Server releases, which should be one of the following:

  • Oracle9i Application Server Release 1, version 1.0.2.2
  • Oracle Application Server 10g (9.0.4), version 9.0.4.0

How to Minimize Risk

There are no workarounds that fully address the security vulnerabilities that are the subject of this alert.  Oracle strongly recommends that customers apply the available patches without delay. Please see http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings.

Patch Availability


Oracle Security Alert #68 (Patch Availability Matrix)
Oracle Critical Security Update

Patch Availability Matrix

The patches listed in the Patch Availability Matrix fix the potential vulnerabilities identified in Oracle Security Alert #68. Future releases of the products affected will contain the fixes by default.

Patches are available for the following affected products:

  • Oracle Database 10g Release 1, version 10.1.0.2
  • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, and 9.0.4
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2

The patches in this Security Alert include the fixes for previous Security Alerts.  If you are running the latest version of OPatch, and it detected a conflict with the patch(es) for previous Security Alert(s), ignore the conflict and continue with the install, or use the force option if it is available.

Oracle strongly recommends that you back up your system and comprehensively test its stability after applying any patch, before deleting any of the original files that are replaced by the patch.

NOTE: Please review the patch issues listed in <Note 282108.1> FAQ for Security Alert 68 before applying the patches.

Oracle Database Products

For each platform, the required patches are listed per database version (8.1.7.4, 9.0.1.4, 9.0.1.5, 9.0.4, 9.2.0.4, 9.2.0.5, 10.1.0.2).  Where a cell lists two patch numbers (a / b), both need to be applied, but it does not matter in which order.  "---" in a slot means no patch for that slot; "ECD:Sept 2004" means the patch was not yet available at the time of the alert, with an estimated completion date of September 2004.  Versions not listed for a platform have no patch in the matrix.

Data General AViiON ix86 Unix
  8.1.7.4:  3811838

Fujitsu-Siemens Reliant UNIX
  8.1.7.4:  3811838

Hitachi 3050/R Risc UNIX
  9.2.0.4:  --- / ECD:Sept 2004

HP TRU-64 Unix
  8.1.7.4:  3811838 / 3835952
  9.0.1.4:  3811857 / 3835955
  9.0.1.5:  3811865 / 3835959
  9.0.4:    ECD:Sept 2004 / ECD:Sept 2004
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942 / 3838804

HP-UX (32-bit)
  8.1.7.4:  3811838 / 3835952

HP-UX 64-bit
  8.1.7.4:  3811838 / 3835952
  9.0.1.4:  3811857 / 3835955
  9.0.1.5:  3811865 / 3835959
  9.0.4:    ECD:Sept 2004 / ECD:Sept 2004
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942 / 3838804

HP-UX IA64
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942 / 3838804

IBM AIX Based Systems 4.3.3 and 5L (32-bit)
  8.1.7.4:  3811838 / 3835952

IBM AIX Based Systems (64-bit)
  8.1.7.4:  3811838
  9.0.1.4:  3811857
  9.2.0.4:  3811887
  9.2.0.5:  3811906

IBM AIX Based Systems 5L (64-bit)
  9.0.1.4:  3811857 / 3835955
  9.0.1.5:  3811865 / 3835959
  9.0.4:    ECD:Sept 2004 / ECD:Sept 2004
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942 / 3838804

IBM NUMA-Q DYNIX/ptx
  8.1.7.4:  3811838

OPENVMS
  8.1.7.4:  3811838
  9.2.0.4:  3811887
  9.2.0.5:  3811906

OS/390
  8.1.7.4:  3811838
  9.0.1.4:  3811857
  9.2.0.4:  3811887
  9.2.0.5:  3811906
  10.1.0.2: 3811942

Linux /390
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: --- / 3838804

Linux Itanium
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942 / 3838804

Linux x86
  8.1.7.4:  3811838 / 3835952
  9.0.1.4:  3811857 / 3835955
  9.0.1.5:  3811865 / 3835959
  9.0.4:    ECD:Sept 2004 / ECD:Sept 2004
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942 / 3838804

Linux x86-64 AMD
  9.2.0.4:  ECD:Sept 2004

NEC EWS4800/UP4800 Series Unix
  8.1.7.4:  ECD:Sept 2004

SGI IRIX (64-bit)
  8.1.7.4:  3811838

Solaris 32-bit
  8.1.7.4:  3811838 / 3835952
  9.0.1.4:  3811857 / 3835955
  9.0.1.5:  3811865 / 3835959
  9.0.4:    ECD:Sept 2004 / ECD:Sept 2004
  9.2.0.4:  3811887 / 3835963
  9.2.0.5:  3811906 / 3835964
  10.1.0.2: 3811942

Solaris (x86)
  8.1.7.4:  3811838 / ECD:Sept 2004

Solaris 64-bit
  8.1.7.4:  3811838
  9.0.1.4:  3811857
  9.2.0.4:  3811887
  9.2.0.5:  3811906
  10.1.0.2: 3811942 / 3838804

UnixWare
  8.1.7.4:  3811838

Windows (64-bit)
  9.2.0.5:  3811906
  10.1.0.2: 3811942

Windows NT/2000
  8.1.7.4:  3820881
  9.0.1.4:  3836293 / 3835955
  9.0.1.5:  3815663 / 3835959
  9.0.4:    ECD:Sept 2004 / ECD:Sept 2004
  9.2.0.5:  3738339 / 3835964
  10.1.0.2: 3768706 / 3838804

If a cell contains two patch numbers, both need to be applied, but it does not matter in which order they are applied.

The Oracle 9.0.4 Database is only released with Oracle Application Server 10g (9.0.4).



Oracle Application Server Products

One patch per platform and version; "---" means no patch for that version on that platform.

Platform                          1.0.2.2   9.0.2.3   9.0.3.1   9.0.4.0   9.0.4.1
HP-UX PA-RISC (32-bit)            3835781   ---       ---       ---       ---
HP-UX 64-bit 11.0 and 11.11       3835781   3828011   3828018   3828022   3828024
HP Tru64 UNIX                     3835781   3828011   3828018   3828022   ---
IBM AIX-based Systems 5L 64-bit   ---       3828011   3828018   3828022   3828024
IBM AIX Based Systems (32-bit)    3835781   3828011   3828018   ---       ---
Linux x86                         3835781   3828011   3828018   3828022   3828024
Sun SPARC Solaris                 3835781   3828011   3828018   3828022   3828024
Windows NT/2000                   3835781   3828011   3828018   3828022   ---

 

 

FAQ for Security Alert 68

1.  Readme of the patch for Security Alert #68 contains a typo.

The patch post installation instructions include to run the following:
# cd $ORACLE_HOME/rdbms/admin
# sqlplus "/ as sysdba"
# > @dbmspexp.sql
# > @prvtexp.plb

The last line is a typo. Instead of running 'prvtexp.plb', you should run 'prvtpexp.plb'. <Bug:3867336> and <Note:282090.1> have been created for this.

Update: All the patch readmes have been corrected and re-uploaded.

2.  Why is patch not available for Oracle Database Server 9.2.0.3 or other earlier patch sets?

In accordance with section 4.3.3.3 of Doc 209768.1, Database and iAS Software Error Correction Support Policy, Oracle proactively creates patches for the current and previous patch sets of supported releases. The exception is when the last patch set for a release has been out for 6 months or more; in that case only the last patch set gets a patch. For example, in April 2003 a security patch would have been created for DB versions 8.1.7 ps 4 (8.1.7.4), 9.0.1 ps 3 (9.0.1.4), and 9.2.0 ps 1 and 2 (9.2.0.2 and 9.2.0.3). Patches are also created for versions supported under EMS, but only for platforms for which Oracle has actually sold EMS.

In addition, unsupported products, releases and versions have not been tested for the presence of these vulnerabilities, nor patched.  However, the vulnerabilities fixed by the patches for this alert are likely to affect these unsupported releases as well.  If your databases are running versions 9201, 9202, 9203, 9012, 9013, 8170, 8171, 8172 or 8173, first upgrade to a supported release/version by installing the appropriate patchset, then apply the relevant fixes for that release.

3.  Does Alert 68 include the fixes for Security Alert 64?

Yes.  Question 13 of <Note:237007.1> "FAQ for Security Alert" was updated to include this new security alert.

4.  Why is OEM 9.2 not listed?

The security issues were not applicable to OEM 9.2.

5.  Why is there no patch for Enterprise Manager DB Control?

The fix for DB control is delivered as part of the DB patch.

6.  Conflict reported with previous Oracle Security Alerts.  What should I do?

The patches in Security Alert 68 include the fixes for previous Security Alerts.  For details, please review Question 13 of <Note:237007.1>.  If you are running the latest version of OPatch, and it detected a conflict with the patch(es) for previous Security Alert(s), you can just ignore the conflict and continue with the install, or use the force option if it is available.  

However, if the conflict reported is not related to a Security Alert, please file an iTAR to request a merge patch.

7.  The patch for Oracle 9.2.0.4 on Windows is missing.

Oracle 9.2.0.4 is no longer patched on Windows.  Windows customers on Oracle 9.2.0.4 will have to upgrade to 9.2.0.5 first, then apply 3738339, 3835964 as indicated in <Note:281189.1>.

Update:  Exception has been granted.  Patches for 9.2.0.4 for Windows 32-bit and 64-bit will be available soon.  Please check <Note:281189.1> for the patch availability.

8.  Are there details available about exploiting the vulnerabilities covered in Security Alert#68?

As pointed out in <Note:280399.1> "FAQ on Oracle Security Vulnerabilities reported by the Press":

The security alert provides all customers with general information about the issues addressed by the patch, the severity of the bugs (and how the severity was determined), and any applicable workaround information. To protect the security of customer systems, precise details or "roadmaps" of the vulnerabilities are not disclosed in security alerts.

Oracle does not discuss these in public, and even internally the details are not widely known (if at all).

According to reports, several buffer overflow, format string, SQL injection and other types of vulnerabilities were discovered and reported to Oracle.  Some of the US-CERT references are:

http://www.us-cert.gov/cas/techalerts/TA04-245A.html
US-CERT Vulnerability Note VU#170830 - http://www.kb.cert.org/vuls/id/170830
US-CERT Vulnerability Note VU#316206 - http://www.kb.cert.org/vuls/id/316206
US-CERT Vulnerability Note VU#435974 - http://www.kb.cert.org/vuls/id/435974

9.  Security Alert 68 says patch for 9.2.0.4 is not available for Windows but Patch 3835964 says it can be applied to any 9.2.0.x db for Windows.  What is right?

Patch 3835964 fixes only one bug. The fix is in the mod_plsql binary and some OWA packages. The binary (.dll) is compatible with all versions of 9.2.0.x, and so are the OWA packages; hence the note in the readme. Strictly speaking, since 9.2.0.4 is not being patched on Windows, the note should not be there, but it is technically correct.

10.  For OracleAS  patch 3828022 and 3828024, should this be applied to midtier or infra or both?

The Oracle AS 9.0.4 patch is for the midtier. The component 3828022_ssl.zip is therefore for the midtier only. DO NOT APPLY THIS ON THE INFRA DB.

11.  There is no CTXSYS schema in any of my databases.  Can I skip the steps in the README associated with CTXSYS?

When the user CTXSYS doesn't exist, patch installation will return the following errors:

File /oracle/product/8.1.7/ctx/admin/driload.pkh is missing
File /oracle/product/8.1.7/ctx/admin/driload.pkh is not writable 
File /oracle/product/8.1.7/ctx/admin/dr0out.plb is missing 
File /oracle/product/8.1.7/ctx/admin/dr0out.plb is not writable 
Patch can not be installed.

Work around is: 

% touch /oracle/product/8.1.7/ctx/admin/driload.pkh 
% touch /oracle/product/8.1.7/ctx/admin/dr0out.plb 
and then reapply the patch

If you downloaded the 8.1.7.4 patches after Sept 2nd, the problem has been corrected.
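As an added example (this is not code from the Oracle note or from ITEC), the workaround above as a POSIX shell function for an arbitrary ORACLE_HOME: it creates the two empty placeholder files only when they are missing, refuses to continue if they exist but are not writable (the other error listed above), and signals through its exit status whether placeholders were created, so that the CTXSYS post-install steps (Q26 below) are skipped on a database that has no Oracle Text schema. The ctx/admin path comes from the error messages above; the function name and the exit-code convention are this example's own.

```shell
#!/bin/sh
# Added example (not from the Oracle note): the Q11 workaround as a reusable function.
# Assumes the CTX scripts live in $ORACLE_HOME/ctx/admin, as in the errors above.
#
# Exit status:
#   0  both files were already present and writable: a real Oracle Text install,
#      so run the CTXSYS post-install steps after patching
#   1  one or both files were missing and empty placeholders were created:
#      there is no CTXSYS schema, so skip the CTXSYS post-install steps
#   2  a file exists but is not writable by this user: fix ownership first
ctx_placeholders() {
    home="${1:?usage: ctx_placeholders ORACLE_HOME}"
    dir="$home/ctx/admin"
    created=0
    [ -d "$dir" ] || mkdir -p "$dir"
    for f in driload.pkh dr0out.plb; do
        if [ ! -e "$dir/$f" ]; then
            : > "$dir/$f"        # zero-length placeholder, same effect as touch(1)
            echo "created placeholder $dir/$f"
            created=1
        elif [ ! -w "$dir/$f" ]; then
            echo "error: $dir/$f exists but is not writable by $(id -un)" >&2
            return 2
        fi
    done
    [ "$created" -eq 0 ]
}
```

Run it as the Oracle software owner against the home you are about to patch. An exit status of 1 means the placeholders exist only to satisfy the prerequisite check and there is nothing to load into CTXSYS afterwards; a real Oracle Text installation returns 0 and still needs the post-install steps. Patches downloaded after Sept 2nd do not need this.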

12.  Why is there a separate 9.0.4 database patch?

The Oracle 9.0.4 Database is only released with Oracle Application Server 10g (9.0.4).  If the infrastructure database was installed from the OAS 9.0.4 release distribution, wait for the DB 9.0.4 patch to become available.  If the infrastructure database was upgraded from 9.0.2 or 9.0.3 to 9.0.1.5, apply the DB 9.0.1.5 patch.

Furthermore, for a Metadata Repository-only setup, the database patch for the corresponding version should be applied.

13.  Do I have to apply the patches even if I have not installed the Oracle Text component or iAS, do not use the HTTP server, etc.?

This is a severity 1 security alert, which means the vulnerability is high risk and requires little specialized knowledge to exploit. Apply the patch and/or workaround to the affected products with the highest priority.  If you have the database, the first patch matrix applies.  If you have Application Server, the second is also needed.  If you have Enterprise Manager (even if you do not use it), the Enterprise Manager patch should be applied as well.

Although the installation steps involve commands for specific components, the patches include fixes for other components too.  For some vulnerabilities, the mere presence of the component on the system is enough to be vulnerable; it does not have to be in use.

14.  What needs to be done if I am running E-Business Suite Release 11.0.3?

E-Business Suite Release 11.0 and 11i customers should apply the available Oracle Database patches to their current Oracle Database Servers, which should be one of the following:

  • Oracle Database Release 8.1.7.4
  • Oracle9i Database Release 2, version 9.2.0.4
  • Oracle9i Database Release 2, version 9.2.0.5

15.  I cannot download the patch from Metalink, is there a problem?

Due to high demand, we may have a resource problem on our download servers, please try again at a later time.

16.  Is there a risk my applications are affected after I install the fixes?

Although details of the vulnerabilities are not disclosed, the fixes can be expected to consist of boundary checks on input values and, in general, the closing of 'holes' that may typically be abused by malicious parties.  Well-behaved application code, which does not depend on undocumented hacks, is therefore not affected.  Do not confuse the severity of the vulnerability with the impact of the fix.

17.  Do I need to run catpatch.sql after installing these security patches?

You may, but it is not necessary: there are no data dictionary changes involved in this patch, so there is no need to run catpatch.sql.  However, you must run the few scripts indicated in the README.txt that comes with the patch.

18.  I have previously installed the patches for sec alert 68 on my 9.2.0.4 database, now I want to apply the 9.2.0.5 patchset, do I have to re-apply the sec. patches of alert 68 on top of 9.2.0.5 again?

Yes.  These fixes are not in the 9.2.0.5 patchset, so you must download the 9.2.0.5 versions of the patches and apply them again after the patchset.  For this reason it is recommended to apply 9.2.0.5 first and then the Alert 68 patches for 9.2.0.5; this saves work.

19.  Where to find opatch?

Get opatch here: http://updates.oracle.com/download/2617419.html. Also check out: <Note:242993.1> 'OPATCH FAQ'.

20.  My Oracle database 8174 is up-to-date with security patches before Security Alert 68. Can I apply #68 patches 3811838 and 3835952 without destroying these earlier patches?

The security patches are cumulative, so they can be applied without fear of destroying previous security alert fixes.  Please also review Question 6 above.
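As an added example (not Oracle's or ITEC's code) of the check a DBA would run after applying a patchset (Q18) or before deciding whether a reported conflict matters (Q6, Q20): it reads an `opatch lsinventory` listing, reports which of the Alert 68 patch numbers required by a matrix row are not installed, and derives the ITEC ftp file names for the missing ones using the naming convention described at the top of this page. The inventory line format assumed here ("Patch  <number> : applied on ...") is an assumption about OPatch output, and the sample inventory is constructed for the example, not captured from a real system.

```shell
#!/bin/sh
# Added example (not Oracle's or ITEC's code).
# Assumption: `opatch lsinventory` lists each installed interim patch on a line
# such as "Patch  3811906      : applied on ..." (one patch per line).

# ITEC ftp archive name for a patch: {patch}_{version without dots}_{OS in caps}.zip
#   patch_zip_name 3811942 10.1.0.2 linux  ->  3811942_10102_LINUX.zip
patch_zip_name() {
    ver=$(printf '%s' "$2" | tr -d '.')
    os=$(printf '%s' "$3" | tr '[:lower:]' '[:upper:]')
    printf '%s_%s_%s.zip\n' "$1" "$ver" "$os"
}

# missing_alert68_patches INVENTORY_FILE PATCH...
# Prints each required patch number that is absent from the inventory, one per
# line. Returns 0 when every patch is installed, 1 otherwise.
missing_alert68_patches() {
    inv="$1"; shift
    rc=0
    for p in "$@"; do
        # Match "Patch <number>" followed by a non-digit (or end of line), so a
        # longer number that merely starts with this one does not count.
        if ! grep -Eq "Patch[[:space:]]+$p([^0-9]|\$)" "$inv"; then
            echo "$p"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample inventory (not captured from a real system): a 9.2.0.5
# Linux x86 home where only the first of the two matrix patches (3811906 and
# 3835964) has been applied.
sample_inventory() {
    cat <<'EOF'
Installed Top-level Products (1):
Oracle9i Database                                   9.2.0.5.0
Interim patches (1) :
Patch  3811906      : applied on Tue Sep 07 10:12:33 EDT 2004
   Bugs fixed:
     3811906
EOF
}

# Runs the check against the sample and prints the ftp file names still needed.
demo() {
    tmp=$(mktemp)
    sample_inventory > "$tmp"
    # Required pair for 9.2.0.5 on Linux x86, from the database patch matrix above.
    missing=$(missing_alert68_patches "$tmp" 3811906 3835964) || true
    rm -f "$tmp"
    for p in $missing; do
        patch_zip_name "$p" 9.2.0.5 linux
    done
}
```

On a real home, replace `sample_inventory` with `$ORACLE_HOME/OPatch/opatch lsinventory` saved to a file, and pass the patch numbers from the matrix row for your version and platform. Because the patches are cumulative, a patch number reported as missing here is what you need to fetch and apply; a number that is present does not need to be re-applied because of an OPatch conflict with an earlier Security Alert.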

21.  Is the Client install (8.1.7.x) equally vulnerable?

Yes, according to Development: the client installs are vulnerable and have to be patched as well.

Note, however, what patching the client achieves: it protects the client itself, so the important place to apply the client fixes is the middle tier.  The database patch includes fixes to the client shared library files (lib/libclient9.a and lib32/libclient9.a), but whether or not they are installed on remote end-user client installs (PCs in general) has no consequence for the security of the database.  The security of the database is and must be enforced on the database server (a hacker would simply use an old copy of the client software anyway), so patching end-user clients is irrelevant to database security.

22.  The patch README file mentioned "You must have NO OTHER PATCHES installed on your Oracle Server since the latest patch set (or base release x.y.z if you have no patch sets installed)."  What do I do if I have applied any one-off patches?

This warning is put in the readmes of ALL interim (one-off) patches as a standard practice, because the application of any patch can add risk to the processing environment. Interim patches are not tested as extensively as patchsets, and customers need to know that there is always a possibility of a file conflict with a previous patch applied since the last patchset.

You should nevertheless try to apply the patch with OPatch.  If a conflict is reported and it does not point to a previous Security Alert, request a merge patch; otherwise the conflict report can be ignored.

23.  There is no patch available for 8174 on IBM AIX Based Systems 5L (64-bit), is it not required or it's not there?

8.1.7.4 runs in 32-bit mode on an IBM AIX Based Systems 5L (64-bit) platform.  If your database is running in this setup, please download the patch for IBM AIX Based Systems (32-bit).

24.  How to find corresponding versions of Apache, iAS and APPS installs?

<Note:260449.1> Everything You Wanted to Know About The Apache-Based OHS Version

25.  Does patch 3835781 apply to 1.0.2.2.2 also?

Yes.    

26.  The README file for applying patch has the following instruction in section "Patch Special Instructions": "After installing the patch, load driload.pkh and dr0out.plb into the ctxsys schema from sqlplus". What are the specific steps to do this?

cd $ORACLE_HOME/ctx/admin
sqlplus "/ as sysdba"
SQL> alter session set current_schema=CTXSYS;
SQL> @driload.pkh
SQL> @dr0out.plb

27.  The detailed information regarding this alert is available on some 3rd party sites.  Why can't Oracle release the information?

The information on 3rd party pages is not approved by Oracle.  Some sites offer misleading information by covering only a small part of the vulnerabilities addressed by the alert; others provide a large amount of information that is unrelated to the Alert and the patches Oracle issued.  As mentioned in Q8 above, Oracle does not discuss the vulnerabilities in public, and even internally the details are not widely known (if at all).

28.  I am confused while installing the modplsql part of the security patches in a multi version environment, what to do?

In general, run the midtier part of patch.csh (step 6 of README.TXT) in the home whose version corresponds to the patch version.

Run the sysobjects part (step 4b) in each database SERVICED by this Apache/mod_plsql server, regardless of the database version.

29.  Could I bring the instances all down to apply the patches, then bring the instances all up again for users to use, and then do the post-processing on those databases over the next several days?

No.  The patches are a merge of several fixes, and some of the fixes require that the post-install actions be done immediately after applying the patches.

30.  The readme's state that you must have no other patches since the latest patchset (or base release).  If one-off patches have been applied to the database, should I not apply the patches for Security Alert 68? 

Oracle puts this warning in the readmes of ALL interim (one-off) patches, not just security patches, because the application of any patch can add risk to the processing environment. Interim patches are not tested as extensively as patchsets, and customers need to know that there is always a possibility of a file conflict with a previous patch applied since the last patchset. A security patch is just another one-off or bundled patch; the only difference is that security patches are issued proactively. As always, test the patch before applying it to a production system, or move up to the next patchset if one exists. If you experience problems and discover conflicts, create an SR to report the problem so that Support Engineers can file a merge patch request.

31.  Can Security patches be used in a Rolling Upgrade?

No. Security Patches, unless otherwise noted in the Alert, CANNOT be used in a Rolling Upgrade.  They are not tested in such a configuration.

it is confirmed and a merge patch is filed, this question

 
