Bugtraq mailing list archives

Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update October 2005


From: "Integrigy Security" <alerts () integrigy com>
Date: Wed, 19 Oct 2005 14:56:40 -0500

Integrigy Security Advisory
______________________________________________________________________
 
Vulnerabilities in Oracle E-Business Suite 11i
Oracle Critical Patch Update - October 2005
October 18, 2005
______________________________________________________________________
 
Summary:

Oracle today released its fourth Critical Patch Update (October 2005).   The
patches contained in the Critical Patch Update will correct numerous
security bugs in the Oracle Database, Oracle Application Server, and Oracle
E-Business Suite.  Some of the vulnerabilities in the Critical Patch Update
are high risk and a few can be exploited remotely using a web browser.

Almost all the security bugs fixed in this Critical Patch Update are
exploitable in Oracle E-Business Suite environments and the appropriate
patches should be applied as soon as possible.  Patches for the Oracle
Database, Oracle Application Server, Oracle Developer 6i, and Oracle
E-Business Suite 11i must be applied -- almost all implementations will have
to apply at least 12 patches.  Customers with Internet-facing
implementations of the Oracle E-Business Suite are most at risk and should
consider applying these patches quickly.

The Oracle E-Business Suite patches involved with this Critical Patch Update
are much more complex than those in the previous CPUs and will require
additional functional testing in our opinion.  In addition, the Oracle
E-Business Suite security patches are not cumulative; therefore, all the
patches specified in this CPU and previous CPUs must be applied.

Integrigy has released additional guidance to help our clients in
determining the relevance and priority of these patches for their Oracle
E-Business Suite implementations.  The Integrigy analysis for this
Critical Patch Update is available at --

http://www.integrigy.com/analysis.htm

______________________________________________________________________
 
For more information or questions regarding this security advisory, please
contact us at alerts () integrigy com.
 
Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.
 
Credit:
 
Some of the vulnerabilities fixed in the Critical Patch Update October 2005
were discovered and reported to Oracle by Stephen Kost of Integrigy
Corporation.
______________________________________________________________________
 
About Integrigy Corporation (www.integrigy.com)
 
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. AppDefend is an intrusion prevention system for
Oracle Applications and blocks common types of attacks against application
servers. Integrigy Consulting offers security assessment services for
leading ERP and CRM applications.
 
For more information, visit www.integrigy.com.


