Cisco Web Collaboration Option

Field Notice: Cisco Contact Center Products Security Patch update for Products utilizing Oracle Database


October 25, 2004


Products Affected

  • Cisco Collaboration Server - 5.0, all service releases

  • Cisco eMail Manager - 5.0, all service releases

Problem Description

On August 31, 2004 (revised September 24, 2004), Oracle released the following security update:

Oracle Security Vulnerability #68

Some Oracle products are exposed to several buffer overflow, format string, SQL injection and other types of vulnerabilities. Additional information is provided in the links below.

Security Alerts

Oracle Security Update (Alert #68, Rev 2, September 24, 2004)

Patches are available on MetaLink.

CERT

Some articles:

"Oracle Releases Delayed Security Patches"

"U.S. Government, Companies Warn of Critical Oracle Flaws"

Affected Software:

  • Oracle Database 10g Release 1, version 10.1.0.2

  • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5

  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4

  • Oracle8i Database Server Release 3, version 8.1.7.4

  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2

  • Oracle Enterprise Manager Database Control 10g, version 10.1.0.2

  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1

  • Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1

  • Oracle9i Application Server Release 1, version 1.0.2.2

The following product releases and versions, and all future releases and versions, are not affected:

  • Oracle Database 10g Release 1, version 10.1.0.3

  • Oracle Enterprise Manager Grid Control 10g, version 10.1.0.3

  • Oracle Application Server 10g (9.0.4), version 9.0.4.2 (not yet available)

Background

Cisco evaluates security patches from all vendors for potential impact to Cisco Contact Center products. The qualification process results in one of four categorical ratings being applied to a given update: Impacting, Not Impacting, Deferred, or Not Applicable.

The four ratings are defined in the Cisco Customer Contact Software Policy for use of Third-Party Software and Security Updates document.

For the security updates listed in the Problem Description of this bulletin, Cisco has assigned the updates to the following categories:

Impacting

Oracle Security Update (Alert #68, Rev 2, September 24, 2004)

Customers should follow the vendor's guidelines regarding when and how they should apply these updates. Refer to the vendor's website for complete details of the potential exposure.

Problem Symptoms

As of September 24, 2004, Cisco Contact Center Support has not recorded any cases pertaining to this threat from our customer base.

Workaround/Solution

Cisco has assessed and, where deemed appropriate, validated the vendor's security patches addressed in this bulletin.

Cisco recommends that Contact Center customers separately assess all vendor security patches and install those deemed appropriate for their environments.

Cisco will continue to provide a service of separately assessing and, where necessary, validating higher severity security patches that may be relevant to the Contact Center Enterprise software products.

Visit the vendor's website to acquire the fixes. Download the fixes appropriate to the version of the software, the operating system and the service pack level deployed in your environment.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.