Executive Summary

Summary
Title: Oracle Updates for Multiple Vulnerabilities

Information
Name: TA08-017A
Vendor: US-CERT
First vendor publication: 2008-01-17
Last vendor modification: 2008-01-17
Severity (vendor): N/A
Revision: N/A

Security-Database Scoring CVSS v3

CVSS vector: N/A
Overall CVSS Score: NA
Base Score: NA
Environmental Score: NA
Impact Sub Score: NA
Temporal Score: NA
Exploitability Sub Score: NA

Security-Database Scoring CVSS v2

CVSS vector: (AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Base Score: 10
CVSS Impact Score: 10
CVSS Exploit Score: 10
Attack Range: Network
Attack Complexity: Low
Authentication: None Required

Detail

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

Oracle has released Critical Patch Update - January 2008. This update addresses 26 vulnerabilities in different Oracle products and components.

The Critical Patch Update provides information about affected components, access and authorization required, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.
MetaLink customers should refer to MetaLink Note 467880.1 (login required) for more information on terms used in the Critical Patch Update.

According to Oracle, none of the vulnerabilities corrected in the Oracle Critical Patch Update affect Oracle Database Client-only installations.

In most cases, Oracle does not associate Vuln# identifiers (e.g., DB01) with other available information. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update - January 2008. Note that this Critical Patch Update only lists newly corrected issues. Updates to patches for previously known issues are not listed.

As noted in the update, some patches are cumulative, others are not:

The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications (Release 12 only), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications and PeopleSoft Enterprise PeopleTools patches in the Updates are cumulative; patches for any product included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates.

Oracle E-Business Suite Applications Release 11i patches are not cumulative, so Oracle E-Business Suite Applications customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply. Oracle Collaboration Suite patches were cumulative up to and including the fixes provided in the April 2007 Critical Patch Update. From the July 2007 Critical Patch Update on, Oracle Collaboration Suite security fixes are delivered using the one-off patch infrastructure normally used by Oracle to deliver single bug fixes to customers.

Patches for some platforms and components were not available when the Critical Patch Update was published on January 17, 2008. Please see MetaLink Note 467880.1 (login required) for more information.

Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents specific to your system before applying patches.

Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - January 2008 and Critical Patch Updates and Security Alerts.

Appendix B.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA08-017A.html

CPE : Common Platform Enumeration

Type Description Count
Application 12
Application 2
Application 1
Application 7
Application 7
Application 1
Application 3

SAINT Exploits

Description
Oracle XDB component PITRIG_TRUNCATE buffer overflow

OpenVAS Exploits

Date Description
2011-12-07 Name : Oracle Application Server Unspecified Vulnerability
File : nvt/gb_oracle_appln_server_unspecified_vuln.nasl
2011-12-07 Name : Oracle Database Server Multiple Unspecified Vulnerabilities - Jan 08
File : nvt/gb_oracle_database_mult_unspecified_vuln_jan08.nasl
2011-12-07 Name : Oracle Database Server and Application Server Ultra Search Component Unspecif...
File : nvt/gb_oracle_database_n_appln_server_ultra_serach_comp_unspecified_vuln.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
41689 Oracle Database Core RDBMS Dictionary Selection Unspecified Issue

40306 Oracle Database Spatial Unspecified Remote Issue (DB07)

40305 Oracle Database Spatial Unspecified Remote Issue (DB06)

40304 Oracle Database Upgrade/Downgrade Unspecified Remote Issue

40303 Oracle Database Spatial MDSYS.SDO_CATALOG Unspecified Remote Issue

40302 Oracle Database Advanced Queuing SYS.DBMS_PRVTAQIP Unspecified Remote Issue

40301 Oracle Database Advanced Queuing SYS.DBMS_PRVTAQIM Unspecified Remote Issue

40300 Oracle Database XML DB XDB.XDB_PITRIG_PKG Package PITRIG_TRUNCATE Function Ov...

40298 Oracle Application Server Internet Directory LDAP Unspecified Remote Informat...

40297 Oracle Application Server JDeveloper Unspecified Remote Issue

40296 Oracle Application Server Forms Unspecified Remote Issue

40295 Oracle Application Server BPEL Worklist Application Unspecified Remote Issue

40294 Oracle Application Server Jinitiator Unspecified Remote Issue (AS02)

40293 Oracle Application Server Jinitiator Unspecified Remote Issue (AS01)

40290 Oracle E-Business Suite Applications Technology Stack Unspecified Remote Issue

40289 Oracle E-Business Suite Application Object Library Unspecified Remote Issue (...

40288 Oracle E-Business Suite CRM Technical Foundation Unspecified Remote Issue

40287 Oracle E-Business Suite Applications Manager Unspecified Remote Information D...

40286 Oracle E-Business Suite Applications Framework Unspecified Remote Information...

40285 Oracle E-Business Suite Application Object Library Unspecified Remote Issue (...

40284 Oracle E-Business Suite Mobile Application Server Unspecified Remote Issue

40283 Oracle PeopleSoft PeopleTools PeopleCode Unspecified Logging Remote Informati...
PeopleSoft PeopleTools contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when sensitive information is logged in PeopleCode, which could disclose said sensitive information, resulting in a loss of confidentiality.

40282 Oracle PeopleSoft PeopleTools PIA Unspecified XSS (PSE03)
PeopleSoft PeopleTools contains a flaw that allows a remote cross-site scripting attack. The flaw exists in the PeopleSoft Internet Architecture (PIA). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided.

40281 Oracle PeopleSoft PeopleTools Unspecified Remote XSS (PSE02)
PeopleSoft PeopleTools contains a flaw that allows a remote cross-site scripting attack. This flaw exists in the CRM component. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided.

40280 Oracle PeopleSoft PeopleTools PIA Unauthenticated XSS
PeopleSoft PeopleTools contains a flaw that allows a remote unauthenticated cross-site scripting attack. The flaw exists in the PeopleSoft Internet Architecture (PIA). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided.

40279 Oracle Collaboration Suite Ultra Search Unspecified Remote Issue

Snort® IPS/IDS

Date Description
2014-01-10 XDB.XDB_PITRIG_PKG buffer overflow attempt
RuleID : 17722 - Revision : 10 - Type : SERVER-ORACLE
2014-01-10 Oracle XDB.XDB_PITRIG_PKG sql injection attempt
RuleID : 13551 - Revision : 10 - Type : SERVER-ORACLE

Nessus® Vulnerability Scanner

Date Description
2012-01-24 Name : The remote web server may be affected by multiple vulnerabilities.
File : oracle_application_server_pci.nasl - Type : ACT_GATHER_INFO
2011-11-16 Name : The remote database server is affected by multiple vulnerabilities.
File : oracle_rdbms_cpu_jan_2008.nasl - Type : ACT_GATHER_INFO