Executive Summary

Summary
Title Oracle Updates for Multiple Vulnerabilities
Informations
Name TA09-105A First vendor Publication 2009-04-15
Vendor US-CERT Last vendor Modification 2009-04-15
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score 10 Attack Range Network
Cvss Impact Score 10 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA09-105A.html

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-255 Credentials Management

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 6
Application 4
Application 5
Application 11
Application 3
Application 2
Application 2
Application 7
Application 2
Application 1
Application 3
Application 15
Application 1

ExploitDB Exploits

id Description
2009-04-21 Oracle RDBMS 10.2.0.3/11.1.0.6 - TNS Listener PoC
2009-04-16 Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes

OpenVAS Exploits

Date Description
2009-06-05 Name : Ubuntu USN-763-1 (xine-lib)
File : nvt/ubuntu_763_1.nasl
2009-06-05 Name : Ubuntu USN-776-2 (kvm)
File : nvt/ubuntu_776_2.nasl
2009-04-20 Name : Ubuntu USN-757-1 (gs-gpl)
File : nvt/ubuntu_757_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
53767 Oracle BEA WebLogic Portal Unspecified Remote Issue

53766 Oracle BEA WebLogic Server Plug-ins for Apache Certificate Handling Remote Ov...

53765 Oracle BEA WebLogic Server Plug-ins for Web Servers Unspecified Remote Overflow

53764 Oracle BEA WebLogic Server Web Services Unspecified Remote Issue

53763 Oracle BEA WebLogic Server Servlet Container Unspecified Remote Issue (CVE-20...

53762 Oracle BEA WebLogic Server Servlet Container Unspecified Remote Issue (CVE-20...

53761 Oracle BEA JRockit Unspecified Remote Compromise

53760 Oracle BEA Oracle Data Service Integrator (AquaLogic Data Services Platform)

53759 Oracle Peoplesoft Enterprise PeopleTools Unspecified XSS

PeopleTools contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified parameters. This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
53758 Oracle Peoplesoft Enterprise HRMS eBenefits

HRMS contains a flaw that may allow a malicious user to gain unauthorized access to eBenefits. No further details are available.
53757 Oracle Peoplesoft Enterprise PeopleTools Business Interlink Unspecified Auth...

PeopleTools contains a flaw that may allow a malicious user to use Business Interlink without authentication. No further details are provided by the vendor.
53756 Oracle Peoplesoft Enterprise PeopleTools Unspecified Unauthenticated Remote I...

PeopleTools contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to the node password when an unspecified, remote, unauthenticated condition occurs, which may lead to a loss of confidentiality and integrity.
53755 Oracle E-Business Suite Applications Technology Stack Multiple Default Creden...

53754 Oracle E-Business Suite Applications Framework Unspecified Remote Issue

53753 Oracle E-Business Suite Application Object Library Unspecified Remote Issue

53752 Oracle Application Server Portal Unspecified Remote Issue (CVE-2009-0983)

53751 Oracle Application Server Portal Unspecified Remote Issue (CVE-2009-0974)

53750 Oracle Outside In Technology Microsoft Office File Optional Data Stream Parsi...

53749 Oracle Outside In Technology Microsoft Office Spreadsheet Record Handling Ove...

53748 Oracle Outside In Technology Microsoft Excel Spreadsheet Record Handling Remo...

53747 Oracle Outside In Technology HTML Export Unspecified Issue (CVE-2009-1008)

53746 Oracle Application Server BI Publisher Unspecified Remote Information Disclos...

53745 Oracle Application Server BI Publisher Unspecified Remote Information Disclos...

53744 Oracle Application Server BI Publisher Unspecified Remote Information Disclos...

53743 Oracle Application Server BI Publisher Unspecified Remote Issue (CVE-2009-0990)

53742 Oracle Application Server BI Publisher Unspecified Remote Issue (CVE-2009-0989)

53741 Oracle Application Server Oracle Process Manager and Notification (opmn) Daem...

53740 Oracle Database Password History Policy Failure Re-use Weakness

53739 Oracle Database Vault DBMS_SYS_SQL Unspecified Information Disclosure

53738 Oracle Database Application Express (APEX) FLOWS_030000.WWV_FLOW_USER User Pa...

53737 Oracle Database Listener oranro11.dll ncrfintn() Function Remote DoS

53736 Oracle Database Cluster Ready Services Unspecified Remote DoS

53735 Oracle Database Workspace Manager Procedure Creation Unspecified Issue

53734 Oracle Database Workspace Manager LT.ROLLBACKWORKSPACE SQL Injection

Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to Workspace Manager not properly sanitizing user-supplied input to the LT.ROLLBACKWORKSPACE procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
53733 Oracle Database Workspace Manager LTADM Unspecified Remote Issue

53732 Oracle Database Workspace Manager Unspecified Remote Issue (CVE-2009-0975)

53731 Oracle Database SQLX Functions GGXQIMP Unspecified Remote Issue

53730 Oracle Database Vault DBMS_SYS_SQL Unspecified SQL Injection

53729 Oracle Database Advanced Queuing DBMS_AQIN DEQ_EXEJOB Procedure SQL Injection

53728 Oracle Database Advanced Queuing DBMS_AQADM_SYS GRANT_TYPE_ACCESS Procedure S...

53727 Oracle Database Workspace Manager Unspecified Remote Issue (CVE-2009-0972)

53726 Oracle Database Core RDBMS IMP_FULL_DATABASE Role Unspecified Remote Compromise

53725 Oracle Database Resource Manager Plan Name Parameter Remote Overflow

Snort® IPS/IDS

Date Description
2014-01-10 Oracle Application Server 10g OPMN service format string vulnerability exploi...
RuleID : 17669 - Revision : 11 - Type : SERVER-ORACLE
2014-01-10 Oracle Database DBMS TNS Listener denial of service attempt
RuleID : 17055 - Revision : 7 - Type : SERVER-ORACLE
2014-01-10 BEA WebLogic Server Plug-ins Certificate overflow attempt
RuleID : 16606 - Revision : 14 - Type : SERVER-ORACLE
2014-01-10 Application Server 10g OPMN service format string vulnerability exploit attempt
RuleID : 15554 - Revision : 12 - Type : SERVER-ORACLE
2014-01-10 Oracle Database Server RollbackWorkspace SQL injection attempt
RuleID : 15515 - Revision : 8 - Type : SERVER-ORACLE
2014-01-10 Oracle Database Application Express Component APEX password hash disclosure a...
RuleID : 15488 - Revision : 8 - Type : SERVER-ORACLE
2014-01-10 Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL inject...
RuleID : 11204 - Revision : 8 - Type : SERVER-ORACLE

Nessus® Vulnerability Scanner

Date Description
2013-02-20 Name : The remote host is running a vulnerable version of Oracle Apex.
File : oracle_apex_CVE-2009-0981.nasl - Type : ACT_GATHER_INFO
2012-01-24 Name : The remote web server may be affected by multiple vulnerabilities.
File : oracle_application_server_pci.nasl - Type : ACT_GATHER_INFO
2011-11-16 Name : The remote database server is affected by multiple vulnerabilities.
File : oracle_rdbms_cpu_apr_2009.nasl - Type : ACT_GATHER_INFO