Executive Summary

| Summary | |
|---|---|
| Title | Oracle Updates for Multiple Vulnerabilities |
| Information | | | |
|---|---|---|---|
| Name | TA09-105A | First vendor Publication | 2009-04-15 |
| Vendor | US-CERT | Last vendor Modification | 2009-04-15 |
| Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3

| CVSS vector : N/A | | | |
|---|---|---|---|
| Overall CVSS Score | NA | | |
| Base Score | NA | Environmental Score | NA |
| Impact Sub Score | NA | Temporal Score | NA |
| Exploitability Sub Score | NA | | |
Security-Database Scoring CVSS v2

| CVSS vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | | | |
|---|---|---|---|
| CVSS Base Score | 10 | Attack Range | Network |
| CVSS Impact Score | 10 | Attack Complexity | Low |
| CVSS Exploit Score | 10 | Authentication | None Required |
Detail

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43 Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.
Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA09-105A.html
CWE : Common Weakness Enumeration

| % | Id | Name |
|---|---|---|
| 100 % | CWE-255 | Credentials Management |
ExploitDB Exploits

| Date | Description |
|---|---|
| 2009-04-21 | Oracle RDBMS 10.2.0.3/11.1.0.6 - TNS Listener PoC |
| 2009-04-16 | Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes |
OpenVAS Exploits

| Date | Name | File |
|---|---|---|
| 2009-06-05 | Ubuntu USN-763-1 (xine-lib) | nvt/ubuntu_763_1.nasl |
| 2009-06-05 | Ubuntu USN-776-2 (kvm) | nvt/ubuntu_776_2.nasl |
| 2009-04-20 | Ubuntu USN-757-1 (gs-gpl) | nvt/ubuntu_757_1.nasl |
Open Source Vulnerability Database (OSVDB)

| Id | Description |
|---|---|
| 53767 | Oracle BEA WebLogic Portal Unspecified Remote Issue |
| 53766 | Oracle BEA WebLogic Server Plug-ins for Apache Certificate Handling Remote Ov... |
| 53765 | Oracle BEA WebLogic Server Plug-ins for Web Servers Unspecified Remote Overflow |
| 53764 | Oracle BEA WebLogic Server Web Services Unspecified Remote Issue |
| 53763 | Oracle BEA WebLogic Server Servlet Container Unspecified Remote Issue (CVE-20... |
| 53762 | Oracle BEA WebLogic Server Servlet Container Unspecified Remote Issue (CVE-20... |
| 53761 | Oracle BEA JRockit Unspecified Remote Compromise |
| 53760 | Oracle BEA Oracle Data Service Integrator (AquaLogic Data Services Platform) |
| 53759 | Oracle Peoplesoft Enterprise PeopleTools Unspecified XSS. PeopleTools contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified parameters. This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. |
| 53758 | Oracle Peoplesoft Enterprise HRMS eBenefits. HRMS contains a flaw that may allow a malicious user to gain unauthorized access to eBenefits. No further details are available. |
| 53757 | Oracle Peoplesoft Enterprise PeopleTools Business Interlink Unspecified Auth... PeopleTools contains a flaw that may allow a malicious user to use Business Interlink without authentication. No further details are provided by the vendor. |
| 53756 | Oracle Peoplesoft Enterprise PeopleTools Unspecified Unauthenticated Remote I... PeopleTools contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to the node password when an unspecified, remote, unauthenticated condition occurs, which may lead to a loss of confidentiality and integrity. |
| 53755 | Oracle E-Business Suite Applications Technology Stack Multiple Default Creden... |
| 53754 | Oracle E-Business Suite Applications Framework Unspecified Remote Issue |
| 53753 | Oracle E-Business Suite Application Object Library Unspecified Remote Issue |
| 53752 | Oracle Application Server Portal Unspecified Remote Issue (CVE-2009-0983) |
| 53751 | Oracle Application Server Portal Unspecified Remote Issue (CVE-2009-0974) |
| 53750 | Oracle Outside In Technology Microsoft Office File Optional Data Stream Parsi... |
| 53749 | Oracle Outside In Technology Microsoft Office Spreadsheet Record Handling Ove... |
| 53748 | Oracle Outside In Technology Microsoft Excel Spreadsheet Record Handling Remo... |
| 53747 | Oracle Outside In Technology HTML Export Unspecified Issue (CVE-2009-1008) |
| 53746 | Oracle Application Server BI Publisher Unspecified Remote Information Disclos... |
| 53745 | Oracle Application Server BI Publisher Unspecified Remote Information Disclos... |
| 53744 | Oracle Application Server BI Publisher Unspecified Remote Information Disclos... |
| 53743 | Oracle Application Server BI Publisher Unspecified Remote Issue (CVE-2009-0990) |
| 53742 | Oracle Application Server BI Publisher Unspecified Remote Issue (CVE-2009-0989) |
| 53741 | Oracle Application Server Oracle Process Manager and Notification (opmn) Daem... |
| 53740 | Oracle Database Password History Policy Failure Re-use Weakness |
| 53739 | Oracle Database Vault DBMS_SYS_SQL Unspecified Information Disclosure |
| 53738 | Oracle Database Application Express (APEX) FLOWS_030000.WWV_FLOW_USER User Pa... |
| 53737 | Oracle Database Listener oranro11.dll ncrfintn() Function Remote DoS |
| 53736 | Oracle Database Cluster Ready Services Unspecified Remote DoS |
| 53735 | Oracle Database Workspace Manager Procedure Creation Unspecified Issue |
| 53734 | Oracle Database Workspace Manager LT.ROLLBACKWORKSPACE SQL Injection. Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to Workspace Manager not properly sanitizing user-supplied input to the LT.ROLLBACKWORKSPACE procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database. |
| 53733 | Oracle Database Workspace Manager LTADM Unspecified Remote Issue |
| 53732 | Oracle Database Workspace Manager Unspecified Remote Issue (CVE-2009-0975) |
| 53731 | Oracle Database SQLX Functions GGXQIMP Unspecified Remote Issue |
| 53730 | Oracle Database Vault DBMS_SYS_SQL Unspecified SQL Injection |
| 53729 | Oracle Database Advanced Queuing DBMS_AQIN DEQ_EXEJOB Procedure SQL Injection |
| 53728 | Oracle Database Advanced Queuing DBMS_AQADM_SYS GRANT_TYPE_ACCESS Procedure S... |
| 53727 | Oracle Database Workspace Manager Unspecified Remote Issue (CVE-2009-0972) |
| 53726 | Oracle Database Core RDBMS IMP_FULL_DATABASE Role Unspecified Remote Compromise |
| 53725 | Oracle Database Resource Manager Plan Name Parameter Remote Overflow |
Snort® IPS/IDS

| Date | Description | Rule ID | Revision | Type |
|---|---|---|---|---|
| 2014-01-10 | Oracle Application Server 10g OPMN service format string vulnerability exploi... | 17669 | 11 | SERVER-ORACLE |
| 2014-01-10 | Oracle Database DBMS TNS Listener denial of service attempt | 17055 | 7 | SERVER-ORACLE |
| 2014-01-10 | BEA WebLogic Server Plug-ins Certificate overflow attempt | 16606 | 14 | SERVER-ORACLE |
| 2014-01-10 | Application Server 10g OPMN service format string vulnerability exploit attempt | 15554 | 12 | SERVER-ORACLE |
| 2014-01-10 | Oracle Database Server RollbackWorkspace SQL injection attempt | 15515 | 8 | SERVER-ORACLE |
| 2014-01-10 | Oracle Database Application Express Component APEX password hash disclosure a... | 15488 | 8 | SERVER-ORACLE |
| 2014-01-10 | Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL inject... | 11204 | 8 | SERVER-ORACLE |
Nessus® Vulnerability Scanner

| Date | Name | File | Type |
|---|---|---|---|
| 2013-02-20 | The remote host is running a vulnerable version of Oracle Apex. | oracle_apex_CVE-2009-0981.nasl | ACT_GATHER_INFO |
| 2012-01-24 | The remote web server may be affected by multiple vulnerabilities. | oracle_application_server_pci.nasl | ACT_GATHER_INFO |
| 2011-11-16 | The remote database server is affected by multiple vulnerabilities. | oracle_rdbms_cpu_apr_2009.nasl | ACT_GATHER_INFO |