10 - TA09-105A

Executive Summary

Summary
Title	Oracle Updates for Multiple Vulnerabilities

Informations
Name	TA09-105A	First vendor Publication	2009-04-15
Vendor	US-CERT	Last vendor Modification	2009-04-15
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C)
Cvss Base Score	10	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	10	Authentication	None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43
vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers.
An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

Original Source

Url : http://www.us-cert.gov/cas/techalerts/TA09-105A.html

CWE : Common Weakness Enumeration

%	Id	Name
100 %	CWE-255	Credentials Management

CPE : Common Platform Enumeration

Type	Description	Count
Application	Ibm Websphere Portal cpe:2.3:a:ibm:websphere_portal:8.0.0.0:::::::* cpe:2.3:a:ibm:websphere_portal:7.0.0.0:::::::* cpe:2.3:a:ibm:websphere_portal:6.1.5.0:::::::* cpe:2.3:a:ibm:websphere_portal:6.1.0.0:::::::* cpe:2.3:a:ibm:websphere_portal:6.0.1.0:::::::* cpe:2.3:a:ibm:websphere_portal:6.0.0.0:::::::*	6
Application	Oracle Application Server cpe:2.3:a:oracle:application_server:10.1.4.2.0:::::::* cpe:2.3:a:oracle:application_server:10.1.3.4:::::::* cpe:2.3:a:oracle:application_server:10.1.3.3.3:::::::* cpe:2.3:a:oracle:application_server:10.1.3.2.1:::::::* cpe:2.3:a:oracle:application_server:10.1.2.3.0:::::::* cpe:2.3:a:oracle:application_server:8.3.0:::::::* cpe:2.3:a:oracle:application_server:8.2.2:::::::* cpe:2.3:a:oracle:application_server:8.1.9:::::::* cpe:2.3:a:oracle:application_server:5.6.2:::::::*	9
Application	Oracle Bea Product Suite cpe:2.3:a:oracle:bea_product_suite:10.3.0:::::::* cpe:2.3:a:oracle:bea_product_suite:10.3:::::::* cpe:2.3:a:oracle:bea_product_suite:10.0:mp1:::::: cpe:2.3:a:oracle:bea_product_suite:9.2:mp3:::::: cpe:2.3:a:oracle:bea_product_suite:9.1:::::::* cpe:2.3:a:oracle:bea_product_suite:9.0:::::::* cpe:2.3:a:oracle:bea_product_suite:8.1:sp6:::::: cpe:2.3:a:oracle:bea_product_suite:7.0:sp7:::::: cpe:2.3:a:oracle:bea_product_suite:3.2:::::::* cpe:2.3:a:oracle:bea_product_suite:3.0.1:::::::* cpe:2.3:a:oracle:bea_product_suite:3.0:::::::*	11
Application	Oracle Database 10G cpe:2.3:a:oracle:database_10g:10.2.0.4:::::::* cpe:2.3:a:oracle:database_10g:10.2.0.3:::::::* cpe:2.3:a:oracle:database_10g:10.1.0.5:::::::*	3
Application	Oracle Database 11G cpe:2.3:a:oracle:database_11g:11.1.0.7:::::::* cpe:2.3:a:oracle:database_11g:11.1.0.6:::::::*	2
Application	Oracle Database 9I cpe:2.3:a:oracle:database_9i:9.2.0.8dv:::::::* cpe:2.3:a:oracle:database_9i:9.2.0.8:::::::*	2
Application	Oracle Database Server cpe:2.3:a:oracle:database_server:11.1.0.7:::::::* cpe:2.3:a:oracle:database_server:11.1.0.6:::::::* cpe:2.3:a:oracle:database_server:10.2.0.4:::::::* cpe:2.3:a:oracle:database_server:10.2.0.3:::::::* cpe:2.3:a:oracle:database_server:10.1.0.5:::::::* cpe:2.3:a:oracle:database_server:9.2.0.8dv:::::::* cpe:2.3:a:oracle:database_server:9.2.0.8:::::::*	7
Application	Oracle E-Business Suite cpe:2.3:a:oracle:e-business_suite:12.0.6:::::::* cpe:2.3:a:oracle:e-business_suite:11i10cu2:::::::*	2
Application	Oracle E-Business Suite 12 cpe:2.3:a:oracle:e-business_suite_12:12.0.6:::::::*	1
Application	Oracle Jd Edwards Enterpriseone cpe:2.3:a:oracle:jd_edwards_enterpriseone:9.0.8:::::::* cpe:2.3:a:oracle:jd_edwards_enterpriseone:8.9.18:::::::* cpe:2.3:a:oracle:jd_edwards_enterpriseone:8.49.19:::::::*	3
Application	Oracle Jrockit cpe:2.3:a:oracle:jrockit:r27.6.2:::::::* cpe:2.3:a:oracle:jrockit:r27.6.1:::::::* cpe:2.3:a:oracle:jrockit:r27.6.0:::::::* cpe:2.3:a:oracle:jrockit:r27.6:::::::* cpe:2.3:a:oracle:jrockit:r27.5:::::::* cpe:2.3:a:oracle:jrockit:r27.4:::::::* cpe:2.3:a:oracle:jrockit:r27.3.1:::::::* cpe:2.3:a:oracle:jrockit:r27.3:::::::* cpe:2.3:a:oracle:jrockit:r27.2:::::::* cpe:2.3:a:oracle:jrockit:r27.1:::::::* cpe:2.3:a:oracle:jrockit:r26.4:::::::* cpe:2.3:a:oracle:jrockit:r26.3:::::::* cpe:2.3:a:oracle:jrockit:r26.2:::::::* cpe:2.3:a:oracle:jrockit:r26.1:::::::* cpe:2.3:a:oracle:jrockit:r26.0:::::::*	15
Application	Oracle Peoplesoft Enterprise cpe:2.3:a:oracle:peoplesoft_enterprise::::::::	1

ExploitDB Exploits

id	Description
2009-04-21	Oracle RDBMS 10.2.0.3/11.1.0.6 - TNS Listener PoC
2009-04-16	Oracle APEX 3.2 Unprivileged DB users can see APEX password hashes

OpenVAS Exploits

Date	Description
2009-06-05	Name : Ubuntu USN-763-1 (xine-lib) File : nvt/ubuntu_763_1.nasl
2009-06-05	Name : Ubuntu USN-776-2 (kvm) File : nvt/ubuntu_776_2.nasl
2009-04-20	Name : Ubuntu USN-757-1 (gs-gpl) File : nvt/ubuntu_757_1.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
53767	Oracle BEA WebLogic Portal Unspecified Remote Issue
53766	Oracle BEA WebLogic Server Plug-ins for Apache Certificate Handling Remote Ov...
53765	Oracle BEA WebLogic Server Plug-ins for Web Servers Unspecified Remote Overflow
53764	Oracle BEA WebLogic Server Web Services Unspecified Remote Issue
53763	Oracle BEA WebLogic Server Servlet Container Unspecified Remote Issue (CVE-20...
53762	Oracle BEA WebLogic Server Servlet Container Unspecified Remote Issue (CVE-20...
53761	Oracle BEA JRockit Unspecified Remote Compromise
53760	Oracle BEA Oracle Data Service Integrator (AquaLogic Data Services Platform)
53759	Oracle Peoplesoft Enterprise PeopleTools Unspecified XSS PeopleTools contains a flaw that allows a remote cross site scripting attack. This flaw exists because the application does not validate unspecified parameters. This could allow an attacker to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity.
53758	Oracle Peoplesoft Enterprise HRMS eBenefits HRMS contains a flaw that may allow a malicious user to gain unauthorized access to eBenefits. No further details are available.
53757	Oracle Peoplesoft Enterprise PeopleTools Business Interlink Unspecified Auth... PeopleTools contains a flaw that may allow a malicious user to use Business Interlink without authentication. No further details are provided by the vendor.
53756	Oracle Peoplesoft Enterprise PeopleTools Unspecified Unauthenticated Remote I... PeopleTools contains a flaw that may lead to an unauthorized password exposure. It is possible to gain access to the node password when an unspecified, remote, unauthenticated condition occurs, which may lead to a loss of confidentiality and integrity.
53755	Oracle E-Business Suite Applications Technology Stack Multiple Default Creden...
53754	Oracle E-Business Suite Applications Framework Unspecified Remote Issue
53753	Oracle E-Business Suite Application Object Library Unspecified Remote Issue
53752	Oracle Application Server Portal Unspecified Remote Issue (CVE-2009-0983)
53751	Oracle Application Server Portal Unspecified Remote Issue (CVE-2009-0974)
53750	Oracle Outside In Technology Microsoft Office File Optional Data Stream Parsi...
53749	Oracle Outside In Technology Microsoft Office Spreadsheet Record Handling Ove...
53748	Oracle Outside In Technology Microsoft Excel Spreadsheet Record Handling Remo...
53747	Oracle Outside In Technology HTML Export Unspecified Issue (CVE-2009-1008)
53746	Oracle Application Server BI Publisher Unspecified Remote Information Disclos...
53745	Oracle Application Server BI Publisher Unspecified Remote Information Disclos...
53744	Oracle Application Server BI Publisher Unspecified Remote Information Disclos...
53743	Oracle Application Server BI Publisher Unspecified Remote Issue (CVE-2009-0990)
53742	Oracle Application Server BI Publisher Unspecified Remote Issue (CVE-2009-0989)
53741	Oracle Application Server Oracle Process Manager and Notification (opmn) Daem...
53740	Oracle Database Password History Policy Failure Re-use Weakness
53739	Oracle Database Vault DBMS_SYS_SQL Unspecified Information Disclosure
53738	Oracle Database Application Express (APEX) FLOWS_030000.WWV_FLOW_USER User Pa...
53737	Oracle Database Listener oranro11.dll ncrfintn() Function Remote DoS
53736	Oracle Database Cluster Ready Services Unspecified Remote DoS
53735	Oracle Database Workspace Manager Procedure Creation Unspecified Issue
53734	Oracle Database Workspace Manager LT.ROLLBACKWORKSPACE SQL Injection Oracle Database contains a flaw that may allow an attacker to carry out an SQL injection attack. The issue is due to Workspace Manager not properly sanitizing user-supplied input to the LT.ROLLBACKWORKSPACE procedure. This may allow an attacker to inject or manipulate SQL queries in the back-end database.
53733	Oracle Database Workspace Manager LTADM Unspecified Remote Issue
53732	Oracle Database Workspace Manager Unspecified Remote Issue (CVE-2009-0975)
53731	Oracle Database SQLX Functions GGXQIMP Unspecified Remote Issue
53730	Oracle Database Vault DBMS_SYS_SQL Unspecified SQL Injection
53729	Oracle Database Advanced Queuing DBMS_AQIN DEQ_EXEJOB Procedure SQL Injection
53728	Oracle Database Advanced Queuing DBMS_AQADM_SYS GRANT_TYPE_ACCESS Procedure S...
53727	Oracle Database Workspace Manager Unspecified Remote Issue (CVE-2009-0972)
53726	Oracle Database Core RDBMS IMP_FULL_DATABASE Role Unspecified Remote Compromise
53725	Oracle Database Resource Manager Plan Name Parameter Remote Overflow

Snort® IPS/IDS

Date	Description
2014-01-10	Oracle Application Server 10g OPMN service format string vulnerability exploi... RuleID : 17669 - Revision : 11 - Type : SERVER-ORACLE
2014-01-10	Oracle Database DBMS TNS Listener denial of service attempt RuleID : 17055 - Revision : 7 - Type : SERVER-ORACLE
2014-01-10	BEA WebLogic Server Plug-ins Certificate overflow attempt RuleID : 16606 - Revision : 14 - Type : SERVER-ORACLE
2014-01-10	Application Server 10g OPMN service format string vulnerability exploit attempt RuleID : 15554 - Revision : 12 - Type : SERVER-ORACLE
2014-01-10	Oracle Database Server RollbackWorkspace SQL injection attempt RuleID : 15515 - Revision : 8 - Type : SERVER-ORACLE
2014-01-10	Oracle Database Application Express Component APEX password hash disclosure a... RuleID : 15488 - Revision : 8 - Type : SERVER-ORACLE
2014-01-10	Oracle Database DBMS_AQADM_SYS package GRANT_TYPE_ACCESS procedure SQL inject... RuleID : 11204 - Revision : 8 - Type : SERVER-ORACLE

Nessus® Vulnerability Scanner

Date	Description
2013-02-20	Name : The remote host is running a vulnerable version of Oracle Apex. File : oracle_apex_CVE-2009-0981.nasl - Type : ACT_GATHER_INFO
2012-01-24	Name : The remote web server may be affected by multiple vulnerabilities. File : oracle_application_server_pci.nasl - Type : ACT_GATHER_INFO
2011-11-16	Name : The remote database server is affected by multiple vulnerabilities. File : oracle_rdbms_cpu_apr_2009.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
CWE ID(s)	1
CPE ID(s)	62
osvdb(s)	43
ExploitDB Exploit(s)	2
Openvas Exploit(s)	3
Snort® Rule(s)	7
Nessus® Exploit(s)	3

	Related
10	CVE-2009-1012
10	CVE-2009-1006
9	CVE-2009-0979
8.5	CVE-2009-1016
7.5	CVE-2009-1000
7.5	CVE-2009-0993
7.1	CVE-2009-0985
6.8	CVE-2009-0999
6.5	CVE-2009-0972
6.4	CVE-2009-1013
5.8	CVE-2009-1014
5.8	CVE-2009-1002
5.5	CVE-2009-1001
5.5	CVE-2009-0998
5.5	CVE-2009-0992
5.5	CVE-2009-0990
5.5	CVE-2009-0989
5.5	CVE-2009-0984
5.5	CVE-2009-0980
5.5	CVE-2009-0978
5.5	CVE-2009-0977
5.5	CVE-2009-0976
5.5	CVE-2009-0975
5.4	CVE-2009-0986
5	CVE-2009-1003
5	CVE-2009-0991
5	CVE-2009-0973
4.4	CVE-2009-1011
4.4	CVE-2009-1010
4.4	CVE-2009-1009
4.4	CVE-2009-1008
4.3	CVE-2009-0995
4.3	CVE-2009-0983
4.3	CVE-2009-0974
4.1	CVE-2009-1005
4	CVE-2009-1017
4	CVE-2009-1004
4	CVE-2009-0997
4	CVE-2009-0996
4	CVE-2009-0994
4	CVE-2009-0982
4	CVE-2009-0981
2.1	CVE-2009-0988
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 43 more Alert(s)