
CERT-In Advisory CIAD-2008-05
Multiple Vulnerabilities in various Oracle products

Original issue date: January 24, 2008

Severity Rating: High

Systems Affected

•  Oracle Database 11g, version 11.1.0.6
•  Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
•  Oracle Database 10g, version 10.1.0.5
•  Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
•  Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0, 10.1.3.3.0
•  Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
•  Oracle Application Server 10g (9.0.4), version 9.0.4.3
•  Oracle Collaboration Suite 10g, version 10.1.2
•  Oracle E-Business Suite Release 12, versions 12.0.0 - 12.0.3
•  Oracle E-Business Suite Release 11i, versions 11.5.9 - 11.5.10 CU2
•  Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6
•  Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
•  Oracle PeopleSoft Enterprise Human Capital Management versions 8.9, 9.0 (Absence Management Module)

Overview

Multiple vulnerabilities exist in various Oracle products, which could be exploited by a malicious user, locally or remotely, to cause denial of service, conduct SQL injection and cross-site scripting attacks, or bypass certain security restrictions.

Description

Multiple vulnerabilities exist in Oracle products; they vary depending on the product, component, and configuration of the system. An attacker can exploit these vulnerabilities to execute arbitrary code, resulting in information disclosure. Authorization is not required to exploit these vulnerabilities. Successful exploitation may result in disclosure of sensitive information, denial-of-service conditions, SQL injection and cross-site scripting attacks, or bypass of certain security restrictions.

Solution

Apply the patches as mentioned in the Oracle advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html

Vendor Information

Oracle Corporation
http://www.oracle.com/

References

SecurityFocus:
http://www.securityfocus.com/bid/27229

Secunia:
http://secunia.com/advisories/28518

SecurityTracker:
http://securitytracker.com/alerts/2008/Jan/1019218.html

CVE Name
CVE-2008-0339
CVE-2008-0340
CVE-2008-0341
CVE-2008-0342
CVE-2008-0343
CVE-2008-0344
CVE-2008-0345
CVE-2008-0346
CVE-2008-0347
CVE-2008-0348
CVE-2008-0349

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003