
CERT-In Advisory CIAD-2008-37
Multiple Vulnerabilities in various Oracle products

Original issue date: July 16, 2008

Severity Rating: High

Systems Affected

  • Oracle Database 11g, version 11.1.0.6
  • Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
  • Oracle Database 10g, version 10.1.0.5
  • Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
  • Oracle TimesTen In-Memory Database version 7.0.3.0.0
  • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.1.0, 10.1.3.3.0
  • Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
  • Oracle Application Server 10g (9.0.4), version 9.0.4.3
  • Oracle Hyperion BI Plus versions 9.2.0.3, 9.2.1.0, and 9.3.1.0
  • Oracle Hyperion Performance Suite versions 8.3.2.4 and 8.5.0.3
  • Oracle E-Business Suite Release 12, version 12.0.4
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Enterprise Manager Database Control 11i version 11.1.0.6
  • Oracle Enterprise Manager Database Control 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
  • Oracle Enterprise Manager Database Control 10g Release 1, version 10.1.0.5
  • Oracle Enterprise Manager Grid Control 10g Release 1, versions 10.1.0.5, 10.1.0.6
  • Oracle PeopleSoft Enterprise PeopleTools versions 8.48.17, 8.49.11
  • Oracle PeopleSoft Enterprise CRM versions 8.9, 9.0
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0, 9.1, 9.2 released through MP3
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 6.1 released through SP7
  • Oracle Database 9i, version 9.0.1.5 FIPS+
  • Oracle Application Server 9i Release 1, version 1.0.2.2

Overview

Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by a local or remote attacker to cause a denial of service, disclose system information, or modify user or system information.

Description

Multiple vulnerabilities have been reported in Oracle products; their severity varies depending on the product, component, and configuration of the system. Authentication is not required to exploit some of these vulnerabilities. Successful exploitation may result in disclosure of sensitive information or a denial of service.

Solutions

Apply the patches listed in the Oracle advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Vendor Information

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
http://blogs.oracle.com/security/2008/07/15

References

AusCERT
http://www.auscert.org.au/render.html?it=9592

SecurityFocus
http://www.securityfocus.com/bid/28725/

SecurityTracker
http://securitytracker.com/alerts/2008/Jul/1020493.html
http://securitytracker.com/alerts/2008/Jul/1020494.html
http://securitytracker.com/alerts/2008/Jul/1020495.html
http://securitytracker.com/alerts/2008/Jul/1020496.html
http://securitytracker.com/alerts/2008/Jul/1020497.html
http://securitytracker.com/alerts/2008/Jul/1020498.html
http://securitytracker.com/alerts/2008/Jul/1020499.html

CVE Names
CVE-2008-2577
CVE-2008-2578
CVE-2008-2579
CVE-2008-2580
CVE-2008-2581
CVE-2008-2582
CVE-2007-1359
CVE-2008-2583
CVE-2008-2585
CVE-2008-2586
CVE-2008-2587
CVE-2008-2589
CVE-2008-2590
CVE-2008-2591
CVE-2008-2592
CVE-2008-2593
CVE-2008-2594
CVE-2008-2595
CVE-2008-2596
CVE-2008-2597
CVE-2008-2598
CVE-2008-2599
CVE-2008-2600
CVE-2008-2601
CVE-2008-2602
CVE-2008-2603
CVE-2008-2604
CVE-2008-2605
CVE-2008-2606
CVE-2008-2607
CVE-2008-2608
CVE-2008-2609
CVE-2008-2610
CVE-2008-2611
CVE-2008-2612
CVE-2008-2613
CVE-2008-2614
CVE-2008-2615
CVE-2008-2616
CVE-2008-2617
CVE-2008-2618
CVE-2008-2619
CVE-2008-2620
CVE-2008-2621

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003