CERT-In Advisory CIAD-2008-50
Multiple Vulnerabilities in various Oracle products
Original issue date: October 15, 2008
Severity Rating: High
Systems Affected
- Oracle Database 11g, version 11.1.0.6
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.3.0, 10.1.3.4.0
- Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
- Oracle Application Server 10g (9.0.4), version 9.0.4.3
- Oracle E-Business Suite Release 12, version 12.0.4
- Oracle E-Business Suite Release 11i, version 11.5.10.2
- Oracle PeopleSoft Enterprise PeopleTools versions 8.48.18, 8.49.14
- Oracle PeopleSoft Enterprise Portal versions 8.9, 9.0
- Oracle JD Edwards EnterpriseOne Tools versions 8.97, 8.98
- Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA
- Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3
- Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
- Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
- Oracle WebLogic Server (formerly BEA WebLogic Server) 6.1 released through SP7
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 10.0 released through MP1, 10.2 GA, 10.3 GA
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 9.0, 9.1, 9.2 released through MP3
- Oracle Workshop for WebLogic (formerly BEA WebLogic Workshop) 8.1 released through SP6
Overview
Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by a remote attacker to cause denial of service and to affect the confidentiality and integrity of data on the target system and the availability of the target system.
Description
Multiple vulnerabilities have been reported in Oracle products, the severity of which varies depending on the product, component, and configuration of the system. Authentication is not required for exploiting some of these vulnerabilities. Successful exploitation may affect the availability of the target system, the confidentiality and integrity of data on the target system or cause denial of service conditions.
Solution
Apply patches as mentioned in Oracle Advisory
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
Vendor Information
Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html
http://blogs.oracle.com/security/2008/10/14
References
SecurityFocus
http://www.securityfocus.com/bid/31683
SecurityTracker
http://securitytracker.com/alerts/2008/Oct/1021050.html
BEA
https://support.bea.com/application_content/product_portlets/securityadvisories/index.html
CVE Name
CVE-2008-3996
CVE-2008-3992
CVE-2008-3976
CVE-2008-3982
CVE-2008-3983
CVE-2008-3984
CVE-2008-3994
CVE-2008-3980
CVE-2008-4005
CVE-2008-2625
CVE-2008-3990
CVE-2008-3991
CVE-2008-3975
CVE-2008-3977
CVE-2008-2619
CVE-2008-2588
CVE-2008-3986
CVE-2008-3987
CVE-2008-3985
CVE-2008-3988
CVE-2008-3998
CVE-2008-2619
CVE-2008-3993
CVE-2008-4000
CVE-2008-4001
CVE-2008-4003
CVE-2008-4002
CVE-2008-4004
CVE-2008-4008
CVE-2008-4013
CVE-2008-4010
CVE-2008-4009
CVE-2008-4012
CVE-2008-4011
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
