CERT-In Advisory CIAD-2009-01
Multiple Vulnerabilities in various Oracle products

Original issue date: January 14, 2009

Severity Rating: High

Systems Affected

  • Oracle Database 11g, version 11.1.0.6
  • Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
  • Oracle Database 10g, version 10.1.0.5
  • Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
  • Oracle Secure Backup versions 10.2.0.2, 10.2.0.3
  • Oracle Secure Backup versions 10.1.0.1, 10.1.0.2, 10.1.0.3
  • Oracle TimesTen In-Memory Database versions 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
  • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.3.0
  • Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
  • Oracle Collaboration Suite 10g, version 10.1.2
  • Oracle E-Business Suite Release 12, version 12.0.6
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • Oracle Enterprise Manager Grid Control 10g Release 4, versions 10.2.0.4
  • PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
  • JD Edwards Tools version 8.97
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 10.0 released through MP1, 10.3 GA
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 9.0 GA, 9.1 GA, 9.2 released through MP3
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 8.1 released through SP6
  • Oracle WebLogic Server (formerly BEA WebLogic Server) 7.0 released through SP7
  • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 10.0 released through MP1, 10.2 GA, 10.3 GA
  • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 9.2 released through MP3
  • Oracle WebLogic Portal (formerly BEA WebLogic Portal) 8.1 released through SP6

Overview

Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by a remote or local attacker to cause denial of service or to affect the confidentiality, integrity and availability of data on the target system.

Description

Multiple vulnerabilities have been reported in Oracle products, the severity of which varies depending on the product, component, and configuration of the system. Specific details of each of these vulnerabilities are not currently available. Authentication is not required to exploit some of these vulnerabilities. Successful exploitation may affect the availability of the target system, the confidentiality and integrity of data on the target system, or cause denial of service conditions.

Solution

Apply the patches as mentioned in the Oracle advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Vendor Information

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

http://blogs.oracle.com/security/2009/01/13/


References

SecurityFocus
www.securityfocus.com/bid/33177

iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=767

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768

http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769

Oracle BEA
https://support.bea.com/application_content/product_portlets/securityadvisories/2809.html

https://support.bea.com/application_content/product_portlets/securityadvisories/2808.html

https://support.bea.com/application_content/product_portlets/securityadvisories/2807.html

https://support.bea.com/application_content/product_portlets/securityadvisories/2810.html

https://support.bea.com/application_content/product_portlets/securityadvisories/2811.html


CVE Name
CVE-2008-5440
CVE-2008-4006
CVE-2008-5444
CVE-2008-5448
CVE-2008-5449
CVE-2008-3981
CVE-2008-5441
CVE-2008-5442
CVE-2008-5443
CVE-2008-5445
CVE-2008-4017
CVE-2008-4014
CVE-2008-5438
CVE-2008-2623
CVE-2008-4016
CVE-2008-5458
CVE-2008-5454
CVE-2008-5446
CVE-2008-5450
CVE-2008-5447
CVE-2008-4007
CVE-2008-5452
CVE-2008-5463
CVE-2008-5456
CVE-2008-5455
CVE-2008-5451
CVE-2008-5457
CVE-2008-5462
CVE-2008-5461
CVE-2008-5459
CVE-2008-5460

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003