
CERT-In Advisory CIAD-2009-20
Multiple Vulnerabilities in various Oracle products

Original issue date: April 17, 2009

Severity Rating: High

Systems Affected

  • Oracle Database 11g, version 11.1.0.6, 11.1.0.7
  • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
  • Oracle Database 10g, version 10.1.0.5
  • Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
  • Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
  • Oracle Outside In SDK HTML Export 8.2.2, 8.3.0
  • Oracle XML Publisher 5.6.2, 10.1.3.2, 10.1.3.2.1
  • Oracle BI Publisher 10.1.3.3.0, 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3, 10.1.3.4
  • Oracle E-Business Suite Release 12, version 12.0.6
  • Oracle E-Business Suite Release 11i, version 11.5.10.2
  • PeopleSoft Enterprise PeopleTools versions: 8.49
  • PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
  • Oracle WebLogic Server 10.3
  • Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3
  • Oracle WebLogic Server 8.1 through 8.1 SP6
  • Oracle WebLogic Server 7.0 through 7.0 SP7
  • Oracle WebLogic Portal 8.1 through 8.1 SP6
  • Oracle Data Service Integrator 10.3.0 and Oracle AquaLogic Data Services Platform (formerly BEA ALDSP) 3.2, 3.0.1, 3.0
  • Oracle JRockit (formerly BEA JRockit) R27.6.2 and earlier (JDK/JRE 6, 5, 1.4.2)

Overview

Multiple vulnerabilities have been reported in various Oracle and BEA products, which could be exploited by a remote or local attacker to cause a denial of service, read and manipulate certain data, disclose sensitive information, conduct SQL injection attacks, bypass security restrictions, or execute arbitrary commands.

Description

These issues are caused by errors in the Resource Manager, Core RDBMS, Workspace Manager, Advanced Queuing, Database Vault, SQLX Functions, Cluster Ready Services, Listener, Application Express, Password Policy, OPMN, BI Publisher, Outside In Technology, Portal, Oracle Application Object Library, Oracle Applications Framework, Oracle Applications Technology Stack, PeopleSoft Enterprise PeopleTools, PeopleSoft Enterprise HRMS - eBenefits, JRockit, WebLogic Server, WebLogic Portal, and Oracle Data Service Integrator (AquaLogic Data Services Platform).

Solution

Apply the patches as described in the Oracle advisory (Critical Patch Update, April 2009) listed under Vendor Information.

Vendor Information

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

References

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

http://blogs.oracle.com/security/2009/04/14/

SecurityFocus
http://www.securityfocus.com/bid/34461
http://www.securityfocus.com/archive/1/502683

SecurityTracker
http://securitytracker.com/alerts/2009/Apr/1022059.html
http://www.securitytracker.com/alerts/2009/Apr/1022058.html
http://www.securitytracker.com/alerts/2009/Apr/1022057.html
http://www.securitytracker.com/alerts/2009/Apr/1022056.html
http://www.securitytracker.com/alerts/2009/Apr/1022055.html
http://securitytracker.com/alerts/2009/Apr/1022052.html

ZDI
http://www.zerodayinitiative.com/advisories/ZDI-09-017/

CVE Name
CVE-2009-0979
CVE-2009-0985
CVE-2009-0972
CVE-2009-0977
CVE-2009-0992
CVE-2009-0984
CVE-2009-0980
CVE-2009-0975
CVE-2009-0976
CVE-2009-0978
CVE-2009-0986
CVE-2009-0973
CVE-2009-0991
CVE-2009-0981
CVE-2009-0997
CVE-2009-0988
CVE-2009-0993
CVE-2009-0989
CVE-2009-0990
CVE-2009-1008
CVE-2009-1009
CVE-2009-1010
CVE-2009-1011
CVE-2009-0974
CVE-2009-0983
CVE-2009-0994
CVE-2009-0996
CVE-2009-1017
CVE-2009-0999
CVE-2009-0995
CVE-2009-1000
CVE-2009-1013
CVE-2009-1014
CVE-2009-0998
CVE-2009-0982
CVE-2009-1006
CVE-2009-1012
CVE-2009-1016
CVE-2009-1002
CVE-2009-1001
CVE-2009-1003
CVE-2009-1005
CVE-2009-1004

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003