CERT-In Advisory CIAD-2010-10
Multiple Vulnerabilities in various Oracle products
Original Issue Date: February 12, 2010
Severity Rating: High
System Affected
- Oracle Database 11g, version 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
- Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5*, 10.1.3.5.1*
- Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
- Oracle Access Manager versions 7.0.4.3, 10.1.4.2
- Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
- Oracle E-Business Suite Release 11i, version 11.5.10.2
- PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0
- Oracle WebLogic Server 10.0 through MP2, 10.3.0 and 10.3.1
- Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3
- Oracle WebLogic Server 8.1 through 8.1 SP6
- Oracle WebLogic Server 7.0 through 7.0 SP7
- Oracle JRockit R27.6.5 and earlier (JDK/JRE 6, 5, 1.4.2)
- Primavera P6 Enterprise Project Portfolio Management 6.1, 6.2.1 and 7.0
- Primavera P6 Web Services 6.2.1, 7.0 and 7.0SP1
Overview
Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by a remote or local attacker. The impact of these vulnerabilities includes remote execution of arbitrary code, information disclosure, and denial of service.
Description
Multiple vulnerabilities have been reported in Oracle products, the severity of which varies depending on the product, component, and configuration of the system. Specific details of each of these vulnerabilities are not currently available. Authentication is not required to exploit some of these vulnerabilities. Successful exploitation may affect the availability of the target system and the confidentiality and integrity of data on it.
1. Oracle Database Server (CVE-2010-0071, CVE-2009-3414, CVE-2009-1996, CVE-2009-3410, CVE-2009-3413, CVE-2009-3412)
Multiple vulnerabilities have been reported in various components of Oracle Database Server (Listener, Oracle OLAP, Application Express Application Builder, Oracle Data Pump, Oracle Spatial, Logical Standby, RDBMS, Unzip). One of these vulnerabilities may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.
2. Vulnerability in Oracle Secure Backup (CVE-2010-0072)
Oracle Secure Backup provides centralized tape backup management that protects distributed, heterogeneous file system data and the Oracle database, with features such as backup encryption, dynamic drive sharing and tape vaulting. A vulnerability has been reported in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3. The vulnerability can be exploited by a remote attacker without authentication, i.e., it may be exploited over a network without the need for a username.
3. Vulnerability in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne (CVE-2010-0080)
A vulnerability has been reported in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne in the PeopleSoft Enterprise HCM - eProfile component. The vulnerability can be exploited by a remote attacker without authentication, i.e., it may be exploited over a network without the need for a username and password.
4. Vulnerabilities in BEA Product Suite (CVE-2010-0079, CVE-2010-0068, CVE-2010-0074, CVE-2010-0078, CVE-2010-0069)
Multiple vulnerabilities have been reported in components of BEA Product Suite (JRockit, WebLogic Server). All of these vulnerabilities can be exploited by a remote attacker without authentication, i.e., they may be exploited over a network without the need for a username.
5. Vulnerabilities in Oracle Primavera Product Suite (CVE-2009-2625)
Two vulnerabilities have been reported in components of Oracle Primavera Product Suite (Primavera P6 Enterprise Project Portfolio Management, Primavera Web Services). Neither of these vulnerabilities can be exploited by a remote attacker without authentication.
6. Oracle WebLogic Server Node Manager Security Bypass Vulnerability (CVE-2010-0073)
A security bypass vulnerability has been reported in the Node Manager component of Oracle WebLogic Server. It can be exploited to obtain full control of the system without the need for logon credentials.
7. Oracle Application Server 7.0.4.3 and 10.1.4.2 Access Manager Identity Server Component Remote Code Execution Vulnerability (CVE-2010-0066)
A vulnerability has been reported in the Access Manager Identity Server component in Oracle Application Server 7.0.4.3 and 10.1.4.2 that could allow remote code execution.
8. Oracle Application Server 10.1.2.3 and 10.1.3.4 Oracle Containers for J2EE Component Remote Code Execution Vulnerability (CVE-2010-0067)
A vulnerability has been reported in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 that could allow remote code execution.
9. Remote Code Execution Vulnerability in Oracle Containers for J2EE Component in Oracle Application Server 10.1.2.3 and 10.1.3.4 (CVE-2010-0070)
A vulnerability has been reported in the Oracle Containers for J2EE component in Oracle Application Server 10.1.2.3 and 10.1.3.4 that could allow remote code execution.
10. Remote Code Execution Vulnerability in Oracle CRM Technical Foundation (Mobile) Component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 (CVE-2010-0077)
A vulnerability has been reported in the CRM Technical Foundation (Mobile) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 that could allow remote code execution.
11. Remote Code Execution Vulnerability in Oracle HRMS (Self Service) Component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 (CVE-2010-0075)
A vulnerability has been reported in the HRMS (Self Service) component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 that could allow remote code execution.
12. Vulnerability in Oracle Database OLAP Component (CVE-2009-3415)
A vulnerability has been reported in the OLAP component of Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5 and 10.2.0.3 that could result in the unwanted disclosure of information or a denial of service. The flaw is an unspecified vulnerability that could allow unauthorized disclosure of information, unauthorized modification, or disruption of service.
13. Remote Code Execution Vulnerability in Oracle Application Object Library Component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 (CVE-2009-3416)
A vulnerability has been reported in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 that could allow remote code execution.
14. Vulnerability in Oracle Database Application Express Application Builder component (CVE-2010-0076)
A vulnerability has been reported in the Application Express Application Builder component in Oracle Database 3.2.1.00.10 that could allow remote authenticated users to disclose information.
15. Vulnerability in Oracle Database Data Pump Component (CVE-2009-3411)
A vulnerability has been reported in the Data Pump component in Oracle Database 11.1.0.7, 10.2.0.3, 10.2.0.4, 10.1.0.5, 9.2.0.8, and 9.2.0.8DV that could allow the unwanted disclosure of information or a denial of service.
Solution
Apply patches as mentioned in the Oracle Advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
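Before patching, most teams first need to know which hosts actually run an affected release. The following is an added example for this advisory, not CERT-In or Oracle code: it matches a constructed inventory of installed Oracle product versions against the exact versions in the System Affected list and against the "R27.6.5 and earlier" upper bound for JRockit. The product names used as keys, the inventory file format and the version-string parsing rules (dotted numeric components with an optional tag such as "DV") are assumptions made for the example. WebLogic maintenance-pack and service-pack ranges are deliberately not modelled, because their ordering is not a plain dotted version.

```python
"""Match an Oracle product inventory against the affected versions in
CERT-In advisory CIAD-2010-10.

Added example, not CERT-In or Oracle code. Inventory lines are constructed
sample data; product keys and the version grammar are assumptions.
"""
import re
from typing import Dict, List, Set, Tuple

Version = Tuple[Tuple[int, ...], str]  # (numeric components, suffix tag)

# Exact versions copied from the advisory's "System Affected" list.
AFFECTED_EXACT: Dict[str, Set[str]] = {
    "Oracle Database": {"11.1.0.7", "10.2.0.3", "10.2.0.4", "10.1.0.5",
                        "9.2.0.8", "9.2.0.8DV"},
    "Oracle Access Manager": {"7.0.4.3", "10.1.4.2"},
    "Oracle E-Business Suite": {"12.0.4", "12.0.5", "12.0.6", "12.1.1",
                                "12.1.2", "11.5.10.2"},
    "Primavera P6 EPPM": {"6.1", "6.2.1", "7.0"},
}

# "R27.6.5 and earlier" is an inclusive upper bound rather than a fixed list.
AFFECTED_UPTO: Dict[str, str] = {
    "Oracle JRockit": "R27.6.5",
}

_VERSION_RE = re.compile(r"[A-Za-z]?(\d+(?:\.\d+)*)([A-Za-z0-9]*)")


def parse_version(version: str) -> Version:
    """Split "R27.6.5" -> ((27, 6, 5), "") and "9.2.0.8DV" -> ((9, 2, 0, 8), "DV").

    The optional leading letter (JRockit's "R") is dropped; the trailing tag
    is kept, upper-cased, so that 9.2.0.8 and 9.2.0.8DV stay distinct.
    """
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in m.group(1).split(".")), m.group(2).upper()


def is_affected(product: str, version: str) -> bool:
    """True if (product, version) falls inside the advisory's affected set."""
    if product in AFFECTED_EXACT:
        # Compare parsed forms so case differences in the tag do not hide a hit.
        wanted = {parse_version(v) for v in AFFECTED_EXACT[product]}
        return parse_version(version) in wanted
    if product in AFFECTED_UPTO:
        nums, _ = parse_version(version)
        bound, _ = parse_version(AFFECTED_UPTO[product])
        return nums <= bound  # tuple comparison gives "and earlier" semantics
    return False  # product not covered by this advisory


# Constructed sample inventory: host,product,version (not real hosts).
SAMPLE_INVENTORY = """\
db-prod-01,Oracle Database,11.1.0.7
db-prod-02,Oracle Database,11.2.0.1
db-legacy,Oracle Database,9.2.0.8dv
app-01,Oracle JRockit,R27.6.5
app-02,Oracle JRockit,R28.0.0
iam-01,Oracle Access Manager,10.1.4.2
"""


def triage(inventory: str) -> List[Tuple[str, str, str]]:
    """Return the (host, product, version) rows that need the January 2010 CPU."""
    hits: List[Tuple[str, str, str]] = []
    for line in inventory.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        host, product, version = (f.strip() for f in line.split(",", 2))
        if is_affected(product, version):
            hits.append((host, product, version))
    return hits


if __name__ == "__main__":
    for host, product, version in triage(SAMPLE_INVENTORY):
        print(f"{host}: {product} {version} is listed as affected")
```

The "and earlier" rule relies on Python comparing integer tuples lexicographically, which is why the numeric components are parsed rather than compared as strings ("R27.6.10" would otherwise sort before "R27.6.5").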
Vendor Information
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
http://www.oracle.com/technology/deploy/security/alerts.htm
References
Oracle
http://www.oracle.com/technology/deploy/security/alerts.htm
CVE Name
CVE-2009-1996
CVE-2009-2625
CVE-2009-3410
CVE-2009-3411
CVE-2009-3412
CVE-2009-3413
CVE-2009-3414
CVE-2009-3415
CVE-2009-3416
CVE-2010-0066
CVE-2010-0067
CVE-2010-0068
CVE-2010-0069
CVE-2010-0070
CVE-2010-0071
CVE-2010-0072
CVE-2010-0073
CVE-2010-0074
CVE-2010-0075
CVE-2010-0076
CVE-2010-0077
CVE-2010-0078
CVE-2010-0079
CVE-2010-0080
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003