CERT-In Advisory
CIAD-2009-0049
Multiple Vulnerabilities in Oracle
Original Issue Date: October 26, 2009
Severity Rating: High
Systems Affected
- Oracle Database 11g version 11.1.0.7
- Oracle Database 10g Release 2 version 10.2.0.3
- Oracle Database 10g Release 2 version 10.2.0.4
- Oracle Database 10g version 10.1.0.5
- Oracle Database 9i Release 2 version 9.2.0.8
- Oracle Database 9i Release 2 version 9.2.0.8DV
- Oracle Application Server 10g Release 3 10.1.3 version 10.1.3.4.0
- Oracle Application Server 10g Release 3 10.1.3 version 10.1.3.5.0
- Oracle Application Server 10g Release 2 10.1.2 version 10.1.2.3.0
- Oracle Business Intelligence Enterprise Edition version 10.1.3.4.0
- Oracle Business Intelligence Enterprise Edition version 10.1.3.4.1
- Oracle E-Business Suite Release 12 version 12.0.6
- Oracle E-Business Suite Release 12 version 12.1
- Oracle E-Business Suite Release 11i version 11.5.10.2
- AutoVue version 19.3
- Agile Engineering Data Management EDM version 6.1
- PeopleSoft PeopleTools & Enterprise Portal version 8.49
- PeopleSoft Enterprise HCM TAM version 8.9
- PeopleSoft Enterprise HCM TAM version 9.0
- JD Edwards Tools version 8.98
- Oracle WebLogic Server versions 10.0 through 10.0 MP1
- Oracle WebLogic Server versions 10.3
- Oracle WebLogic Server version 9.0 GA
- Oracle WebLogic Server version 9.1 GA
- Oracle WebLogic Server versions 9.2 through 9.2 MP3
- Oracle WebLogic Server versions 8.1 through 8.1 SP5
- Oracle WebLogic Server versions 7.0 through 7.0 SP6
- Oracle WebLogic Portal versions 8.1 through 8.1 SP6
- Oracle WebLogic Portal versions 9.2 through 9.2 MP3
- Oracle WebLogic Portal versions 10.0 through 10.0 MP1
- Oracle WebLogic Portal versions 10.2 through 10.2 MP1
- Oracle WebLogic Portal versions 10.3 through 10.3.1
- Oracle JRockit version R27.6.4 and prior (JDK/JRE 6, 5, 1.4.2)
- Oracle Communications Order and Service Management version 2.8.0
- Oracle Communications Order and Service Management version 6.2.0
- Oracle Communications Order and Service Management version 6.3.0
- Oracle Communications Order and Service Management version 6.3.1
Overview
Multiple vulnerabilities have been reported in Oracle and BEA products, which could be exploited by remote or local attackers to cause a denial of service, read and manipulate certain data, disclose sensitive information, conduct SQL injection attacks, bypass security restrictions, or execute arbitrary commands.
Description
1. Vulnerability in the Data Mining component in Oracle Database 10.2.0.4 (CVE-2009-1007)
A vulnerability has been reported in the Data Mining component of Oracle Database 10.2.0.4 that allows authenticated users to disclose or manipulate certain data.
2. Vulnerability in the Workspace Manager component in Oracle Database 10.2.0.4 (CVE-2009-1018, CVE-2009-1964)
This vulnerability is caused by input passed to the "ROLLBACKWORKSPACE" procedure of the "LT" PL/SQL package in the Oracle Workspace Manager component not being properly sanitized before it is used in SQL queries. This can be exploited to manipulate those queries by injecting arbitrary SQL code.
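The defect class behind item 2 is a PL/SQL procedure that splices a caller-supplied value into dynamic SQL as text. The following PL/SQL is an added illustration, not Oracle's Workspace Manager code: the table DEMO_WORKSPACES and the procedures ROLLBACK_WORKSPACE_UNSAFE, ROLLBACK_WORKSPACE_SAFE and TRUNCATE_WORKSPACE_SAFE are hypothetical names chosen for the example. It shows the unsanitized pattern beside two hardened forms, one using a bind variable (for values) and one using DBMS_ASSERT (for identifiers that must be embedded in the statement text).

```sql
-- Added example (hypothetical objects, not Oracle's own package).
CREATE TABLE demo_workspaces (
  workspace_name VARCHAR2(30) PRIMARY KEY,
  owner          VARCHAR2(30) NOT NULL,
  status         VARCHAR2(12) DEFAULT 'ACTIVE'
);

-- Vulnerable pattern: p_name is concatenated into the statement text, so a
-- caller controls SQL syntax, not just a value. Shown only to contrast with
-- the hardened forms below.
CREATE OR REPLACE PROCEDURE rollback_workspace_unsafe(p_name IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'UPDATE demo_workspaces SET status = ''ROLLED_BACK'' '
                 || 'WHERE workspace_name = ''' || p_name || '''';
END;
/

-- Hardened form for a value: pass it as a bind variable. The statement text
-- is fixed at compile time and p_name can only ever be compared as data.
CREATE OR REPLACE PROCEDURE rollback_workspace_safe(p_name IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'UPDATE demo_workspaces SET status = ''ROLLED_BACK'' '
                 || 'WHERE workspace_name = :name'
    USING p_name;
END;
/

-- Hardened form for an identifier: object names cannot be bound, so validate
-- them first. DBMS_ASSERT.SQL_OBJECT_NAME raises ORA-44002 unless the string
-- names an existing object, so arbitrary SQL text never reaches the statement.
CREATE OR REPLACE PROCEDURE truncate_workspace_safe(p_table IN VARCHAR2) AS
BEGIN
  EXECUTE IMMEDIATE 'TRUNCATE TABLE ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table);
END;
/

-- Usage of the safe forms:
BEGIN
  rollback_workspace_safe('WS_FINANCE_Q3');
  truncate_workspace_safe('DEMO_WORKSPACES');
END;
/
```

When auditing PL/SQL packages that are exposed through PUBLIC grants or run with definer's rights, every EXECUTE IMMEDIATE, OPEN ... FOR and DBMS_SQL.PARSE whose statement text includes a concatenated parameter deserves this treatment; the bind-variable form also avoids the hard-parse cost of building a distinct statement per call.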
3. Vulnerability in the Net Foundation Layer component in Oracle Database 9.2.0.8 and 10.1.0.5 (CVE-2009-1965)
This vulnerability is caused by an error in the Net Foundation Layer component on Windows and can be exploited to disclose or manipulate certain data.
4. Vulnerability in the Data Pump component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.7 (CVE-2009-1971)
The vulnerability in the Data Pump component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.7 could allow a remote attacker with EXECUTE privileges on the KUPF$FILE_INT package to cause a denial of service.
5. Vulnerability in the Auditing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 (CVE-2009-1972)
This vulnerability is caused by an error in the Auditing component and can be exploited by authenticated users to manipulate certain data.
6. Vulnerability in the Network Authentication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 (CVE-2009-1979, CVE-2009-1985, CVE-2009-1997)
This vulnerability is caused by two errors in the Network Authentication component that can be exploited to execute arbitrary code.
7. Vulnerability in the Business Intelligence Enterprise Edition component in Oracle Application Server 10.1.3.4.1 (CVE-2009-1990, CVE-2009-1999)
This vulnerability is caused by an error in Business Intelligence Enterprise Edition that can be exploited to manipulate certain data, and can be exploited by local authenticated users to disclose sensitive information.
8. Vulnerability in the Oracle Text component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 (CVE-2009-1991)
This vulnerability in the Oracle Text component allows remote authenticated users to affect confidentiality and integrity; it is related to CTXSYS.DRVXTABC.
9. Vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.4 (CVE-2009-1992)
This vulnerability is caused by an error in the Core RDBMS component when running on Windows and can be exploited to execute arbitrary code.
10. Vulnerability in the Application Express component in Oracle Database 3.0.1 (CVE-2009-1993)
This vulnerability is caused by an error in the Application Express component and can be exploited by authenticated users to disclose or manipulate certain data.
11. Vulnerability in the Oracle Spatial component in Oracle Database 10.1.0.5 (CVE-2009-1994)
This vulnerability could allow remote authenticated users to affect confidentiality, integrity, and availability; it is related to MDSYS.PRVT_CMT_CBK.
12. Vulnerability in the Advanced Queuing component in Oracle Database 10.2.0.4 and 11.1.0.7 (CVE-2009-1995)
This vulnerability is caused by an error in the Advanced Queuing component. Successful exploitation requires EXECUTE privileges on SYS.DBMS_AQ_INV.
13. Vulnerability in the Authentication component in Oracle Database 10.2.0.3 and 11.1.0.7 (CVE-2009-1997, CVE-2009-2000)
This vulnerability is caused by two errors in the Authentication component that can be exploited to disclose sensitive information.
14. Vulnerability in the Oracle Communications Order and Service Management component in Oracle Industry Applications 2.8.0, 6.2.0, 6.3.0, and 6.3.1 (CVE-2009-1998)
A vulnerability was reported in Oracle Communications Order and Service Management. A remote authenticated user can access and modify some data on the target database.
15. Vulnerability in the PL/SQL component in Oracle Database 10.2.0.4 and 11.1.0.7 (CVE-2009-2001)
This vulnerability in the PL/SQL component of Oracle Database can be exploited by authenticated users to disclose or manipulate certain data.
16. Vulnerability in the WebLogic Portal component in BEA Product Suite 8.1.6, 9.2.3, 10.0.1, 10.2.1, and 10.3.1.0.0 (CVE-2009-2002)
This vulnerability in the WebLogic Portal component of the Oracle BEA Product Suite has an integrity impact and a remote attack vector.
17. Vulnerability in the Agile Engineering Data Management (EDM) component in Oracle E-Business Suite 6.1.0.0 (CVE-2009-3392)
A vulnerability has been reported in the Agile Engineering Data Management (EDM) component in Oracle E-Business Suite 6.1.0.0 which could allow remote attackers to affect confidentiality, integrity, and availability.
18. Vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 (CVE-2009-3393, CVE-2009-3397, CVE-2009-3400)
A vulnerability has been reported in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10 which could allow remote attackers to affect confidentiality, integrity, and availability.
19. Vulnerability in the AutoVue component in Oracle E-Business Suite 19.3.2 (CVE-2009-3395)
A vulnerability in the AutoVue component in Oracle E-Business Suite 19.3.2 could allow remote attackers to affect availability via unknown vectors.
20. Vulnerability in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2.3, 10.0.1, and 10.3 (CVE-2009-3396)
A vulnerability has been reported in the WebLogic Server component in BEA Product Suite 9.0, 9.1, 9.2.3, 10.0.1, and 10.3 which could allow a stack-based buffer overflow, caused by improper bounds checking in the Apache Connector. By sending a specially crafted HTTP request, a remote attacker could overflow a buffer and execute arbitrary code on the system or cause the server to crash.
21. Vulnerability in the Oracle Applications Technology Stack component and Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.1 (CVE-2009-3399, CVE-2009-3401)
The Oracle Applications Framework component in Oracle E-Business Suite 12.0.6 and 11i10CU2 uses default passwords for unspecified "FND Applications Users (not DB users)," which has unknown impact and attack vectors.
22. Vulnerability in the PeopleSoft PeopleTools & Enterprise Portal component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.23 (CVE-2009-3404)
This vulnerability could allow remote authenticated users to affect integrity and availability.
23. Vulnerability in the JD Edwards Tools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.98.1.4 and 8.98.2.1 (CVE-2009-3405, CVE-2009-3406)
This vulnerability could allow remote authenticated users to affect integrity and availability.
24. Vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 (CVE-2009-3407)
An unspecified vulnerability in the Portal component in Oracle Application Server 10.1.2.3 and 10.1.4.2 allows remote attackers to affect integrity via unknown vectors.
25. Oracle E-Business Suite Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions (CVE-2009-3408)
A remote user can access and modify some data on the target database. A remote user can cause denial of service conditions. A local user can access some data on the target database.
26. Oracle PeopleSoft PeopleTools Bugs Let Remote Authenticated Users Access and Modify Data and Cause Denial of Service Conditions (CVE-2009-3409)
A remote authenticated user can access and modify some data on the target database. A remote authenticated user can cause denial of service conditions.
Solution
Apply the patches listed in the Oracle Critical Patch Update advisory for October 2009:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html
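After applying the Critical Patch Update, a DBA will want to confirm on each database that the patch was actually registered. The queries below are an added example, not part of this advisory or of Oracle's documentation. They rely on the V$VERSION and DBA_REGISTRY_HISTORY views, which exist on the 10.2 and 11.1 releases listed above (9.2 and 10.1 installations may lack DBA_REGISTRY_HISTORY until the CPU itself creates it); the label 'CPUOct2009' in the COMMENTS column is an assumption about how the October 2009 update identifies itself and should be checked against the output of the second query.

```sql
-- Added patch-state check (assumptions: view names as in 10.2/11.1, and that
-- the October 2009 CPU records 'CPUOct2009' in DBA_REGISTRY_HISTORY.COMMENTS).
-- Run as a user with SELECT on the DBA_ views.

-- 1. Which build is this? Compare against the "Systems Affected" list.
SELECT banner
  FROM v$version;

-- 2. Every CPU / patch application the database has recorded, newest first.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 WHERE action IN ('CPU', 'APPLY')
 ORDER BY action_time DESC;

-- 3. One-line verdict for the October 2009 CPU (label assumed, see above).
SELECT CASE
         WHEN COUNT(*) = 0 THEN 'CPUOct2009 NOT recorded - apply the patch'
         ELSE 'CPUOct2009 recorded'
       END AS cpu_status
  FROM dba_registry_history
 WHERE UPPER(comments) LIKE '%CPUOCT2009%';
```

Query 2 is the one to keep in a compliance job: an Oracle Home can be patched with OPatch while the post-install SQL step that registers the CPU in the data dictionary is never run, and in that state the database still carries the unpatched PL/SQL packages (such as the Workspace Manager package in item 2) even though the binaries are current.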
Vendor Information
Oracle
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html
References
SecurityLab
http://en.securitylab.ru/nvd/
Infosecurity.US
http://infosecurity.us/?p=11431
Secunia
http://secunia.com/advisories/37027/
http://secunia.com/advisories/37103/
F-Secure
http://www.f-secure.com/vulnerabilities/en/SA200905709
US-Cert
http://www.us-cert.gov/cas/bulletins/SB08-294.html
Security Space
http://www.securityspace.com/smysecure/search.html?searchstr=confidentiality
SecurityTracker
http://www.securitytracker.com/archives/summary/9000.html
CVE Name
CVE-2009-1007
CVE-2009-1018
CVE-2009-1964
CVE-2009-1965
CVE-2009-1971
CVE-2009-1972
CVE-2009-1979
CVE-2009-1985
CVE-2009-1990
CVE-2009-1991
CVE-2009-1992
CVE-2009-1993
CVE-2009-1994
CVE-2009-1995
CVE-2009-1997
CVE-2009-1998
CVE-2009-1999
CVE-2009-2000
CVE-2009-2001
CVE-2009-2002
CVE-2009-3392
CVE-2009-3393
CVE-2009-3395
CVE-2009-3396
CVE-2009-3397
CVE-2009-3399
CVE-2009-3400
CVE-2009-3401
CVE-2009-3402
CVE-2009-3403
CVE-2009-3404
CVE-2009-3405
CVE-2009-3406
CVE-2009-3407
CVE-2009-3408
CVE-2009-3409
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India