CERT-In Advisory
CIAD-2010-0065
Multiple Vulnerabilities in various Oracle products
Original Issue Date: October 21, 2010
Severity Rating: High
Systems Affected
- Oracle Database 11g Release 2, version 11.2.0.1
- Oracle Database 11g Release 1, version 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Fusion Middleware, 11g R1, versions 11.1.1.1.0, 11.1.1.2.0
- Oracle Application Server, 10g R3, version 10.1.3.5.0
- Oracle Application Server, 10g R2, version 10.1.2.3.0
- Oracle BI Publisher, versions 10.1.3.3.2, 10.1.3.4.0, 10.1.3.4.1
- Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
- Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2
- Oracle E-Business Suite Release 11i, versions 11.5.10, 11.5.10.2
- Agile PLM, version 9.3.0.0
- Oracle Transportation Management, versions 5.5, 6.0, and 6.1
- PeopleSoft Enterprise CRM, FMS, HCM and SCM (Supply Chain), versions 8.9, 9.0 and 9.1
- PeopleSoft Enterprise EPM, Campus Solutions, versions 8.9, 9.0 and 9.1
- PeopleSoft Enterprise PeopleTools, versions 8.49 and 8.50
- Siebel Core, versions 7.7, 7.8, 8.0 and 8.1
- Primavera P6 Enterprise Project Portfolio Management, versions 6.21.3.0, 7.0.1.0
- Oracle Sun Product Suite
- Oracle VM, version 2.2.1
Overview
Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by a remote or local attacker. The impact of these vulnerabilities includes remote execution of arbitrary code, information disclosure, and denial of service.
Description
Multiple vulnerabilities have been reported in Oracle products, the severity of which varies depending on the product, component, and configuration of the system. Specific details of each of these vulnerabilities are not currently available. Authentication is not required for exploiting some of these vulnerabilities. Successful exploitation may affect the availability of the target system and the confidentiality and integrity of data on the target system.
1. Oracle Database server
(CVE-2010-2390, CVE-2010-2419, CVE-2010-1321, CVE-2010-2412, CVE-2010-2415, CVE-2010-2411, CVE-2010-2407, CVE-2010-2391, CVE-2010-2389)
Multiple vulnerabilities have been reported in various components of Oracle Database Server 10.1.0.5, 10.2.0.3, 10.2.0.4, 11.1.0.7 and 11.2.0.1 (EM Console, Java Virtual Machine, Change Data Capture, OLAP, Job Queue, XDK, Core RDBMS, and Perl). Two of these vulnerabilities can be exploited by a remote attacker without authentication, i.e., may be exploited over a network without the need for a username and password.
The vulnerability in the "Java Virtual Machine" is due to a race condition error in the Security Manager implementation and can be exploited by authenticated users to execute Java code outside of the sandbox.
The vulnerability in the DBMS_CDC_PUBLISH PL/SQL package of the Oracle Database server exists due to improper validation of the input passed to the CREATE_CHANGE_SET procedure over the 'Oracle Net' protocol. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation of this vulnerability requires EXECUTE permission on the SYS.DBMS_CDC_PUBLISH package.
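Added example (not part of the CERT-In or Oracle advisory): a read-only audit that lists which accounts hold the EXECUTE permission on SYS.DBMS_CDC_PUBLISH named above, either directly or through roles. It assumes a session that can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- Added audit example; read-only. Assumes access to the DBA_* dictionary views.

-- 1. Direct grants of EXECUTE on the package (users, roles or PUBLIC).
--    A PUBLIC row here means every database account meets the precondition.
SELECT grantee, grantor, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_CDC_PUBLISH'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Accounts that inherit the grant through a chain of roles.
--    START WITH picks role grants whose role holds the direct privilege;
--    CONNECT BY then walks upward to whoever was granted that role.
SELECT DISTINCT u.username, u.account_status, r.root_role AS via_role
FROM  (SELECT grantee,
              CONNECT_BY_ROOT granted_role AS root_role
       FROM   dba_role_privs
       START  WITH granted_role IN (SELECT grantee
                                    FROM   dba_tab_privs
                                    WHERE  owner      = 'SYS'
                                    AND    table_name = 'DBMS_CDC_PUBLISH'
                                    AND    privilege  = 'EXECUTE')
       CONNECT BY NOCYCLE PRIOR grantee = granted_role) r
JOIN   dba_users u ON u.username = r.grantee
ORDER  BY u.username, via_role;
```

Accounts in either result set that do not need Change Data Capture publishing are the ones to review alongside applying the Oracle patches.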
2. Vulnerability in Oracle Fusion Middleware
(CVE-2010-2390, CVE-2010-3501, CVE-2010-2413, CVE-2010-2395, CVE-2010-2409, CVE-2010-2410, CVE-2010-2396, CVE-2010-3581, CVE-2010-2389)
Multiple vulnerabilities have been reported in various components of Oracle Fusion Middleware (EM Console, OID, Cabo/UIX, Forms, BPEL Console and Perl). Seven of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username.
3. Vulnerability in Oracle Enterprise Manager Grid Control
(CVE-2010-2390)
A remote buffer-overflow vulnerability exists in the EM Console component of Oracle Enterprise Manager Grid Control. It can be exploited over the HTTP protocol by an unauthenticated attacker to execute arbitrary code in the context of the user running the application. Failed exploit attempts can result in a denial-of-service condition.
4. Vulnerabilities in Oracle E-Business Suite
(CVE-2010-2388, CVE-2010-3504, CVE-2010-2416, CVE-2010-2418, CVE-2010-2408, CVE-2010-2404)
Multiple vulnerabilities have been reported in components of Oracle E-Business Suite Release 12, versions 12.0.4, 12.0.5, 12.0.6, 12.1.1 and 12.1.2, and Release 11i, versions 11.5.10, 11.5.10.2 (Oracle Applications Manager, Oracle Applications Technology Stack, Oracle E-Business Intelligence, Oracle Territory Management and Oracle iRecruitment). Five of these vulnerabilities can be exploited by a remote attacker without authentication, i.e., may be exploited over a network without the need for a username.
5. Vulnerabilities in Oracle Supply Chain Products Suite
(CVE-2009-3555, CVE-2010-2417)
Two unspecified vulnerabilities exist in the Oracle Transportation Management, versions 5.5, 6.0, and 6.1, and Agile PLM, version 9.3.0.0, components, which can be exploited by malicious users to manipulate certain data and by malicious people to disclose potentially sensitive information. The vulnerability in the "Transportation Management" component, which occurs while handling session re-negotiations, can be exploited to insert arbitrary plaintext before data sent by a legitimate client in an existing TLS session via Man-in-the-Middle (MitM) attacks.
6. Vulnerability in Oracle PeopleSoft Enterprise and JDEdwards Suite
(CVE-2010-3532, CVE-2010-3527, CVE-2010-3537, CVE-2010-3529, CVE-2010-3538, CVE-2010-3539)
Multiple vulnerabilities have been reported in components of Oracle PeopleSoft Enterprise and JDEdwards suite (PeopleSoft Enterprise CRM - Order Capture, PeopleSoft Enterprise FMS - AM, PeopleSoft Enterprise FMS - Cash Management, PeopleSoft Enterprise FMS - GL, PeopleSoft Enterprise FMS ESA - RM, Enterprise FMS, SCM, EPM, CRM, Campus Solutions, PeopleSoft Enterprise HCM - HR, PeopleSoft Enterprise HCM GP - Japan, PeopleSoft Enterprise HCM ePay, PeopleSoft Enterprise SCM, PeopleSoft Enterprise SCM - Strategic Sourcing, PeopleSoft Enterprise SCM OM and CRM Order Capture, PeopleSoft FMS ESA - EX, PeopleSoft Enterprise PeopleTools, and PeopleSoft Enterprise CRM - Common Components). Only one of these vulnerabilities can be exploited by a remote attacker without authentication, i.e., may be exploited over a network without the need for a username and password.
7. Vulnerabilities in Oracle Siebel Suite
(CVE-2010-2405, CVE-2010-3500, CVE-2010-3502, CVE-2010-2406)
Multiple unspecified vulnerabilities have been reported in the Oracle Siebel Core - Highly Interactive Client component and the Oracle Siebel Core component in Oracle Siebel Suite 7.7.2.12, 7.8.2.14, 8.0.0.10, and 8.1.1.3, the exploitation of which allows remote authenticated users to affect confidentiality via unknown vectors. None of these vulnerabilities can be exploited by a remote attacker without authentication, i.e., may be exploited over a network without the need for a username.
8. Vulnerability in Oracle Primavera Product Suite
(CVE-2010-3534)
An unspecified vulnerability exists in the Primavera P6 Enterprise Project Portfolio Management component in Oracle Primavera Products Suite 6.21.3.0 and 7.0.1.0, the exploitation of which allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Project Management Module.
9. Vulnerabilities in Oracle Sun Product Suite
(CVE-2010-3509, CVE-2010-3578, CVE-2010-3507)
Multiple vulnerabilities have been reported in components of Oracle Sun Product Suite (Solaris, OpenSolaris, Sun Java System Messaging Server, Sun Convergence 1, Sun Java Communications Suite 7, Oracle iPlanet Web Server, Sun Java System Identity Manager, Directory Server Enterprise Edition, and Oracle Explorer). Eleven of these vulnerabilities can be exploited remotely without authentication, i.e., may be exploited over a network without the need for a username and password.
10. Vulnerabilities in Oracle Open Office Suite
(CVE-2010-3301, CVE-2010-3302, CVE-2010-2949, CVE-2010-2950, CVE-2010-0395)
Multiple vulnerabilities have been reported in various sub-components of the StarOffice, StarSuite component of Oracle Open Office Suite (Microsoft Word attachments, XPM attachments, GIF attachments and Python in .odt attachments). All of these vulnerabilities can be exploited remotely without authentication, i.e., may be exploited over a network without the need for a username and password.
11. Vulnerabilities in Oracle VM
(CVE-2010-3582, CVE-2010-3583, CVE-2010-3585, CVE-2010-3584)
Some unspecified vulnerabilities have been reported in the Oracle VM component in Oracle VM 2.2.1 that allow remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors related to ovs-agent.
Solution
Apply patches as mentioned in the Oracle advisory:
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
Vendor Information
Oracle
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://blogs.oracle.com/security/2010/10/october_2010_and_java_critical.html
References
Oracle
http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html
http://blogs.oracle.com/security/2010/10/october_2010_and_java_critical.html
Security Tracker
http://securitytracker.com/alerts/2010/Oct/1024560.html
http://securitytracker.com/alerts/2010/Oct/1024561.html
http://securitytracker.com/alerts/2010/Oct/1024562.html
http://securitytracker.com/alerts/2010/Oct/1024563.html
http://securitytracker.com/alerts/2010/Oct/1024565.html
http://securitytracker.com/alerts/2010/Oct/1024566.html
http://securitytracker.com/alerts/2010/Oct/1024567.html
http://securitytracker.com/alerts/2010/Oct/1024568.html
http://securitytracker.com/alerts/2010/Oct/1024569.html
Zero Day Initiative
http://www.zerodayinitiative.com/advisories/ZDI-10-201/
Secunia
http://secunia.com/advisories/41815/
http://secunia.com/advisories/41830/
http://secunia.com/advisories/39504/
http://secunia.com/advisories/41827/
http://secunia.com/advisories/41831/
http://secunia.com/advisories/41794/
http://secunia.com/advisories/41762/
http://secunia.com/advisories/41780/
http://secunia.com/advisories/41782/
http://secunia.com/advisories/41837
http://secunia.com/advisories/41758/
http://secunia.com/advisories/41833/
http://secunia.com/advisories/41834/
http://secunia.com/advisories/41818/
CVE Name
CVE-2010-2390
CVE-2010-2419
CVE-2010-1321
CVE-2010-2412
CVE-2010-2415
CVE-2010-2411
CVE-2010-2407
CVE-2010-2391
CVE-2010-2389
CVE-2010-2390
CVE-2010-3501
CVE-2010-2413
CVE-2010-2395
CVE-2010-2409
CVE-2010-2410
CVE-2010-2396
CVE-2010-3581
CVE-2010-2389
CVE-2010-2390
CVE-2010-2388
CVE-2010-3504
CVE-2010-2416
CVE-2010-2418
CVE-2010-2408
CVE-2010-2404
CVE-2009-3555
CVE-2010-2417
CVE-2010-3532
CVE-2010-3527
CVE-2010-3537
CVE-2010-3529
CVE-2010-3538
CVE-2010-3539
CVE-2010-2405
CVE-2010-3500
CVE-2010-3502
CVE-2010-2406
CVE-2010-3534
CVE-2010-3509
CVE-2010-3578
CVE-2010-3507
CVE-2010-3301
CVE-2010-3302
CVE-2010-2949
CVE-2010-2950
CVE-2010-0395
CVE-2010-3582
CVE-2010-3583
CVE-2010-3585
CVE-2010-3584
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India