CERT-In Advisory
CIAD-2011-0059
Multiple Vulnerabilities in various Oracle products
Original Issue Date: November 03, 2011
Severity Rating: High
Systems Affected
- Oracle Database 11g Release 2, version 11.2.0.2
- Oracle Database 11g Release 1, version 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
- Oracle Database 10g Release 1, version 10.1.0.5
- Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
- Oracle Application Server 10g Release 3, version 10.1.3.5.0
- Oracle Application Server 10g Release 2, version 10.1.2.3.0
- Oracle Business Intelligence Enterprise Edition, versions 11.1.1.3, 11.1.1.5
- Oracle Identity Management 10g, versions 10.1.4.0.1, 10.1.4.3
- Oracle Outside In Technology, versions 8.3.5, 8.3.7
- Oracle WebLogic Portal, versions 9.2.3.0, 10.0.1.0, 10.2.1.0, 10.3.2.0
- Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5)
- Oracle E-Business Suite Release 12, versions 12.0.6, 12.1.2, 12.1.3
- Oracle E-Business Suite Release 11i, version 11.5.10.2
- Oracle Agile Product Supplier Collaboration for Process, versions 5.2.2, 6.0.0.2, 6.0.0.3, 6.0.0.4
- Oracle PeopleSoft Enterprise HRMS, versions 8.9, 9.0, 9.1
- Oracle PeopleSoft Enterprise PeopleTools, versions 8.49, 8.50, 8.51
- Oracle Siebel CRM Core and Apps, versions 8.0.0, 8.1.1
- Oracle Clinical, Remote Data Capture, versions 4.6, 4.6.2
- Oracle Thesaurus Management System, versions 4.6.1, 4.6.2
- Oracle Sun Product Suite
- Oracle Linux 5
- Oracle Sun Ray
Overview
Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by a remote or local attacker. The impact of these vulnerabilities includes remote execution of arbitrary code, disclosure and modification of system and user information, and denial of service.
Description
Multiple vulnerabilities have been reported in Oracle products; their severity varies depending on the product, component and configuration of the system. Specific details of each of these vulnerabilities are not currently available. Authentication is not required to exploit some of these vulnerabilities. Successful exploitation may affect the availability of the target system and the confidentiality and integrity of data on it.
1. Vulnerabilities in Oracle Database Server
(CVE-2011-2301, CVE-2011-3525, CVE-2011-3512, CVE-2011-2322, CVE-2011-3511)
Multiple vulnerabilities have been reported in various components of different versions and releases of Oracle Database Server (Core RDBMS, Application Express, Database Vault and Oracle Text). A remote authenticated or local user can partially modify data on the target system, access data on the target system and cause partial denial of service conditions.
2. Vulnerabilities in Oracle Fusion Middleware
(CVE-2011-2255, CVE-2011-3192, CVE-2011-2320, CVE-2011-3510, CVE-2011-2314, CVE-2011-2319)
Multiple vulnerabilities have been reported in various components of Oracle Fusion Middleware (Oracle WebLogic Portal, Oracle HTTP Server, Oracle Business Intelligence Enterprise Edition, Oracle Containers for J2EE, Oracle WebLogic Server, Oracle Web Services Manager and Oracle Outside In Technology). Five of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
3. Vulnerabilities in Oracle E-Business Suite
(CVE-2011-3513, CVE-2011-2308, CVE-2011-2302)
Multiple vulnerabilities have been reported in the HTML Pages, Online Help, Single Sign On and Attachments / File Upload sub-components of the Oracle Application Object Library component, and in the REST Services sub-component of the Oracle Applications Framework component, of Oracle E-Business Suite. All three of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
4. Vulnerabilities in Oracle PeopleSoft Products
(CVE-2011-3527, CVE-2011-3533, CVE-2011-3528, CVE-2011-2315)
Multiple vulnerabilities have been reported in the Candidate Gateway, Job Profile Manager (JPM), eProfile, Talent Acquisition Manager and eDevelopment sub-components of the PeopleSoft Enterprise HRMS component, and in the Security and Personalization sub-component of the PeopleSoft Enterprise PeopleTools component, of Oracle PeopleSoft Products. None of these vulnerabilities can be exploited by a remote attacker without authentication. These vulnerabilities can be exploited over the 'HTTP' protocol.
5. Vulnerabilities in Oracle Siebel CRM
(CVE-2011-3518, CVE-2011-2316, CVE-2011-3526)
Two unspecified vulnerabilities exist in the User Interface sub-component of the Siebel Core - UIF Client component, and one in the Email Marketing sub-component of the Siebel Core - UIF Server component, of Oracle Siebel CRM. These vulnerabilities can be exploited over the 'HTTP' protocol.
6. Vulnerability in Oracle Supply Chain Products
(CVE-2011-3532)
A remotely exploitable vulnerability in the Oracle Agile Product Supplier Collaboration for Process component of Oracle Supply Chain Products Suite versions 5.2.2, 6.0.0.2, 6.0.0.3 and 6.0.0.4 allows remote attackers to affect confidentiality via unknown vectors related to Supplier Portal. This vulnerability can be exploited over the 'HTTP' protocol.
7. Vulnerabilities in Oracle Industry Applications
(CVE-2011-2309, CVE-2011-2323)
Unspecified vulnerabilities have been reported in the RDC Help sub-component of the Health Sciences - Oracle Clinical, Remote Data Capture component of Oracle Industry Applications 4.6 and 4.6.2, and in the TMS Help sub-component of the Health Sciences - Oracle Thesaurus Management System component of Oracle Industry Applications 4.6.1 and 4.6.2. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network via the HTTP protocol without the need for a username and password.
8. Vulnerabilities in Oracle Sun Product Suite
(CVE-2011-3508, CVE-2011-3559, CVE-2011-3517, CVE-2011-3543, CVE-2011-2310, CVE-2011-3515, CVE-2011-3534, CVE-2011-3535, CVE-2011-3537, CVE-2011-3542, CVE-2011-3506, CVE-2011-2313)
Multiple vulnerabilities have been reported in various components of Oracle Sun Product Suite (Solaris, Glassfish Communications Server, GlassFish Enterprise Server, Sun Java System Application Server, Oracle OpenSSO, Oracle Waveset, Oracle Communications Unified and SPARC T3, Netra SPARC T3, Sun Fire, Sun Blade). Nine of these vulnerabilities can be exploited remotely without authentication, i.e., may be exploited over a network without the need for a username and password.
9. Vulnerability in Oracle Linux
(CVE-2011-2306)
An unspecified vulnerability has been reported in Oracle Linux 4 and 5 that allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to "Oracle validated".
10. Vulnerability in Oracle Sun Ray
(CVE-2011-3538)
An unspecified vulnerability has been reported in the Sun Ray component of Oracle Virtualization 4.0. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
Solution
Apply the patches listed in the Oracle Critical Patch Update advisory:
http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html
Vendor Information
Oracle
http://www.oracle.com/technetwork/topics/security/cpuoct2011-330135.html
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
References
Oracle
http://www.oracle.com/technetwork/topics/security/alerts-086861.html
http://blogs.oracle.com/security/
SecurityFocus
http://www.securityfocus.com/bid/50205
http://www.securityfocus.com/bid/50209
http://www.securityfocus.com/bid/50219
http://www.securityfocus.com/bid/50221
http://www.securityfocus.com/bid/50225
http://www.securityfocus.com/bid/50227
http://www.securityfocus.com/bid/50233
http://www.securityfocus.com/bid/50249
http://www.securityfocus.com/bid/50252
http://www.securityfocus.com/bid/50263
http://www.securityfocus.com/bid/50267
http://www.securityfocus.com/bid/50202
http://www.securityfocus.com/bid/50207
http://www.securityfocus.com/bid/50210
http://www.securityfocus.com/bid/50222
http://www.securityfocus.com/bid/50232
http://www.securityfocus.com/bid/50238
http://www.securityfocus.com/bid/50240
http://www.securityfocus.com/bid/50253
http://www.securityfocus.com/bid/50256
http://www.securityfocus.com/bid/50258
http://www.securityfocus.com/bid/50261
Secunia
http://secunia.com/advisories/46502/
http://secunia.com/advisories/46513/
http://secunia.com/advisories/46508/
http://secunia.com/advisories/46504/
http://secunia.com/advisories/46506/
http://secunia.com/advisories/46507/
http://secunia.com/advisories/46515/
http://secunia.com/advisories/46505/
http://secunia.com/advisories/46512/
http://secunia.com/advisories/46521/
http://secunia.com/advisories/46516/
http://secunia.com/advisories/46518/
http://secunia.com/advisories/46519/
http://secunia.com/advisories/46520/
http://secunia.com/advisories/46523/
http://secunia.com/advisories/46525/
http://secunia.com/advisories/46528/
http://secunia.com/advisories/46526/
http://secunia.com/advisories/46527/
http://secunia.com/advisories/46509/
CVE Name
CVE-2011-2237
CVE-2011-3523
CVE-2011-3541
CVE-2011-2318
CVE-2011-3513
CVE-2011-2308
CVE-2011-2302
CVE-2011-2303
CVE-2011-3519
CVE-2011-3527
CVE-2011-3533
CVE-2011-3528
CVE-2011-2315
CVE-2011-3529
CVE-2011-3530
CVE-2011-3520
CVE-2011-3518
CVE-2011-2316
CVE-2011-3526
CVE-2011-2310
CVE-2011-3515
CVE-2011-3534
CVE-2011-3535
CVE-2011-3537
CVE-2011-3542
CVE-2011-3506
CVE-2011-2313
CVE-2011-2304
CVE-2011-3507
CVE-2011-2292
CVE-2011-2327
CVE-2011-3522
CVE-2011-2286
CVE-2011-3536
CVE-2011-2311
CVE-2011-2312
CVE-2011-3539
CVE-2011-2306
CVE-2011-3538
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India