CERT-In Advisory
CIAD-2013-0080
Multiple Vulnerabilities in Oracle Products
Original Issue Date: October 22, 2013
Severity Rating: High
Systems Affected
- Oracle Database 11g Release 1, version 11.1.0.7
- Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
- Oracle Database 12c Release 1, version 12.1.0.1
- Oracle Fusion Middleware 11g Release 1, versions 11.1.1.6, 11.1.1.7
- Oracle Access Manager, versions 11.1.1.5.0, 11.1.2.0.0
- Oracle Forms and Reports 11g, Release 2, version 11.1.2.1
- Oracle GlassFish Server, versions 2.1.1, 3.0.1, 3.1.2
- Oracle HTTP Server 12c, version 12.1.2
- Oracle Identity Analytics, version 11.1.1.5; Sun Role Manager, versions 4.1, 5.0
- Oracle Identity Manager, versions 11.1.2.0.0, 11.1.2.1.0
- Oracle JDeveloper, versions 11.1.2.3.0, 11.1.2.4.0, 12.1.2.0.0
- Oracle Outside In Technology, versions 8.4.0, 8.4.1
- Oracle Portal, version 11.1.1.6.0
- Oracle Web Cache, versions 11.1.1.6, 11.1.1.7
- Oracle WebCenter Content, versions 10.1.3.5.1, 11.1.1.6.0, 11.1.1.7.0, 11.1.1.8.0
- Oracle WebLogic Server, versions 10.3.6.0, 12.1.1.0
- Oracle Web Services, versions 10.1.3.5, 11.1.1.6.0
- Oracle Enterprise Manager Grid Control 10g Release 1, version 10.2.0.5
- Oracle Enterprise Manager Grid Control 11g Release 1, version 11.1.0.1
- Oracle Enterprise Manager Plugin for Database 12c Release 1, versions 12.1.0.2, 12.1.0.3, 12.1.0.4
- Oracle E-Business Suite Release 12i, version 12.1
- Oracle Agile PLM Framework, version 9.3.2
- Oracle PeopleSoft HRMS, version 9.1
- Oracle PeopleSoft HRMS eCompensation, versions 9.1, 9.2
- Oracle PeopleSoft PeopleTools, versions 8.51, 8.52, 8.53
- Oracle Siebel Core, versions 8.1.1, 8.2.2
- Oracle Siebel Server Remote, versions 8.1.1, 8.2.2
- Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
- Oracle iLearning, versions 5.2.1, 6.0
- Oracle Health Sciences InForm, versions 4.5.x, 4.6.x, 5.0.x, 5.5.x and 6.0.0
- Oracle Siebel CTMS, version 8.1.1.x
- Oracle Retail Invoice Matching, versions 10.2, 11.0, 12.0, 12.0IN, 12.1, 13.0, 13.1, 13.2
- Oracle FLEXCUBE Private Banking, versions 1.7, 2.0, 2.0.1, 2.2.0.1, 3.0, 12.0.1
- Oracle Instantis EnterpriseTrack, versions 8.0.6, 8.5
- Oracle Primavera P6 Enterprise Project Portfolio Management, versions 8.1, 8.2, 8.3
- Oracle JavaFX, versions 2.2.40 and earlier
- Oracle Java JDK and JRE, versions 5.0u51 and earlier, 6u60 and earlier, 7u40 and earlier
- Oracle Java SE Embedded, versions 7u40 and earlier
- Oracle JRockit, versions R27.7.6 and earlier, R28.2.8 and earlier
- Oracle Solaris versions 10, 11.1
- Oracle SPARC Enterprise T series and M Series Servers Firmware versions prior to 6.7.13, 7.4.6.c, 8.3.0.b, 9.0.0.d, 9.0.1.e
- Oracle Sun Blade 6000 10GBE switched NEM 1.2, Sun Network 10GBE Switch 72P 1.2, Oracle Switch ES1-24 1.3
- Oracle Secure Global Desktop, version 5
- Oracle VM VirtualBox, versions prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18
- Oracle MySQL Server, versions 5.1, 5.5, 5.6
- Oracle MySQL Enterprise Monitor, version 2.3
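The two entries above that are stated as bounds rather than exact versions (VirtualBox "prior to 3.2.18, 4.0.20, 4.1.28, 4.2.18" and Java "5.0u51 / 6u60 / 7u40 and earlier") are easy to misjudge with a plain string or single-number comparison, because each bound applies only to its own release branch. The following helper is an added example written for this advisory, not CERT-In or Oracle code: it carries the bounds from the list above, compares VirtualBox versions branch by branch, parses Oracle's "7u40" shorthand and the banner printed by `java -version`, and answers None rather than guessing for a branch or Java family the advisory does not list. The sample inputs in the `__main__` block are constructed, not taken from a real host.

```python
import re

# Bounds taken from the "Systems Affected" list of this advisory.
# VirtualBox is listed as "versions prior to ..." per release branch:
VIRTUALBOX_FIXED = ("3.2.18", "4.0.20", "4.1.28", "4.2.18")
# Java JDK/JRE is listed as "<family>u<update> and earlier":
JAVA_LAST_AFFECTED = ("5.0u51", "6u60", "7u40")


def parse_dotted(version):
    """'4.2.16' -> (4, 2, 16); tuples compare numerically, so 4.2.9 < 4.2.18."""
    return tuple(int(part) for part in version.strip().split("."))


def virtualbox_affected(installed):
    """Branch-aware check against the 'prior to' list.

    The branch is the first two components (3.2, 4.0, 4.1, 4.2). A version is
    affected when it is older than the fixed release of its own branch.
    Returns None for a branch the advisory does not mention, because a naive
    '< 4.2.18' comparison would wrongly flag e.g. 4.3.0 as affected.
    """
    inst = parse_dotted(installed)
    for fixed in VIRTUALBOX_FIXED:
        fixed_t = parse_dotted(fixed)
        if fixed_t[:2] == inst[:2]:
            return inst < fixed_t
    return None


# Oracle shorthand used in the advisory: "7u40", "5.0u51"
_JAVA_SHORT = re.compile(r"^(\d+)(?:\.\d+)?u(\d+)$")
# First line of `java -version` output, e.g. 'java version "1.7.0_40"'
_JAVA_BANNER = re.compile(r'java version "1\.(\d+)\.\d+_(\d+)"')


def parse_java_short(version):
    """'7u40' -> (7, 40); '5.0u51' -> (5, 51). Raises on unknown formats."""
    m = _JAVA_SHORT.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Java version: {version!r}")
    return int(m.group(1)), int(m.group(2))


def java_version_from_banner(text):
    """Extract (family, update) from `java -version` output; None if absent."""
    m = _JAVA_BANNER.search(text)
    return (int(m.group(1)), int(m.group(2))) if m else None


def java_affected(family, update):
    """True if the update is at or below the 'and earlier' bound for its
    family; None if the family (e.g. 8) is not covered by this advisory."""
    for bound in JAVA_LAST_AFFECTED:
        b_family, b_update = parse_java_short(bound)
        if b_family == family:
            return update <= b_update
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not data from a real host.
    for v in ("4.2.16", "4.2.18", "3.2.17", "4.3.0"):
        print(f"VirtualBox {v} -> affected: {virtualbox_affected(v)}")
    banner = 'java version "1.7.0_40"\nJava(TM) SE Runtime Environment (build 1.7.0_40-b43)'
    fam, upd = java_version_from_banner(banner)
    print(f"Java {fam}u{upd} -> affected: {java_affected(fam, upd)}")
```

A None result is a deliberate "not covered here" signal: feed those hosts to the vendor's own Critical Patch Update matrix rather than treating them as either safe or vulnerable on the strength of this advisory alone.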
Overview
Multiple vulnerabilities have been reported in various Oracle products which could be exploited by a remote attacker to cause a denial of service (partial or complete), disclose sensitive information, or take over the underlying operating system, resulting in arbitrary code execution over the network, with or without authentication, via network protocols.
Description
1. Oracle Database Server
(CVE-2013-3826, CVE-2013-5771)
These two vulnerabilities exist in the Core RDBMS component and the XML Parser component of Oracle Database Server and could be exploited by an attacker launching unauthenticated network attacks via Oracle Net. Successful exploitation can lead to unauthorized read access to a subset of the data accessible to the Core RDBMS and XML Parser components, and can also result in a partial denial of service (partial DoS) of the XML Parser.
2. Oracle Fusion Middleware
(CVE-2011-3389, CVE-2013-0169, CVE-2013-2172, CVE-2013-3624, CVE-2013-3827, CVE-2013-3828)
Multiple vulnerabilities exist in various components of Oracle Fusion Middleware and could be exploited by an attacker launching authenticated or unauthenticated network attacks via HTTP, SSL/TLS or SOAP. Successful exploitation can lead to unauthorized read access, and in some cases update, insert or delete access, to the component's accessible data, resulting in a partial denial of service (partial DoS). Two of these vulnerabilities, in the Oracle Outside In Technology component, require logon to the operating system plus additional login/authentication to the component or subcomponent. Successful exploitation of these two vulnerabilities can escalate the attacker's privileges, giving the unauthorized ability to cause a partial denial of service (partial DoS) or a repeatable crash (complete DoS) of Oracle Outside In Technology.
3. Oracle Enterprise Manager Grid Control
(CVE-2013-3762, CVE-2013-5766, CVE-2013-5827, CVE-2013-5828)
Multiple vulnerabilities exist in the Enterprise Manager Base Platform component of Oracle Enterprise Manager Grid Control and could be exploited by an attacker launching unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized update, insert or delete access to some or all Enterprise Manager Base Platform accessible data.
4. Oracle E-Business Suite
(CVE-2013-5792)
A vulnerability exists in the Techstack component of Oracle E-Business Suite and could be exploited by an attacker launching unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read access to a subset of Techstack accessible data.
5. Oracle Supply Chain Products Suite
(CVE-2013-5799, CVE-2013-5826)
These two vulnerabilities exist in the Oracle Agile PLM Framework component and the Oracle Transportation Management component of Oracle Supply Chain Products Suite and could be exploited by an attacker launching unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized update, insert or delete access to some Oracle Agile PLM Framework accessible data, and can give the unauthorized ability to cause a partial denial of service (partial DoS) of Oracle Transportation Management.
6. Oracle PeopleSoft Products
(CVE-2013-3785, CVE-2013-3835, CVE-2013-5765, CVE-2013-5779)
Multiple vulnerabilities exist in various components of Oracle PeopleSoft Products and could be exploited by an attacker launching authenticated or unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read access to a subset of component accessible data and the ability to cause a partial denial of service (partial DoS) of PeopleSoft Enterprise PeopleTools.
7. Oracle Siebel CRM
(CVE-2013-3832, CVE-2013-3840, CVE-2013-3841, CVE-2013-5761, CVE-2013-5768)
Multiple vulnerabilities exist in various components of Oracle Siebel CRM and could be exploited by an attacker launching authenticated or unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read, update, insert or delete access to some Oracle Siebel CRM accessible data, and can give the unauthorized ability to cause a partial denial of service (partial DoS) of a few Oracle Siebel CRM sub-components.
8. Oracle iLearning
(CVE-2013-5822, CVE-2013-5845)
These two vulnerabilities exist in the Oracle iLearning component (subcomponent: Learner Administration) of Oracle iLearning and could be exploited by an attacker launching unauthenticated network attacks via HTTP. Successful exploitation can result in unauthorized update, insert or delete access to some Oracle iLearning accessible data, read access to a subset of Oracle iLearning accessible data, and the ability to cause a partial denial of service (partial DoS) of Oracle iLearning.
9. Oracle Industry Applications
(CVE-2013-3814, CVE-2013-5762, CVE-2013-5811, CVE-2013-5837)
Multiple vulnerabilities exist in various components of Oracle Industry Applications and could be exploited by an attacker launching authenticated or unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read, update, insert or delete access to some Oracle Industry Applications accessible data. One of these vulnerabilities requires logon to the operating system plus additional login/authentication to the component or subcomponent. Successful exploitation of this vulnerability can escalate the attacker's privileges, giving the unauthorized ability to cause a repeatable crash (complete DoS) of Oracle Siebel CTMS and read access to a subset of Oracle Siebel CTMS accessible data.
10. Oracle Financial Services Software
(CVE-2013-2251)
This vulnerability exists in the Oracle FLEXCUBE Private Banking component (subcomponent: Core) of Oracle Financial Services Software and could be exploited by an attacker launching authenticated network attacks via HTTP. Successful exploitation can result in unauthorized takeover of Oracle FLEXCUBE Private Banking, possibly causing arbitrary code execution within Oracle FLEXCUBE Private Banking.
11. Oracle Primavera Products Suite
(CVE-2013-3766, CVE-2013-5859)
These two vulnerabilities exist in the Primavera P6 Enterprise Project Portfolio Management component and the Instantis EnterpriseTrack component of Oracle Primavera Products Suite and could be exploited by an attacker launching unauthenticated or authenticated network attacks via HTTP. Successful exploitation can result in unauthorized update, insert or delete access to Oracle Primavera P6 Enterprise Project Portfolio Management accessible data and read access to a subset of Oracle Instantis EnterpriseTrack accessible data.
12. Oracle Java SE
As many as 51 vulnerabilities exist in the Java SE, Java SE Embedded, JavaFX and JRockit components of Oracle Java SE and could be exploited by an attacker launching authenticated or unauthenticated network attacks via multiple protocols. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component accessible data, or to unauthorized operating system takeover including arbitrary code execution. It can also cause a partial denial of service (partial DoS) of Java SE and JavaFX. The CVEs are covered in CERT-In's advisory for Oracle Java, CIAD-2013-0079.
13. Oracle and Sun Systems Products Suite
(CVE-2013-0149, CVE-2013-3837, CVE-2013-3838, CVE-2013-3842, CVE-2013-5781, CVE-2013-5839)
Multiple vulnerabilities exist in various components of Oracle and Sun Systems Products Suite and could be exploited by an attacker launching unauthenticated network attacks via multiple protocols, or by acquiring logon to the operating system. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component accessible data, or can escalate the attacker's privileges, giving the unauthorized ability to cause a partial DoS, a repeatable crash (complete DoS), or operating system takeover including arbitrary code execution.
14. Oracle Virtualization
(CVE-2013-3792, CVE-2013-3834)
These two vulnerabilities exist in the Oracle VM VirtualBox component and the Secure Global Desktop component of Oracle Virtualization and could be exploited by an attacker launching unauthenticated network attacks via multiple protocols, or by acquiring logon to the operating system plus additional login/authentication to the component or subcomponent. Successful exploitation can cause a partial denial of service (partial DoS) or a repeatable crash (complete DoS) of the affected component.
15. Oracle MySQL
(CVE-2012-2750, CVE-2013-2251, CVE-2013-3839, CVE-2013-5767)
Multiple vulnerabilities exist in various components of Oracle MySQL and could be exploited by an attacker launching authenticated or unauthenticated network attacks via multiple protocols. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component accessible data, or can escalate the attacker's privileges, giving the unauthorized ability to cause a repeatable crash (complete DoS).
Solution
Apply the appropriate patches as described in the Oracle Security Bulletin for October 2013:
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Vendor Information
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
References
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
http://www.oracle.com/technetwork/topics/security/cpuoct2013verbose-1899842.html
CVE Name
CVE-2013-3831
CVE-2013-3833
CVE-2013-3836
CVE-2013-5773
CVE-2013-5791
CVE-2013-5798
CVE-2013-5813
CVE-2013-5815
CVE-2013-5816
CVE-2013-5794
CVE-2013-5836
CVE-2013-5841
CVE-2013-5847
CVE-2013-3832
CVE-2013-3840
CVE-2013-3841
CVE-2013-5761
CVE-2013-5768
CVE-2013-5769
CVE-2013-5796
CVE-2013-5835
CVE-2013-5867
CVE-2013-5822
CVE-2013-5845
CVE-2013-3814
CVE-2013-5762
CVE-2013-5811
CVE-2013-5837
CVE-2013-5856
CVE-2013-5857
CVE-2013-3837
CVE-2013-3838
CVE-2013-3842
CVE-2013-5781
CVE-2013-5839
CVE-2013-5861
CVE-2013-5862
CVE-2013-5863
CVE-2013-5864
CVE-2013-5865
CVE-2013-5866
CVE-2013-5770
CVE-2013-5786
CVE-2013-5793
CVE-2013-5807
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India