CERT-In Advisory
CIAD-2014-0061
Multiple Vulnerabilities in Oracle Products
Original Issue Date: October 17, 2014
Severity Rating: High
Systems Affected
- Oracle Database 11g Release 1, version 11.1.0.7
- Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
- Oracle Database 12c Release 1, versions 12.1.0.1, 12.1.0.2
- Oracle Application Express, versions prior to 4.2.6
- Oracle Fusion Middleware 11g Release 1, versions 11.1.1.5, 11.1.1.7
- Oracle Fusion Middleware 11g Release 2, versions 11.1.2.1, 11.1.2.2, 11.1.2.4
- Oracle Fusion Middleware 12c, versions 12.1.1.0, 12.1.2.0, 12.1.3.0
- Oracle Fusion Applications, versions 11.1.2 through 11.1.8
- Oracle Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
- Oracle Adaptive Access Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
- Oracle Endeca Information Discovery Studio versions 2.2.2, 2.3, 2.4, 3.0, 3.1
- Oracle Enterprise Data Quality versions 8.1.2, 9.0.11
- Oracle Identity Manager, versions 11.1.1.5, 11.1.1.7, 11.1.2.1, 11.1.2.2
- Oracle JDeveloper, versions 10.1.3.5, 11.1.1.7, 11.1.2.4, 12.1.2.0, 12.1.3.0
- Oracle OpenSSO version 3.0-04
- Oracle WebLogic Server, versions 10.0.2, 10.3.6, 12.1.1, 12.1.2, 12.1.3
- Application Performance Management, versions prior to 12.1.0.6.2
- Enterprise Manager for Oracle Database Releases 10g, 11g, 12c
- Oracle E-Business Suite Release 11i version 11.5.10.2
- Oracle E-Business Suite Release 12 versions 12.0.4, 12.0.6, 12.1.1, 12.1.2, 12.1.3, 12.2.2, 12.2.3, 12.2.4
- Oracle Agile PLM, versions 9.3.1.2, 9.3.3
- Oracle Transportation Management, versions 6.1, 6.2, 6.3.0 through 6.3.5
- Oracle PeopleSoft Enterprise HRMS, version 9.2
- Oracle PeopleSoft Enterprise PeopleTools, versions 8.52, 8.53, 8.54
- Oracle JD Edwards EnterpriseOne Tools, version 8.98
- Oracle Communications MetaSolv Solution, versions MetaSolv Solution: 6.2.1.0.0, LSR: 9.4.0, 10.1.0, ASR: 49.0.0
- Oracle Communications Session Border Controller, version SCX640m5
- Oracle Retail Allocation, versions 10.0, 11.0, 12.0, 13.0, 13.1, 13.2
- Oracle Retail Clearance Optimization Engine, versions 13.3, 13.4, 14.0
- Oracle Retail Invoice Matching, versions 11.0, 12.0, 12.0 IN, 12.1, 13.0, 13.1, 13.2, 14.0
- Oracle Retail Markdown Optimization, versions 12.0, 13.0, 13.1, 13.2, 13.4
- Oracle Health Sciences Empirica Inspections, versions 1.0.1.0 and prior
- Oracle Health Sciences Empirica Signal, versions 7.3.3.3 and prior
- Oracle Health Sciences Empirica Study, versions 3.1.2.0 and prior
- Oracle Primavera Contract Management, versions 13.1, 14.0
- Oracle Primavera P6 Enterprise Project Portfolio Management, versions 7.0, 8.1, 8.2, 8.3
- Oracle JavaFX, version 2.2.65
- Oracle Java SE, versions 5.0u71, 6u81, 7u67, 8u20
- Oracle Java SE Embedded, version 7u60
- Oracle JRockit, versions R27.8.3, R28.3.3
- Oracle Fujitsu server, versions M10-1, M10-4, M10-4S
- Oracle Solaris, versions 10, 11
- Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
- Oracle VM VirtualBox, versions prior to 4.1.34, 4.2.26, 4.3.14
- Oracle MySQL Server, versions 5.5.39 and earlier, 5.6.20 and earlier
Overview
Multiple vulnerabilities have been reported in various Oracle products which could be exploited by a remote attacker to cause a Denial-of-Service (partial or complete), disclosure of sensitive information, and unauthorized Operating System takeover resulting in arbitrary code execution. The attacks are carried out over the network via network protocols, with or without authentication.
Description
1. Oracle Database Server
Multiple vulnerabilities exist in various components of Oracle Database Server which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via HTTP/Oracle Net. Successful exploitation may lead to unauthorized Operating System takeover including arbitrary code execution, as well as read access, and in a few cases update, insert or delete access, to the component accessible data or a subset of the data. It may also cause a partial Denial-of-Service (partial DoS).
2. Oracle Fusion Middleware
Multiple vulnerabilities exist in various components of Oracle Fusion Middleware which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via HTTP/HTTPS.
Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access as well, to the component accessible data or a subset of the data. Some of these can even result in partial or complete DoS (Denial-of-Service) or unauthorized Operating System/component takeover including arbitrary code execution.
3. Oracle Enterprise Manager Grid Control
(CVE-2014-6557, CVE-2014-6488)
A vulnerability exists in the Enterprise Manager for Oracle Database component of Oracle Enterprise Manager Grid Control. Another vulnerability exists in the Application Performance Management component of Oracle Enterprise Manager Grid Control.
Both these vulnerabilities are difficult to exploit but an attacker can launch successful authenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read, insert, delete or update access to the component accessible data or a subset of the data.
4. Oracle E-Business Suite
Multiple vulnerabilities exist in various components of Oracle E-Business Suite which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via the HTTP protocol. Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access as well, to the component accessible data or a subset of the data. Some of these can even result in unauthorized takeover of the Oracle Applications Technology Stack, possibly including arbitrary code execution within the Oracle Applications Technology Stack.
5. Oracle Supply Chain Products Suite
(CVE-2014-6461, CVE-2014-6498, CVE-2014-6533, CVE-2014-6536, CVE-2014-6543)
Multiple vulnerabilities exist in various components of Oracle Supply Chain Products Suite which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via HTTP.
Successful exploitation may lead to unauthorized read access and, in some cases, update, insert or delete access as well, to the component accessible data or a subset of the data. Some of these can even result in partial or complete DoS (Denial-of-Service) or unauthorized Operating System/component takeover including arbitrary code execution.
6. Oracle PeopleSoft Products
(CVE-2014-6535, CVE-2014-6560, CVE-2014-6486, CVE-2014-6482, CVE-2014-6475)
Multiple vulnerabilities exist in various components of Oracle PeopleSoft Products which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via HTTP/HTTPS.
Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access as well, to the component accessible data or a subset of the data.
7. Oracle JD Edwards Products
(CVE-2014-6516)
A vulnerability exists in the JD Edwards EnterpriseOne Tools component of Oracle JD Edwards Products which could be easily exploited by an attacker who has a logon to the Operating System plus an additional login/authentication to the component or subcomponent.
Successful exploitation of this vulnerability can escalate attacker privileges resulting in unauthorized takeover of JD Edwards EnterpriseOne Tools possibly including arbitrary code execution within the JD Edwards EnterpriseOne Tools.
8. Oracle Communications Applications
(CVE-2014-0114, CVE-2014-6465)
A vulnerability exists in the Oracle Communications MetaSolv Solution component of Oracle Communications Applications. This easily exploitable vulnerability allows successful unauthenticated network attacks via HTTP. A successful attack can result in unauthorized update, insert or delete access to some Oracle Communications MetaSolv Solution accessible data, read access to a subset of Oracle Communications MetaSolv Solution accessible data, and the ability to cause a partial denial of service (partial DoS) of Oracle Communications MetaSolv Solution.
Another vulnerability exists in the Oracle Communications Session Border Controller component of Oracle Communications Applications. This vulnerability is difficult to exploit but allows successful authenticated network attacks via TCP/TLS. A successful attack can result in an unauthorized Operating System hang or frequently repeatable crash (complete DoS).
9. Oracle Retail Applications
Multiple vulnerabilities exist in various subcomponents of Oracle Retail Applications which could be exploited by an attacker by launching unauthenticated network attacks via the HTTP protocol.
Successful exploitation may lead to unauthorized takeover of the related subcomponent including arbitrary code execution within the component.
10. Oracle Health Sciences Applications
Multiple vulnerabilities exist in various subcomponents of Oracle Health Sciences Applications which could be exploited by an attacker by launching unauthenticated network attacks via HTTP.
Successful exploitation may lead to a partial DoS (Denial-of-Service) of the related component.
11. Oracle Primavera Products Suite
Two vulnerabilities exist in various subcomponents of Oracle Primavera Products. Both vulnerabilities are easy to exploit, and an attacker can launch successful authenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read, insert, delete or update access to the component accessible data or a subset of the data, or can even cause a partial DoS (Denial-of-Service).
12. Oracle Java SE
Multiple vulnerabilities exist in various subcomponents of Java SE (JSSE, Hotspot, Deployment, Libraries, AWT, JavaFX, JAXP, Security) which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via multiple protocols.
Successful exploitation can lead to unauthorized read, update, insert or delete access to the component accessible data, or can escalate attacker privileges, resulting in the unauthorized ability to cause a partial or complete DoS (Denial-of-Service) or Operating System takeover including arbitrary code execution.
13. Oracle Sun Systems Products Suite
Multiple vulnerabilities exist in various subcomponents of Oracle Sun Systems Products Suite which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via multiple protocols.
Successful exploitation can lead to unauthorized read, update, insert or delete access to the component accessible data, or can escalate attacker privileges, resulting in the unauthorized ability to cause a partial or complete DoS (Denial-of-Service) or Operating System takeover including arbitrary code execution.
14. Oracle Virtualization
(CVE-2014-2472, CVE-2014-2473, CVE-2014-2474, CVE-2014-2475, CVE-2014-2476, CVE-2014-6459, CVE-2014-6540)
Multiple vulnerabilities exist in various components of Oracle Virtualization which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via multiple protocols.
Successful exploitation may lead to the unauthorized ability to cause a partial DoS (Denial-of-Service) of the related component.
15. Oracle MySQL
Multiple vulnerabilities exist in various components of Oracle MySQL which could be exploited by an attacker by launching authenticated/unauthenticated network attacks via multiple protocols.
Successful exploitation can lead to unauthorized read, update, insert or delete access to the component accessible data, or can escalate attacker privileges, resulting in the unauthorized ability to cause a partial or complete DoS (Denial-of-Service) or Operating System takeover including arbitrary code execution.
Solution
Apply the appropriate patches as mentioned in the Oracle Critical Patch Update Advisory, October 2014:
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
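Before patching, administrators usually need to know which inventoried installations fall inside the affected ranges listed above. The following Python script is an added example, not part of this advisory or of any Oracle tooling: it compares locally recorded version strings against a table transcribed from the "Systems Affected" list for a handful of the products. Only the version numbers come from the advisory; the product keys, the three rule types ("exact", "prior_to", "at_most"), the same-release-line interpretation of the multi-version ranges, and the sample inventory are assumptions made here.

```python
"""Compare inventoried Oracle product versions with the affected ranges in CIAD-2014-0061.

Added example; the AFFECTED table is a hand transcription of part of the advisory's
"Systems Affected" list, and the rule semantics below are this example's own assumptions.
"""
import re
from typing import Optional, Tuple

# rule "exact":    the installed version must equal one of the listed versions
# rule "prior_to": versions below the listed fix level on the same release line are affected
# rule "at_most":  the listed version and everything below it on the same release line is affected
AFFECTED = {
    "Oracle Java SE": ("exact", ["5.0u71", "6u81", "7u67", "8u20"]),
    "Oracle MySQL Server": ("at_most", ["5.5.39", "5.6.20"]),
    "Oracle VM VirtualBox": ("prior_to", ["4.1.34", "4.2.26", "4.3.14"]),
    "Oracle Application Express": ("prior_to", ["4.2.6"]),
    "Oracle WebLogic Server": ("exact", ["10.0.2", "10.3.6", "12.1.1", "12.1.2", "12.1.3"]),
}

# Legacy Java runtime format, e.g. "1.7.0_67" or "1.8.0_20-b26" as printed by `java -version`.
_JAVA_LEGACY = re.compile(r"^1\.(\d+)\.\d+_(\d+)")


def _strip_trailing_zeros(parts: Tuple[int, ...]) -> Tuple[int, ...]:
    """Normalise "12.1.2.0" and "12.1.2" to the same tuple."""
    while len(parts) > 1 and parts[-1] == 0:
        parts = parts[:-1]
    return parts


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn a version string into a comparable tuple of integers.

    Java strings are reduced to (major, update) so that the advisory's "7u67"
    and the runtime's own "1.7.0_67" compare equal.
    """
    text = text.strip()
    m = _JAVA_LEGACY.match(text)
    if m:
        return (int(m.group(1)), int(m.group(2)))
    if "u" in text:
        release, update = text.split("u", 1)
        return (int(release.split(".")[0]), int(update))
    return _strip_trailing_zeros(tuple(int(p) for p in text.split(".")))


def _same_line(a: Tuple[int, ...], b: Tuple[int, ...]) -> bool:
    """Two versions share a release line when their first two components agree."""
    return a[:2] == b[:2]


def is_affected(product: str, installed: str) -> Optional[bool]:
    """True if `installed` falls in the advisory's affected set for `product`,
    False if it does not, None if the product is not in the table."""
    if product not in AFFECTED:
        return None
    rule, listed = AFFECTED[product]
    inst = parse_version(installed)
    refs = [parse_version(v) for v in listed]
    if rule == "exact":
        return inst in refs
    # Range rules compare against the listed version on the same release line; a line
    # the advisory does not mention is compared against the lowest listed version.
    candidates = [r for r in refs if _same_line(inst, r)] or [min(refs)]
    ref = candidates[0]
    if rule == "prior_to":
        return inst < ref
    if rule == "at_most":
        return inst <= ref
    raise ValueError(f"unknown rule {rule!r}")


if __name__ == "__main__":
    # Constructed sample inventory (hostname, product, version as reported by the software).
    inventory = [
        ("app01", "Oracle Java SE", "1.7.0_67"),
        ("db01", "Oracle MySQL Server", "5.5.38"),
        ("db02", "Oracle MySQL Server", "5.6.21"),
        ("dev07", "Oracle VM VirtualBox", "4.2.18"),
        ("web03", "Oracle WebLogic Server", "10.3.6.0"),
    ]
    for host, product, version in inventory:
        verdict = is_affected(product, version)
        status = {True: "AFFECTED", False: "not affected", None: "not in table"}[verdict]
        print(f"{host:6} {product:28} {version:10} {status}")
```

The script only tells you whether a recorded version string sits inside a listed range; it does not confirm that the October 2014 patch has been applied, since Oracle patch levels are not always visible in the base version number. Treat "AFFECTED" as a prompt to verify the installed patch set against the Oracle advisory linked above.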
Vendor Information
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
References
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
http://www.oracle.com/technetwork/topics/security/cpuoct2014verbose-1972962.html
CVE Name
CVE-2014-2478
CVE-2014-4290
CVE-2014-4289
CVE-2014-4291
CVE-2014-4292
CVE-2014-4293
CVE-2014-4294
CVE-2014-4295
CVE-2014-4296
CVE-2014-4297
CVE-2014-4298
CVE-2014-4299
CVE-2014-4300
CVE-2014-4301
CVE-2014-4310
CVE-2014-6452
CVE-2014-6453
CVE-2014-6454
CVE-2014-6455
CVE-2014-6467
CVE-2014-6483
CVE-2014-6537
CVE-2014-6538
CVE-2014-6542
CVE-2014-6544
CVE-2014-6545
CVE-2014-6546
CVE-2014-6547
CVE-2014-6560
CVE-2014-6563
CVE-2013-1741
CVE-2014-0119
CVE-2014-0224
CVE-2014-2880
CVE-2014-6462
CVE-2014-6487
CVE-2014-6499
CVE-2014-6522
CVE-2014-6534
CVE-2014-6552
CVE-2014-6553
CVE-2014-6554
CVE-2014-6488
CVE-2014-6557
CVE-2014-4278
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India