CERT-In Advisory
CIAD-2015-0063
Multiple Vulnerabilities in Oracle Products
Original Issue Date: November 06, 2015
Severity Rating: High
Software Affected
- Oracle Access Manager, version(s) 11.1.2.2, 11.1.2.3
- Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
- Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.1.1, 7.6.1.0.0
- Oracle Enterprise Data Quality, version(s) 8.1, 9.0, 11.1.1.7.4, 12.1.3.0.0
- Oracle Exalogic Infrastructure, version(s) EECS 2.0.6.2.3
- Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.1, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0
- Oracle GlassFish Server, version(s) 3.0.1, 3.1.2
- Oracle HTTP Server, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, 12.1.3.0
- Oracle Identity Manager, version(s) 11.1.1.7, 11.1.2.2, 11.1.2.3
- Oracle JDeveloper, version(s) 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
- Oracle Mobile Security Suite, version(s) MSS 3.0
- Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
- Oracle Traffic Director, version(s) 11.1.1.7.0, 11.1.1.9.0
- Oracle WebCenter Content, version(s) 10.1.3.5.1
- Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.6.1, 11.1.1.8.0
- Hyperion Installation Technology, version(s) 11.1.2.3
- Enterprise Manager Base Platform, version(s) 12.1.0.4, 12.1.0.5
- Enterprise Manager Ops Center, version(s) 12.1.0.1, 12.2.2
- OSS Support Tools, version(s) prior to 8.8.15.7.15
- Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4
- Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0
- Oracle Agile PLM, version(s) 9.3.3, 9.3.4
- Oracle Configurator, version(s) 12.0.6, 12.1.3, 12.2.3, 12.2.4
- Oracle Transportation Management, version(s) 6.1, 6.2
- PeopleSoft Enterprise FIN Expenses, version(s) 9.2
- PeopleSoft Enterprise FSCM, version(s) 9.2
- PeopleSoft Enterprise HCM, version(s) 9.2
- PeopleSoft Enterprise HCM Talent Acquisition Management, version(s) 9.2
- PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
- Siebel Applications, version(s) IP2014, IP2015
- Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
- Oracle Utilities Work and Asset Management, version(s) 1.9.1.1.2
- Oracle Communications Convergence, version(s) 2.0, 3.0.1
- Oracle Communications Diameter Signaling Router (DSR), version(s) 4.1.6 and prior, 5.1.0 and prior, 6.0.2 and prior, 7.1.0 and prior
- Oracle Communications LSMS, version(s) 13.1
- Oracle Communications Messaging Server, version(s) 7.0.5, 8.0
- Oracle Communications Performance Intelligence Center Software, version(s) 9.0.3 and prior, 10.1.5 and prior
- Oracle Communications Policy Management, version(s) 9.9.0 and prior, 10.5.0 and prior, 11.5.0 and prior, 12.1.0 and prior
- Oracle Communications Tekelec HLR Router, version(s) 4.0.0
- Oracle Communications User Data Repository, version(s) 10.2.0 and prior
- Oracle Retail Back Office, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, RM2.0
- Oracle Retail Central Office, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, RM2.0
- Oracle Retail Open Commerce Platform, version(s) 3.0
- Oracle Retail Returns Management, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, RM2.0
- Oracle FS1-2 Flash Storage System, version(s) 6.1, 6.2, 6.3
- Oracle VM VirtualBox, version(s) prior to 4.0.34, prior to 4.1.42, prior to 4.2.34, prior to 4.3.32, prior to 5.0.8
- Mobile Server, version(s) 10.3.0.3, 11.3.0.2, 12.1.0.0
Overview
Multiple vulnerabilities have been reported in various Oracle products which could be exploited by a remote attacker to cause Denial-of-Service (DoS) conditions, disclose sensitive information or execute arbitrary code.
Description
1. Multiple vulnerabilities in Oracle Fusion Middleware
(CVE-2014-3576, CVE-2014-1569, CVE-2015-1791, CVE-2015-0286, CVE-2015-1829, CVE-2015-4909, CVE-2014-3571, CVE-2010-1622, CVE-2015-4912, CVE-2015-4899, CVE-2014-0191, CVE-2015-4832, CVE-2015-4867, CVE-2015-4880, CVE-2015-4799, CVE-2015-4838, CVE-2015-4914, CVE-2015-4812, CVE-2015-4877, CVE-2015-4878, CVE-2015-4809, CVE-2015-4811)
Multiple vulnerabilities exist in various components of Oracle Fusion Middleware which could be exploited by a remote attacker by launching network attacks via HTTP/HTTPS. Successful exploitation of these vulnerabilities could lead to Denial-of-Service (DoS) conditions or unauthorized access to arbitrary locations on the underlying operating system.
2. Vulnerability in Oracle Hyperion
(CVE-2015-4823)
This vulnerability exists in the Hyperion Installation Technology component of Oracle Hyperion which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of this vulnerability could lead to unauthorized access to the component accessible data.
3. Multiple vulnerabilities in Oracle Enterprise Manager Grid Control
(CVE-2015-1793, CVE-2015-4859, CVE-2015-4875, CVE-2015-4874, CVE-2015-2633)
Multiple vulnerabilities exist in various components of Oracle Enterprise Manager Grid Control which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of these vulnerabilities could lead to unauthorized access to the component's accessible data or could result in partial Denial-of-Service (DoS) conditions.
4. Multiple vulnerabilities in Oracle E-Business Suite
(CVE-2015-4798, CVE-2015-4839, CVE-2015-4849, CVE-2015-4851, CVE-2015-4886, CVE-2015-4884, CVE-2015-4845, CVE-2015-4854, CVE-2015-4762, CVE-2015-4898, CVE-2015-4846, CVE-2015-4865)
Multiple vulnerabilities exist in various components of Oracle E-Business Suite which could be exploited by a remote attacker by launching network attacks via HTTP/HTTPS. Successful exploitation of these vulnerabilities could lead to unauthorized access to the component's accessible data or could result in partial Denial-of-Service (DoS) conditions.
5. Multiple vulnerabilities in Oracle Supply Chain Products Suite
(CVE-2015-1791, CVE-2015-4848, CVE-2015-1793, CVE-2015-4847, CVE-2015-4892, CVE-2015-4797, CVE-2015-4917, CVE-2015-4824)
Multiple vulnerabilities exist in various components of Oracle Supply Chain Products Suite which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of these vulnerabilities could lead to unauthorized access to the component's accessible data or could result in partial Denial-of-Service (DoS) conditions.
6. Multiple vulnerabilities in Oracle PeopleSoft Products
(CVE-2015-1791, CVE-2015-4887, CVE-2015-4850, CVE-2015-4818, CVE-2015-4828, CVE-2015-4804, CVE-2015-4876, CVE-2015-4825)
Multiple vulnerabilities exist in various components of Oracle PeopleSoft Products which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of these vulnerabilities could lead to unauthorized access to the component's accessible data, unauthorized operating system takeover including arbitrary code execution, or could result in partial Denial-of-Service (DoS) conditions.
7. Vulnerability in Oracle Siebel CRM
(CVE-2015-4841)
The vulnerability exists in various components of Oracle Siebel CRM which could be exploited by a remote attacker by launching network attacks via HTTPS. Successful exploitation of this vulnerability could lead to unauthorized access to the component's accessible data.
8. Vulnerability in Oracle Industry Applications
(CVE-2015-4795)
The vulnerability exists in the Oracle Utilities Work and Asset Management component of Oracle Industry Applications which could be exploited by a remote attacker by launching unauthenticated network attacks via HTTP. Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to Oracle Utilities Work and Asset Management accessible data, read access to a subset of Oracle Utilities Work and Asset Management accessible data, or partial Denial-of-Service (DoS) conditions.
9. Multiple vulnerabilities in Oracle Communications Applications
(CVE-2015-2608, CVE-2015-7940, CVE-2015-0235, CVE-2015-4793, CVE-2015-4000)
Multiple vulnerabilities exist in various components of Oracle Communications Applications which could be exploited by a remote attacker by launching unauthenticated network attacks via HTTP or SSL/TLS. Successful exploitation of these vulnerabilities could lead to unauthorized access to the component's accessible data, unauthorized operating system takeover including arbitrary code execution, or could result in partial Denial-of-Service (DoS) conditions.
10. Multiple vulnerabilities in Oracle Retail Applications
(CVE-2015-0050, CVE-2015-4827)
Multiple vulnerabilities exist in various components of Oracle Retail Applications which could be exploited by a remote attacker by launching unauthenticated network attacks via HTTP. Successful exploitation of these vulnerabilities can result in unauthorized update, insert or delete access to some Oracle Retail Open Commerce Platform accessible data, or read access to a subset of Oracle Retail Open Commerce Platform accessible data.
Solution
Apply the appropriate patches as described in the Oracle Critical Patch Update Advisory (October 2015), available at
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Vendor Information
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
References
Oracle Corporation
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Security Tracker
http://securitytracker.com/id/1033898
http://securitytracker.com/id/1033876
http://securitytracker.com/id/1033897
http://securitytracker.com/id/1033344
http://securitytracker.com/id/1033877
http://securitytracker.com/id/1033888
http://securitytracker.com/id/1033899
http://securitytracker.com/id/1033903
http://securitytracker.com/id/1033878
http://securitytracker.com/id/1033879
http://securitytracker.com/id/1033900
http://securitytracker.com/id/1031623
http://securitytracker.com/id/1031641
http://securitytracker.com/id/1032932
http://securitytracker.com/id/1031307
http://securitytracker.com/id/1031528
CVE Name
CVE-2014-3576
CVE-2014-1569
CVE-2015-1791
CVE-2015-0286
CVE-2015-1829
CVE-2015-4909
CVE-2014-3571
CVE-2010-1622
CVE-2015-4912
CVE-2015-4899
CVE-2014-0191
CVE-2015-4832
CVE-2015-4867
CVE-2015-4880
CVE-2015-4799
CVE-2015-4838
CVE-2015-4914
CVE-2015-4812
CVE-2015-4877
CVE-2015-4878
CVE-2015-4809
CVE-2015-4811
CVE-2015-4823
CVE-2015-1793
CVE-2015-4859
CVE-2015-4875
CVE-2015-4874
CVE-2015-2633
CVE-2015-4798
CVE-2015-4839
CVE-2015-4849
CVE-2015-4851
CVE-2015-4886
CVE-2015-4884
CVE-2015-4845
CVE-2015-4854
CVE-2015-4762
CVE-2015-4898
CVE-2015-4846
CVE-2015-4865
CVE-2015-4848
CVE-2015-4847
CVE-2015-4892
CVE-2015-4797
CVE-2015-4917
CVE-2015-4824
CVE-2015-4887
CVE-2015-4850
CVE-2015-4818
CVE-2015-4828
CVE-2015-4804
CVE-2015-4876
CVE-2015-4825
CVE-2015-4841
CVE-2015-4795
CVE-2015-2608
CVE-2015-7940
CVE-2015-0235
CVE-2015-4793
CVE-2015-4000
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In) Ministry of Electronics and Information Technology Government of India Electronics Niketan 6, CGO Complex, Lodhi Road, New Delhi - 110 003 India