    Multiple Vulnerabilities in Oracle Products

    Severity Rating: High
    Systems Affected
    • Oracle Database 11g Release 1, version 11.1.0.7
    • Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
    • Oracle Database 12c Release 1, version 12.1.0.1
    • Oracle Fusion Middleware 11g Release 1, version 11.1.1.7
    • Oracle Fusion Middleware 12c Release 1, version 12.1.2.0
    • Oracle Fusion Applications, versions 11.1.2 through 11.1.8
    • Oracle Glassfish Server, versions 2.1.1, 3.0.1, 3.1.2
    • Oracle Traffic Director, version 11.1.1.7.0
    • Oracle iPlanet Web Proxy Server, version 4.0.24
    • Oracle iPlanet Web Server, versions 6.1, 7.0
    • Oracle WebCenter Portal, versions 11.1.1.7.0, 11.1.1.8.0
    • Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
    • Oracle JDeveloper, versions 11.1.1.7.0, 11.1.2.4.0, 12.1.2.0.0
    • Oracle BI Publisher, version 11.1.1.7
    • Oracle Glassfish Communications Server, version 2.0
    • Oracle HTTP Server, versions 11.1.1.7.0, 12.1.2.0
    • Oracle Hyperion Essbase, versions 11.1.2.2, 11.1.2.3
    • Oracle Hyperion BI+, versions 11.1.2.2, 11.1.2.3
    • Oracle Hyperion Enterprise Performance Management Architect, versions 11.1.2.2, 11.1.2.3
    • Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
    • Oracle Hyperion Analytic Provider Services, versions 11.1.2.2, 11.1.2.3
    • Oracle E-Business Suite Release 11i, version 11.5.10.2
    • Oracle E-Business Suite Release 12i, versions 12.0.6, 12.1.3, 12.2.2, 12.2.3
    • Oracle Transportation Management, versions 6.1, 6.2, 6.3, 6.3.1, 6.3.2, 6.3.3, 6.3.4
    • Oracle Agile Product Collaboration, version 9.3.3
    • Oracle PeopleSoft Enterprise ELS Enterprise Learning Management, versions 9.1, 9.2
    • Oracle PeopleSoft Enterprise PT PeopleTools, versions 8.52, 8.53
    • Oracle PeopleSoft Enterprise FIN Install, versions 9.1, 9.2
    • Oracle PeopleSoft Enterprise SCM Purchasing, versions 9.1, 9.2
    • Oracle Siebel Travel & Transportation, versions 8.1.1, 8.2.2
    • Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
    • Oracle Siebel Core - Server OM Frwks, versions 8.1.1, 8.2.2
    • Oracle Siebel Core - EAI, versions 8.1.1, 8.2.2
    • Oracle Communications Messaging Server, version 7.0.5.30.0
    • Oracle Retail Back Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0
    • Oracle Retail Central Office, versions 8.0, 12.0, 12.0.9IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0
    • Oracle Retail Returns Management, versions 2.0, 13.1, 13.2, 13.3, 13.4, 14.0
    • Oracle Java SE, versions 5.0u65, 6u75, 7u60, 8u5
    • Oracle JRockit, versions R27.8.2, R28.3.2
    • Oracle Solaris, versions 8, 9, 10, 11.1
    • Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
    • Oracle VM VirtualBox, versions prior to 3.2.24, 4.0.26, 4.1.34, 4.2.26, 4.3.14
    • Oracle Virtual Desktop Infrastructure (VDI), versions prior to 3.5.1
    • Sun Ray Software, versions prior to 5.4.3
    • Oracle MySQL Server, versions 5.5, 5.6

    Overview
    Multiple vulnerabilities have been reported in various Oracle products. A remote attacker could exploit them over the network, with or without authentication, to cause a partial or complete denial of service (DoS), disclose sensitive information, or take over the underlying operating system and execute arbitrary code.

    Description
    A total of 113 vulnerabilities have been reported across Oracle products; the severity of each depends on the product, the component and the system configuration. Most of them can be exploited without authentication. Successful exploitation affects system availability, data confidentiality and data integrity.

    1. Oracle Database Server
    Five vulnerabilities exist in various components of Oracle Database Server and can be exploited through authenticated or unauthenticated network attacks over HTTP or Oracle Net.
    Successful exploitation can lead to takeover of the underlying operating system, including arbitrary code execution, as well as read access to arbitrary operating-system files.

    2. Oracle Fusion Middleware
    Twenty-nine vulnerabilities exist in various components of Oracle Fusion Middleware and can be exploited through authenticated or unauthenticated network attacks over HTTP, HTTPS and other protocols.

    Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to all or a subset of the data accessible to the component. Some of these vulnerabilities can also cause a partial or complete denial of service (DoS), or takeover of the component or the operating system, including arbitrary code execution.

    3. Oracle Hyperion
    Seven vulnerabilities exist in various components of Oracle Hyperion and can be exploited through authenticated or unauthenticated network attacks over HTTP, XML or TCP.

    Successful exploitation can lead to unauthorized read, insert, delete or update access to all or a subset of the data accessible to the component, or to takeover of the component, including arbitrary code execution within it. Some of these vulnerabilities can also cause a partial or complete denial of service (DoS).

    4. Oracle Enterprise Manager Grid Control
    A vulnerability exists in the Solaris component of Oracle Enterprise Manager Grid Control. It is easily exploitable and allows authenticated network attacks over SSL/TLS.

    Successful exploitation can lead to unauthorized read access to a subset of Solaris-accessible data. The vulnerability applies only when Cacao (the Common Agent Container) is running on the Solaris platform.

    5. Oracle E-Business Suite
    Five vulnerabilities exist in various components of Oracle E-Business Suite and can be exploited through authenticated or unauthenticated network attacks over HTTP or HTTPS. Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to all or a subset of the data accessible to the component.

    6. Oracle Supply Chain Products Suite
    Three vulnerabilities exist in various components of Oracle Supply Chain Products Suite and can be exploited through authenticated or unauthenticated network attacks over HTTP.

    Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to all or a subset of the data accessible to the component.

    7. Oracle PeopleSoft Products
    Five vulnerabilities exist in various components of Oracle PeopleSoft Products and can be exploited through authenticated or unauthenticated network attacks over HTTP or HTTPS. Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to all or a subset of the data accessible to the component. Some of these vulnerabilities can also lead to takeover of the component or the operating system, including arbitrary code execution.

    8. Oracle Siebel CRM
    Six vulnerabilities exist in various components of Oracle Siebel CRM and can be exploited through authenticated or unauthenticated network attacks over HTTP.
    Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to all or a subset of the data accessible to the component.

    9. Oracle Communications Application
    A vulnerability exists in the Oracle Communications Messaging Server component of Oracle Communications Applications. It is easily exploitable and allows unauthenticated network attacks over SSL/TLS.

    Successful exploitation can lead to unauthorized update, insert or delete access to some of the data accessible to Oracle Communications Messaging Server, read access to a subset of that data, and a partial denial of service (DoS) of the server.

    10. Oracle Retail Applications
    A vulnerability exists in the Oracle Retail Back Office component of Oracle Retail Applications. It is easily exploitable and allows unauthenticated network attacks over HTTP.

    Successful exploitation can lead to unauthorized update, insert or delete access to some of the data accessible to Oracle Retail Back Office, read access to a subset of that data, and a partial denial of service (DoS) of the application.

    11. Oracle Java SE
    Twenty vulnerabilities exist in various subcomponents of Java SE (Libraries, Hotspot, Deployment, JMX, Security, JavaFX, Serviceability, Swing) and can be exploited through authenticated or unauthenticated network attacks over multiple protocols.

    Successful exploitation can lead to unauthorized read, update, insert or delete access to the data accessible to the component, or to takeover of the operating system, including arbitrary code execution. Some of these vulnerabilities can also cause a partial denial of service (DoS).

    12. Oracle and Sun Systems Products Suite
    Three vulnerabilities exist in the Solaris component of Oracle and Sun Systems Products Suite. They are easily exploitable by a local attacker who already has a login to the operating system.

    Successful exploitation can lead to takeover of the operating system, including arbitrary code execution, and to a partial or complete denial of service (DoS).

    13. Oracle Virtualization
    Fifteen vulnerabilities exist in various components of Oracle Virtualization. Some can be exploited through unauthenticated network attacks over HTTP or TCP; others require a login to the operating system plus additional authentication to the component or subcomponent.

    Successful exploitation can lead to unauthorized read, update, insert or delete access to the data accessible to the component, or to privilege escalation resulting in a partial or complete denial of service (DoS) or takeover of the operating system, including arbitrary code execution.

    14. Oracle MySQL
    Ten vulnerabilities exist in various components of Oracle MySQL and can be exploited through authenticated or unauthenticated network attacks over multiple protocols.

    Successful exploitation can lead to unauthorized read, update, insert or delete access to the data accessible to the component, or to privilege escalation resulting in a partial or complete denial of service (DoS) or takeover of the operating system, including arbitrary code execution. The MySQL Enterprise Server 5.6 update also includes the fix for CVE-2014-0160 ('Heartbleed') in the OpenSSL library it is built with.

    Solution

    Apply the patches listed in the Oracle Critical Patch Update Advisory for July 2014 (the Oracle security bulletin linked below). Oracle CPU advisories cover only product versions that are still under support, so an installed version that does not appear in the list above must not be assumed to be unaffected; unsupported releases should be upgraded to a supported, patched version.
    http://www.oracle.com/technetwork/to...4-1972956.html
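The "Systems Affected" list above mixes three kinds of statement: exact versions that need the CPU patch applied (Database, WebLogic, MySQL release lines), "versions prior to X" ranges with a fixed version per release line (VirtualBox, VDI, Sun Ray Software), and Java SE, where Oracle names only the latest update of each family. The script below is an added example, not part of the advisory or of any Oracle tooling: it transcribes a subset of the list and matches a constructed software inventory against it, normalising `java -version` output such as `1.7.0_60` to the advisory's `7u60` form. It goes beyond the literal list in one place, marked in the code: earlier Java updates of a listed family are treated as affected too. A version that matches no entry is reported as "not-listed", never as safe.

```python
"""Match an installed-software inventory against the affected-version list
in the Oracle Critical Patch Update advisory of July 2014 (added example)."""
import re
from typing import Dict, List, Tuple

Version = Tuple[int, ...]

# Entry kinds, following how the advisory words each product:
#   "listed"   - these versions are named as affected; a match means the release
#                needs the July 2014 CPU patch. No match does NOT mean "safe".
#   "prior_to" - "versions prior to X": below X on the same release line is
#                affected, X or later on that line is fixed.
#   "up_to"    - Java SE: the advisory names the latest update of each family;
#                ASSUMPTION added here: earlier updates of that family are
#                affected as well (the advisory itself does not say so).
AFFECTED: Dict[str, Tuple[str, List[str]]] = {
    "Oracle Database": ("listed", ["11.1.0.7", "11.2.0.3", "11.2.0.4", "12.1.0.1"]),
    "Oracle WebLogic Server": ("listed", ["10.0.2.0", "10.3.6.0", "12.1.1.0", "12.1.2.0"]),
    "Oracle MySQL Server": ("listed", ["5.5", "5.6"]),
    "Oracle Java SE": ("up_to", ["5.0u65", "6u75", "7u60", "8u5"]),
    "Oracle VM VirtualBox": ("prior_to", ["3.2.24", "4.0.26", "4.1.34", "4.2.26", "4.3.14"]),
    "Oracle Virtual Desktop Infrastructure (VDI)": ("prior_to", ["3.5.1"]),
    "Sun Ray Software": ("prior_to", ["5.4.3"]),
}

# Accepts both "7u60" / "5.0u65" (advisory style) and "1.7.0_60" (java -version).
JAVA_RE = re.compile(r"^(?:1\.)?(\d+)(?:\.\d+)*[u_](\d+)")


def parse_version(product: str, version: str) -> Version:
    """Normalise a version string to a tuple of ints; Java becomes (family, update)."""
    if product == "Oracle Java SE":
        m = JAVA_RE.match(version)
        if not m:
            raise ValueError(f"unrecognised Java version: {version!r}")
        return (int(m.group(1)), int(m.group(2)))
    nums = re.findall(r"\d+", version)
    if not nums:
        raise ValueError(f"unrecognised version: {version!r}")
    return tuple(int(n) for n in nums)


def check(product: str, installed: str) -> Tuple[str, str]:
    """Return (status, detail); status is "affected", "fixed" or "not-listed"."""
    kind, versions = AFFECTED[product]
    inst = parse_version(product, installed)
    parsed = [(v, parse_version(product, v)) for v in versions]
    if kind == "listed":
        for v, lv in parsed:
            if inst[:len(lv)] == lv:  # prefix match: 5.6.17 lies on line 5.6
                return "affected", f"release {v} is listed; confirm the July 2014 CPU patch is applied"
        return "not-listed", "not in the advisory; may be unsupported, do not assume unaffected"
    if kind == "up_to":
        for v, lv in parsed:
            if inst[0] == lv[0]:
                return ("affected", f"at or below listed {v}") if inst <= lv else ("fixed", f"above listed {v}")
        return "not-listed", "Java family not in the advisory"
    # "prior_to": compare against the fixed version on the same release line (x.y)
    for v, fv in parsed:
        if inst[:2] == fv[:2]:
            return ("affected", f"below fixed version {v}") if inst < fv else ("fixed", f"at or above {v}")
    if inst < min(fv for _, fv in parsed):
        return "affected", "older than every fixed version listed"
    return "not-listed", "newer release line than the advisory covers"


# Constructed sample inventory: (host, product, version as reported by the host).
SAMPLE_INVENTORY = [
    ("db01", "Oracle Database", "11.2.0.4.0"),
    ("db02", "Oracle Database", "11.2.0.2.0"),
    ("app01", "Oracle WebLogic Server", "10.3.6.0"),
    ("app01", "Oracle Java SE", "1.7.0_60"),
    ("app02", "Oracle Java SE", "1.7.0_65"),
    ("app02", "Oracle Java SE", "1.6.0_45"),
    ("mysql01", "Oracle MySQL Server", "5.6.17"),
    ("ws07", "Oracle VM VirtualBox", "4.3.12"),
    ("ws08", "Oracle VM VirtualBox", "4.3.14"),
    ("vdi01", "Oracle Virtual Desktop Infrastructure (VDI)", "3.4.1"),
]


def report(inventory) -> List[Tuple[str, str, str, str]]:
    """Evaluate every inventory row and return (host, product, version, status)."""
    return [(h, p, v, check(p, v)[0]) for h, p, v in inventory]


if __name__ == "__main__":
    for host, product, version, status in report(SAMPLE_INVENTORY):
        print(f"{host:8} {product:45} {version:12} {status}")
```

The "listed" entries deliberately cannot return "fixed": the CPU patches for Database and WebLogic are applied on top of the same base version, so a matching version string only tells you the release line needs the patch, and the patch inventory of the host (for Oracle Database, for instance, the applied-patch history the database records) has to be checked separately.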

    Vendor Information
    Oracle Corporation
    http://www.oracle.com/technetwork/to...4-1972956.html

    References
    Oracle Corporation
    http://www.oracle.com/technetwork/to...4-1972956.html
    http://www.oracle.com/technetwork/to...e-1972958.html