    Multiple Vulnerabilities in Oracle Products


    Severity Rating: High

    Systems Affected

    • Oracle Database 11g Release 1, version 11.1.0.7
    • Oracle Database 11g Release 2, versions 11.2.0.3, 11.2.0.4
    • Oracle Database 12c Release 1, version 12.1.0.1
    • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.7, 11.1.1.8
    • Oracle Fusion Middleware 12c Release 1, versions 12.1.1.0, 12.1.2.0
    • Oracle Fusion Applications, versions 11.1.2 through 11.1.8
    • Oracle Access Manager, versions 10.1.4.3, 11.1.1.3.0, 11.1.1.5.0, 11.1.1.7.0, 11.1.2.0.0, 11.1.2.1.0, 11.1.2.2.0
    • Oracle Containers for J2EE, version 10.1.3.5
    • Oracle Data Integrator, version 11.1.1.3.0
    • Oracle Endeca Server, version 2.2.2
    • Oracle Event Processing, version 11.1.1.7.0
    • Oracle Identity Analytics, version 11.1.1.5, Sun Role Manager, version 5.0
    • Oracle OpenSSO, version 8.0 Update 2 Patch 5
    • Oracle OpenSSO Policy Agent, version 3.0-03
    • Oracle WebCenter Portal, versions 11.1.1.7, 11.1.1.8
    • Oracle WebLogic Server, versions 10.0.2.0, 10.3.6.0, 12.1.1.0, 12.1.2.0
    • Oracle Hyperion Common Admin, versions 11.1.2.2, 11.1.2.3
    • Oracle E-Business Suite Release 11i, 12i
    • Oracle Agile PLM Framework, versions 9.3.1.1, 9.3.3.0
    • Oracle Agile Product Lifecycle Management for Process, versions 6.0.0.7, 6.1.1.3
    • Oracle Transportation Management, versions 6.3, 6.3.4
    • Oracle PeopleSoft Enterprise CS Campus Self Service, version 9.0
    • Oracle PeopleSoft Enterprise HRMS Talent Acquisition Manager, versions 8.52, 8.53
    • Oracle PeopleSoft Enterprise PT Tools, versions 8.52, 8.53
    • Oracle Siebel UI Framework, versions 8.1.1, 8.2.2
    • Oracle iLearning, versions 6.0, 6.1
    • Oracle JavaFX, version 2.2.51
    • Oracle Java SE, versions 5.0u61, 6u71, 7u51, 8
    • Oracle Java SE Embedded, version 7u51
    • Oracle JRockit, versions R27.8.1, R28.3.1
    • Oracle Solaris, versions 9, 10, 11.1
    • Oracle Secure Global Desktop, versions 4.63, 4.71, 5.0, 5.1
    • Oracle VM VirtualBox, versions prior to 3.2.22, 4.0.24, 4.1.32, 4.2.24, 4.3.10
    • Oracle MySQL Server, versions 5.5, 5.6

    Overview

    Multiple vulnerabilities have been reported in various Oracle products. A remote attacker could exploit them over network protocols, with or without authentication, to cause a partial or complete Denial-of-Service, disclose sensitive information, or take over the Operating System and execute arbitrary code.

    Description

    Multiple vulnerabilities (104) have been reported in various Oracle products; their severity depends on the product, the affected component and the system configuration. Most of these vulnerabilities can be exploited without authentication.

    Successful exploitation broadly affects system availability, data confidentiality and data integrity.

    1. Oracle Database Server

    A vulnerability exists in the Core RDBMS component of Oracle Database Server which could be exploited by an attacker launching authenticated network attacks via Oracle Net. A successful attack requires additional privileges such as Create Session, Advisor and Select Any Dictionary. Another vulnerability exists in the same component but is very difficult to exploit; a successful attack requires privileges such as Create Session and Grant Any Object Privilege. Successful exploitation can lead to unauthorized Operating System takeover including arbitrary code execution, or to unauthorized write access and read access to any arbitrary Operating System location.

    2. Oracle Fusion Middleware

    Multiple vulnerabilities (20) exist in various components of Oracle Fusion Middleware which could be exploited by an attacker launching authenticated or unauthenticated network attacks via the HTTP, HTTPS or T3 protocols. Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to the component-accessible data or a subset of it. Some of these can even result in partial or complete DoS (Denial-of-Service) or unauthorized Operating System or component takeover including arbitrary code execution.

    3. Oracle Hyperion

    Multiple vulnerabilities (3) exist in the Hyperion Common Admin component of Oracle Hyperion which could be exploited, with difficulty, by an attacker launching authenticated or unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read, insert, delete or update access to the component-accessible data or a subset of it, or to unauthorized takeover of Hyperion Common Admin, possibly including arbitrary code execution within the component.

    4. Oracle Supply Chain Products Suite

    Multiple vulnerabilities (10) exist in various components of Oracle Supply Chain Products Suite which could be exploited by an attacker launching authenticated or unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to the component-accessible data or a subset of it.

    5. Oracle PeopleSoft Products

    Multiple vulnerabilities (8) exist in various components of Oracle PeopleSoft Products which could be exploited by an attacker launching authenticated or unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized read access and, in some cases, update, insert or delete access to the component-accessible data or a subset of it. One of these can even escalate the attacker's privileges, resulting in the unauthorized ability to cause a partial DoS (Denial-of-Service).

    6. Oracle Siebel CRM

    A vulnerability exists in the Siebel UI Framework component of Oracle Siebel CRM which could be exploited, with some difficulty, by an attacker launching unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized update, insert or delete access to some Siebel UI Framework-accessible data.

    7. Oracle iLearning

    A vulnerability exists in the Oracle iLearning component of Oracle iLearning which could be exploited by an attacker launching unauthenticated network attacks via HTTP. Successful exploitation can lead to unauthorized update, insert or delete access to some Oracle iLearning-accessible data.


    8. Oracle Java SE

    Multiple vulnerabilities (37) exist in the Java SE, Java SE Embedded, JavaFX and JRockit components of Oracle Java SE which could be exploited by an attacker launching authenticated or unauthenticated network attacks via multiple protocols. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component-accessible data, or to unauthorized Operating System takeover including arbitrary code execution. Some of these vulnerabilities can even cause a partial DoS (Denial-of-Service).

    9. Oracle and Sun Systems Products Suite

    Multiple vulnerabilities (3) exist in various components of Oracle and Sun Systems Products Suite which could be easily exploited by an attacker who has obtained a logon to the Operating System. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component-accessible data, or can escalate the attacker's privileges, resulting in the unauthorized ability to cause a partial or complete DoS (Denial-of-Service).

    10. Oracle Virtualization

    Multiple vulnerabilities (5) exist in various components of Oracle Virtualization which could be exploited by an attacker launching unauthenticated network attacks via HTTP or TCP, or by an attacker with a logon to the Operating System plus an additional login to the component or subcomponent. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component-accessible data, or can escalate the attacker's privileges, resulting in the unauthorized ability to cause a partial or complete DoS (Denial-of-Service) or Operating System takeover including arbitrary code execution.

    11. Oracle MySQL

    Multiple vulnerabilities (14) exist in various components of Oracle MySQL which could be exploited by an attacker launching authenticated or unauthenticated network attacks via multiple protocols. Successful exploitation can lead to unauthorized read, update, insert or delete access to the component-accessible data, or can escalate the attacker's privileges, resulting in the unauthorized ability to cause a partial or complete DoS (Denial-of-Service) or Operating System takeover including arbitrary code execution.

    Solution

    Apply the appropriate patches as described in the Oracle Security Bulletin for April 2014:
    http://www.oracle.com/technetwork/to...4-1972952.html
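    Before the patches can be applied, an administrator has to know which inventory entries fall inside the "Systems Affected" list above. The script below is an added example (not part of the advisory and not Oracle's tooling) that classifies a constructed inventory against a subset of the affected entries transcribed from that list; the product names used as dictionary keys, the verdict strings and the sample hosts are all assumptions made for the example. It distinguishes the advisory's three kinds of wording: an exact listed version (where the fix is a CPU patch on top of the same base version, so a match means "verify the patch is applied"), a whole branch (MySQL 5.5, 5.6), and "versions prior to" a fix release (VirtualBox).

```python
"""Inventory triage helper for the April 2014 Oracle CPU advisory (added example)."""
from typing import Dict, List, Tuple

# Rule kinds, following the advisory's own wording:
#   "exact"    - the listed version itself is affected; the fix is a CPU patch on
#                top of that version, so a match means "verify the patch is applied"
#   "branch"   - every release in the listed branch is in scope (e.g. MySQL 5.5, 5.6)
#   "prior_to" - anything older than the listed fix release on that branch is affected
# Subset transcribed from the advisory's "Systems Affected" list; extend as needed.
AFFECTED: Dict[str, Dict[str, List[str]]] = {
    "Oracle Database": {"exact": ["11.1.0.7", "11.2.0.3", "11.2.0.4", "12.1.0.1"]},
    "Oracle WebLogic Server": {"exact": ["10.0.2.0", "10.3.6.0", "12.1.1.0", "12.1.2.0"]},
    "Oracle Java SE": {"exact": ["5.0u61", "6u71", "7u51", "8"]},
    "Oracle MySQL Server": {"branch": ["5.5", "5.6"]},
    "Oracle VM VirtualBox": {"prior_to": ["3.2.22", "4.0.24", "4.1.32", "4.2.24", "4.3.10"]},
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Normalise Oracle-style version strings into comparable integer tuples.

    '11.2.0.4.0' -> (11, 2, 0, 4); '7u51' -> (7, 51); '5.0u61' -> (5, 0, 61);
    'R28.3.1' -> (28, 3, 1). Trailing zeros are dropped so that '8' equals '8.0'.
    """
    cleaned = text.strip().lstrip("Rr").replace("u", ".")
    parts: List[int] = []
    for piece in cleaned.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def assess(product: str, installed: str) -> str:
    """Classify one inventory row against the advisory list (verdict strings are assumptions)."""
    rule = AFFECTED.get(product)
    if rule is None:
        return "NOT LISTED"
    inst = parse_version(installed)
    for listed in rule.get("exact", []):
        if inst == parse_version(listed):
            return "LISTED: verify CPU patch applied"
    for listed in rule.get("branch", []):
        branch = parse_version(listed)
        if inst[: len(branch)] == branch:
            return "LISTED: verify CPU patch applied"
    for fix in rule.get("prior_to", []):
        fix_v = parse_version(fix)
        if inst[:2] == fix_v[:2]:  # same maintenance branch as this fix release
            return "AFFECTED: older than fix release" if inst < fix_v else "AT FIX LEVEL OR LATER"
    if "prior_to" in rule:
        return "UNKNOWN BRANCH: review manually"  # branch not covered by any fix release
    return "NOT LISTED"


# Constructed sample inventory (hostnames and versions are made up for the example).
SAMPLE_INVENTORY = [
    ("db01", "Oracle Database", "11.2.0.4.0"),
    ("app01", "Oracle WebLogic Server", "10.3.6.0"),
    ("ws17", "Oracle Java SE", "7u51"),
    ("ws18", "Oracle Java SE", "7u55"),
    ("mysql01", "Oracle MySQL Server", "5.6.17"),
    ("lab03", "Oracle VM VirtualBox", "4.3.8"),
    ("lab04", "Oracle VM VirtualBox", "4.3.10"),
    ("build01", "Apache Tomcat", "7.0.52"),  # not an Oracle product, not in the list
]


def triage(inventory) -> Dict[str, str]:
    """Return {host: verdict} for every inventory row."""
    return {host: assess(product, version) for host, product, version in inventory}


def hosts_needing_action(inventory) -> List[str]:
    """Hosts whose verdict calls for patching or a manual check, sorted by name."""
    flagged = ("LISTED", "AFFECTED", "UNKNOWN")
    return sorted(h for h, v in triage(inventory).items() if v.startswith(flagged))


if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10} {verdict}")
```

    A version string alone cannot tell a patched Oracle Database or WebLogic installation from an unpatched one, since the CPU patch does not change the base version; for those entries the verdict deliberately says "verify", and the check has to be completed against the patch inventory of each host.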

    Vendor Information
    Oracle Corporation
    http://www.oracle.com/technetwork/to...4-1972952.html

    References

    Oracle Corporation
    http://www.oracle.com/technetwork/to...4-1972952.html
    http://www.oracle.com/technetwork/to...e-1972954.html