CERT-MU AD-2009-10

Multiple Vulnerabilities in various Oracle products

Original issue date: 16 July, 2009

Overview

Multiple vulnerabilities have been reported in various Oracle products, which could be exploited by remote or local attacker to impact the confidentiality, integrity and availability of data on the target system.

Description

Multiple vulnerabilities have been reported in Oracle products, the severity of which varies depending on the product, component, and configuration of the system. Specific details of each of these vulnerabilities are not available currently. Authentication is not required for exploiting some of these vulnerabilities. Successful exploitation may affect the availability of the target system, the confidentiality and integrity of data on the target system.

Affected Systems

• Oracle Database 11g, version 11.1.0.6, 11.1.0.7
• Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
• Oracle Database 10g, version 10.1.0.5
• Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
• Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.3.0, 10.1.3.4.0
• Oracle Identity Management 10g, version 10.1.4.0.1, 10.1.4.2.0, 10.1.4.3.0
• Oracle E-Business Suite Release 12, version 12.1
• Oracle E-Business Suite Release 12, version 12.0.6
• Oracle E-Business Suite Release 11i, version 11.5.10.2
• Oracle Enterprise Manager Database Control 11, version 11.1.0.6, 11.1.0.7
• Oracle Enterprise Manager Grid Control 10g Release 4, version 10.2.0.4
• PeopleSoft Enterprise PeopleTools versions: 8.49
• PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
• Siebel Highly Interactive Client versions: 7.5.3, 7.7.2, 7.8, 8.0, 8.1
• Oracle WebLogic Server 10.3, 10.0MP1
• Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3
• Oracle WebLogic Server 8.1 through 8.1 SP6
• Oracle WebLogic Server 7.0 through 7.0 SP7
• Oracle Complex Event Processing 10.3 and WebLogic Event Server 2.0
• Oracle JRockit R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2)

Impact

Severity Rating: High

Solution

Apply patches as mentioned in Oracle Advisory

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Vendor Information

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

http://blogs.oracle.com/security/

http://www.oracle.com/technology/deploy/security/alerts.htm

CVE Name

CVE-2009-1392
CVE-2009-1832
CVE-2009-1833
CVE-2009-1834
CVE-2009-1835
CVE-2009-1836
CVE-2009-1837
CVE-2009-1838
CVE-2009-1839
CVE-2009-1840
CVE-2009-1841

References

SecurityFocus

http://www.securityfocus.com/bid/35618
http://www.securityfocus.com/bid/35673
http://www.securityfocus.com/bid/35676
http://www.securityfocus.com/bid/35674
http://www.securityfocus.com/bid/35672
http://www.securityfocus.com/bid/35679
http://www.securityfocus.com/bid/35675
http://www.securityfocus.com/bid/35678
http://www.securityfocus.com/bid/35681
http://www.securityfocus.com/bid/35683
http://www.securityfocus.com/bid/35685
http://www.securityfocus.com/bid/35685
http://www.securityfocus.com/bid/35687
http://www.securityfocus.com/bid/35682
http://www.securityfocus.com/bid/35680
http://www.securityfocus.com/bid/35686
http://www.securityfocus.com/bid/35692
http://www.securityfocus.com/bid/35691
http://www.securityfocus.com/bid/35688
http://www.securityfocus.com/bid/35690
http://www.securityfocus.com/bid/35684
http://www.securityfocus.com/bid/35689
http://www.securityfocus.com/bid/35693
http://www.securityfocus.com/bid/35694
http://www.securityfocus.com/bid/35695
http://www.securityfocus.com/bid/35696
http://www.securityfocus.com/bid/35697
http://www.securityfocus.com/bid/35698