Information security

Another Oracle quarterly security update
updated since 16 July 2009
Published: 16 February 2010
Source:
SecurityVulns ID: 10077
Type: remote
Severity: 8/10
Description: About 30 vulnerabilities fixed across all product lines.
Affected products: ORACLE : WebLogic Server 7.0
 ORACLE : Oracle 9i
 ORACLE : Oracle E-Business Suite 11.5
 ORACLE : Oracle 10g
 ORACLE : WebLogic Server 8.1
 ORACLE : Oracle 11g
 ORACLE : PeopleSoft Enterprise PeopleTools 8.49
 ORACLE : WebLogic Server 9.0
 ORACLE : WebLogic Server 9.1
 ORACLE : WebLogic Server 9.2
 ORACLE : PeopleSoft Enterprise HRMS 8.9
 ORACLE : PeopleSoft Enterprise HRMS 9.0
 ORACLE : WebLogic Server 10.3
 ORACLE : JRockit 27.6
 ORACLE : Oracle E-Business Suite 12.1
 ORACLE : Oracle E-Business Suite 12.0
 ORACLE : Oracle Enterprise Manager Database Control 11
 ORACLE : Oracle Enterprise Manager Grid Control 10g
 ORACLE : Siebel Highly Interactive Client 7.5
 ORACLE : Siebel Highly Interactive Client 7.7
 ORACLE : Siebel Highly Interactive Client 7.8
 ORACLE : Siebel Highly Interactive Client 8.0
 ORACLE : Siebel Highly Interactive Client 8.1
 ORACLE : Oracle Complex Event Processing 10.3
 ORACLE : WebLogic Event Server 2.0
CVE: CVE-2009-1989 (Unspecified vulnerability in the PeopleSoft Enterprise FMS component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.8 SP1, 8.9 Bundle 14, and 9.0 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2009-1988 (Unspecified vulnerability in the PeopleSoft Enterprise HRMS eProfile Manager component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.8 SP1, 8.9 Bundle 14, and 9.0 Bundle 9 allows remote authenticated users to affect confidentiality via unknown vectors.)
 CVE-2009-1987 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools - Enterprise Portal component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.49.21 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-1984 (Unspecified vulnerability in the Application Install component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to the Patch Administrator.)
 CVE-2009-1983 (Unspecified vulnerability in the Oracle iStore component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-1982 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2 and 12.0.6 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-1981 (Unspecified vulnerability in the Highly Interactive Client component in Siebel Product Suite 7.5.3, 7.7.2, 7.8.2, 8.0.0.5, and 8.1.0 allows local users to affect confidentiality and integrity via unknown vectors.)
 CVE-2009-1980 (Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2009-1978 (Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2009-1977 (Unspecified vulnerability in the Oracle Secure Backup component in Oracle Secure Backup 10.2.0.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2009-1976 (Unspecified vulnerability in the HTTP Server component in Oracle Application Server 10.1.2.3 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-1975 (Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3 allows remote attackers to affect confidentiality, integrity, and availability, related to the WLS Console Package.)
 CVE-2009-1974 (Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, 8.1 SP6, and 7.0 SP7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors related to the Servlet Container Package.)
 CVE-2009-1973 (Unspecified vulnerability in the Virtual Private Database component in Oracle Database 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality and integrity, related to VPD policies.)
 CVE-2009-1970 (Unspecified vulnerability in the Listener component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect availability via unknown vectors.)
 CVE-2009-1969 (Unspecified vulnerability in the Auditing component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality via unknown vectors.)
 CVE-2009-1968 (Unspecified vulnerability in the Secure Enterprise Search component in Oracle Database 10.1.8.3 allows remote attackers to affect integrity via unknown vectors. NOTE: the previous information was obtained from the July 2009 CPU. Oracle has not commented on claims from an established researcher that this is cross-site scripting (XSS) via the search_p_groups parameter in search/query/search.)
 CVE-2009-1967 (Unspecified vulnerability in the Config Management component in (1) Oracle Database 11.1.0.7 and (2) Oracle Enterprise Manager 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2009-1966 (Unspecified vulnerability in the Config Management component in (1) Oracle Database 11.1.0.7 and (2) Oracle Enterprise Manager 10.2.0.4 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2009-1963 (Unspecified vulnerability in the Network Foundation component in Oracle Database 11.1.0.6 allows remote authenticated users to affect integrity and availability via unknown vectors.)
 CVE-2009-1523 (Directory traversal vulnerability in the HTTP server in Mort Bay Jetty before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote attackers to access arbitrary files via directory traversal sequences in the URI.)
 CVE-2009-1094 (Unspecified vulnerability in the LDAP implementation in Java SE Development Kit (JDK) and Java Runtime Environment (JRE) 5.0 Update 17 and earlier; 6 Update 12 and earlier; SDK and JRE 1.3.1_24 and earlier; and 1.4.2_19 and earlier allows remote LDAP servers to execute arbitrary code via unknown vectors related to serialized data.)
 CVE-2009-1021 (Unspecified vulnerability in the Advanced Replication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2009-1020 (Unspecified vulnerability in the Network Foundation component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2009-1019 (Unspecified vulnerability in the Network Authentication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, and 11.1.0.7 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2009-1015 (Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote authenticated users to affect integrity via unknown vectors.)
 CVE-2009-0987 (Unspecified vulnerability in the Upgrade component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2009-0217 (The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.)
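The HMACOutputLength issue (CVE-2009-0217) is the one entry above whose mechanism is fully described, so here is an added illustration of it. This is example code written for this page, not code from Oracle, BEA or any of the affected libraries. It assumes XMLDsig's hmac-sha1 (160-bit digest), a constructed shared key and message, and models the verifier as an oracle the attacker can query; the minimum-length rule it enforces (at least half the digest length and never under 80 bits) is the remedy the XMLDsig 1.1 errata adopted, applied here as an assumption about what a fixed verifier should do.

```python
import hashlib
import hmac

# Constructed demo values; not taken from any real deployment.
KEY = b"server-side-shared-secret"
GENUINE = b"<SignedInfo>digest-of-legitimate-assertion</SignedInfo>"
FORGED = b"<SignedInfo>digest-of-attacker-controlled-assertion</SignedInfo>"

HASH = hashlib.sha1           # XMLDsig hmac-sha1
HASH_BITS = 160
MIN_HMAC_BITS = 80            # floor applied by the hardened verifier


def truncate_bits(digest: bytes, nbits: int) -> bytes:
    """Keep the leftmost nbits of digest, which is how HMACOutputLength truncates."""
    if nbits <= 0 or nbits > len(digest) * 8:
        raise ValueError("truncation length out of range")
    nbytes = (nbits + 7) // 8
    out = bytearray(digest[:nbytes])
    spare = nbytes * 8 - nbits            # low bits of the last byte to clear
    if spare:
        out[-1] &= (0xFF << spare) & 0xFF
    return bytes(out)


def sign(key: bytes, message: bytes, nbits: int) -> bytes:
    """Signer side: HMAC over the message, truncated to nbits."""
    return truncate_bits(hmac.new(key, message, HASH).digest(), nbits)


def verify_vulnerable(key: bytes, message: bytes, tag: bytes, output_length: int) -> bool:
    # Trusts whatever HMACOutputLength the document carries: with output_length=1
    # the attacker needs at most two guesses to get a tag that verifies.
    return hmac.compare_digest(sign(key, message, output_length), tag)


def verify_hardened(key: bytes, message: bytes, tag: bytes, output_length: int) -> bool:
    # Reject any truncation below max(half the digest, 80 bits) as an invalid
    # signature before doing any HMAC work; do not tell the caller why.
    if output_length < max(MIN_HMAC_BITS, HASH_BITS // 2):
        return False
    if len(tag) != (output_length + 7) // 8:
        return False
    return hmac.compare_digest(sign(key, message, output_length), tag)


def forge(oracle, message: bytes, output_length: int):
    """Attacker side: no key. Enumerate every possible truncated tag and ask the
    verifier (oracle) to accept it. Returns (attempts, tag) or None."""
    nbytes = (output_length + 7) // 8
    shift = nbytes * 8 - output_length
    for candidate in range(2 ** output_length):
        tag = (candidate << shift).to_bytes(nbytes, "big")
        if oracle(message, tag, output_length):
            return candidate + 1, tag
    return None


def oracle_vulnerable(message: bytes, tag: bytes, output_length: int) -> bool:
    return verify_vulnerable(KEY, message, tag, output_length)


def oracle_hardened(message: bytes, tag: bytes, output_length: int) -> bool:
    return verify_hardened(KEY, message, tag, output_length)


if __name__ == "__main__":
    # Legitimate 160-bit signature passes both verifiers.
    good = sign(KEY, GENUINE, HASH_BITS)
    print("genuine, vulnerable verifier:", verify_vulnerable(KEY, GENUINE, good, HASH_BITS))
    print("genuine, hardened verifier:  ", verify_hardened(KEY, GENUINE, good, HASH_BITS))
    # Attacker sets HMACOutputLength=1 on a message the key holder never signed.
    print("forge vs vulnerable:", forge(oracle_vulnerable, FORGED, 1))
    print("forge vs hardened:  ", forge(oracle_hardened, FORGED, 1))
```

Run it and the vulnerable verifier accepts a forged message after at most two tries, while the hardened one never accepts a 1-bit tag and still accepts a full-length genuine signature. The length check must come before the comparison, and the rejection must look like any other bad signature, so the attacker learns nothing from the failure mode.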
Original text: Ofer Maor, Hacktics Advisory Feb09: XSS in Oracle E-Business Suite (16.02.2010)
 SHATTER, Team SHATTER Security Advisory: Buffer Overflow in Resource Manager of Oracle Database - Plan name parameter (28.08.2009)
 David Litchfield, Oracle 11g (11.1.0.6) Password Policy and Compliance (26.08.2009)
 David Litchfield, Bypassing DBMS_ASSERT in certain situations (26.08.2009)
 David Litchfield, Oracle PL/SQL Injection Flaw in REPCAT_RPC.VALIDATE_REMOTE_RC (26.08.2009)
 ZDI, ZDI-09-058: Oracle Secure Backup Administration Server Authentication Bypass Vulnerability (19.08.2009)
 ZDI, ZDI-09-059: Oracle Secure Backup Administration Server Multiple Command Injection Vulnerabilities (19.08.2009)
 SHATTER, Team SHATTER Security Advisory: Multiple SQL Injection vulnerabilities in Oracle Enterprise Manager (04.08.2009)
 Dennis Yurichev, Oracle CPUjul2009 (26.07.2009)
 DSecRG, [DSECRG-09-031] Oracle BEA Weblogic 10.3 Linked XSS vulnerability (16.07.2009)
 DSecRG, [DSECRG-09-025] Oracle Secure Enterprise Search 10.1.8 Linked XSS vulnerability (16.07.2009)
 ORACLE, Oracle Critical Patch Update Advisory - July 2009 (16.07.2009)

© SecurityVulns, 3APA3A, Vladimir Dubrovin, Nizhny Novgorod