J-Security Center

Title: Oracle Multiple Vulnerabilities

Severity: CRITICAL

Description:

Oracle Database Server, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business and Applications, Oracle Enterprise Manager Grid Control, and Oracle PeopleSoft Applications are reported prone to multiple vulnerabilities.

Oracle has released a Critical Patch Update to address these issues in various supported applications and platforms. Other non-supported versions may be affected, but Symantec has not confirmed this.

The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. While various levels of authorization are required to leverage some issues, others do not require any authorization.

Oracle has released risk matrices for all of the vulnerabilities, providing some information about the affected components. The vulnerabilities are classified as follows:

- DB: Oracle Database releases.
- AS: Oracle Application Server releases.
- OCS: Oracle Collaboration Suite releases.
- APPS: Oracle E-Business Suite releases.
- EM: Oracle Enterprise Manager Grid Control releases.
- PS: Oracle PeopleSoft Applications releases.

Some vulnerabilities fall under more than one category; such issues are listed with both identifiers (for example, DB06/AS16).

The following is a complete list of all of the vulnerabilities that have been addressed:

Database Server/Application Server Vulnerabilities

DB01 - This issue affects the Change Data Capture component and requires SQL (Oracle Net) access. Database (execute on DBMS_CDC_IPUBLISH) authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB02 - This issue affects the Change Data Capture component and requires SQL (Oracle Net) access. Database (execute on DBMS_CDC_{I}SUBSCRIBE) authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB03 - This issue affects the Data Pump component and requires SQL (Oracle Net) access. Database (execute on dbms_metadata) authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB04 - This issue affects the Intermedia component and requires SQL (Oracle Net) access. Database (execute on ordsys) authorization is required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB05 - This issue affects the Authentication component and requires SQL (Oracle Net) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality, availability and integrity of a vulnerable server.

DB06/AS16 - This issue affects the Database SSL Library component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB07 - This issue affects the Internet Directory component and requires Network (LDAP) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality of a vulnerable server.

DB08 - This issue affects the Spatial component and requires SQL (Oracle Net) access. Database (execute on mdsys.prvt_idx) authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB09 - This issue affects the XML Database component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality, availability and integrity of a vulnerable server.

DB10 - This issue affects the XDK component and requires SQL (Oracle Net) access. Database (execute on SYS_DBURIGEN) authorization is required for exploitation. A successful attack can compromise the confidentiality, availability and integrity of a vulnerable server.

DB11 - This issue affects the HTML DB component and requires Local access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality of a vulnerable server.

DB12/AS03 - This issue affects the Oracle HTTP Server component and requires Local / Network (HTTP) access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB13/AS04 - This issue affects the Oracle HTTP Server component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB14/AS05 - This issue affects the Oracle HTTP Server component and requires Local access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB15/AS06 - This issue affects the Oracle HTTP Server component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB16/AS07 - This issue affects the Oracle HTTP Server component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB17/AS08 - This issue affects the Oracle HTTP Server component and requires Local access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality, availability and integrity of a vulnerable server.

DB18/AS09 - This issue affects the Oracle HTTP Server component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB19/AS11 - This issue affects the Oracle HTTP Server (SSL) component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB20/AS12 - This issue affects the Oracle HTTP Server (SSL) component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.

DB21/AS13 - This issue affects the Oracle HTTP Server (SSL) component and requires Local access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.

DB22/AS14 - This issue affects the Oracle HTTP Server (SSL) component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality, integrity, and availability of a vulnerable server.

DB23/AS15 - This issue affects the Oracle HTTP Server (SSL) component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality of a vulnerable server.

DB24/AS17 - This issue affects the Oracle HTTP Server (SSL) component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality of a vulnerable server.

AS01/APPS05 - This issue affects the Oracle Forms component and requires Network (HTTP) access. Authenticated user access is required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

AS02 - This issue affects the mod_jserv component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality and integrity of an affected server.

AS10 - This issue affects the Oracle Help component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of an affected server.

AS18 - This issue affects the Wireless component and requires Network (MobileXML or XHTML) access. Authorization is not required for exploitation. A successful attack can compromise availability of an affected server.

Oracle Collaboration Suite Vulnerabilities

OCS01 - This issue affects the Email server component and requires Network (HTTP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality of the affected server.

OCS02 - This issue affects the Email server component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise integrity of the affected server.

OCS03 - This issue affects the Email server component and requires Network (LDAP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality and integrity of the affected server.

OCS04 - This issue affects the Email server component and requires Network (SMTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected server.

OCS05 - This issue affects the Email server component and requires Network (SMTP) access. Authorization is not required for exploitation. A successful attack can compromise availability of the affected server.

OCS06 - This issue affects the Email server component and requires Network (NNTP) access. Authorization is not required for exploitation. A successful attack can compromise availability of the affected server.

OCS07 - This issue affects the Email server component and requires Network (SMTP) access. Authorization is not required for exploitation. A successful attack can compromise availability of the affected server.

OCS08 - This issue affects the Email server component and requires Network (HTTP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise integrity of the affected server.

OCS09 - This issue affects the Email server component and requires Network (SMTP) access. Authorization is not required for exploitation. A successful attack can compromise availability, integrity, and confidentiality of the affected server.

OCS10 - This issue affects the Calendar component and requires Network (HTTP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS11 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS12 - This issue affects the Calendar component and requires local access to the client computer. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the software.

OCS13 - This issue affects the Calendar component and requires local access to the client computer. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the software.

OCS14 - This issue affects the Calendar component and requires network access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the software.

OCS15 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS16 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS17 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS18 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS19 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS20 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS21 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS22 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise availability of the affected software.

OCS23 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS24 - This issue affects the Calendar component and requires Network (CALENDAR) access. Authorization is not required for exploitation. A successful attack can compromise availability of the affected software.

OCS25 - This issue affects the Calendar component and requires Network (HTTP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

OCS26 - This issue affects the Wireless component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS27 - This issue affects the Wireless component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS28 - This issue affects the Conferencing component and requires local access to the client computer. Authorization is not required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

OCS29 - This issue affects the Conferencing component and requires Network (HTTP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS30 - This issue affects the Conferencing component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

OCS31 - This issue affects the Conferencing component and requires Network (HTTP) access. Authenticated OCS user access is required for exploitation. A successful attack can compromise integrity of the affected software.

OCS32 - This issue affects the Conferencing component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise integrity of the affected software.

OCS33 - This issue affects the Conferencing component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

OCS34 - This issue affects the Conferencing component and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality, integrity, and availability of the affected software.

Oracle E-Business Suite Vulnerabilities

APPS01 - This issue affects Oracle E-Business Suite and requires Network (HTTP) access. Authenticated user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

APPS02 - This issue affects Oracle E-Business Suite and requires Network (HTTP) access. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the affected software.

APPS03 - This issue affects Oracle E-Business Suite and requires Network (HTTP) access. Authenticated user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.

APPS04 - This issue affects Oracle E-Business Suite and requires Network (HTTP) access. Authenticated user access is required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

Oracle Enterprise Manager Grid Control Vulnerability

EM01 - This issue affects the Oracle Management Agent component and requires Network access. Authorization is not required for exploitation. A successful attack can compromise availability of the affected software.

Oracle PeopleSoft Applications Vulnerabilities

PS01 - This issue affects the Role Chooser component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

PS02 - This issue affects the Row Security component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

PS03 - This issue affects the Row Security component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

PS04 - This issue affects the Row Security component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

PS05 - This issue affects the Row Security component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

PS06 - This issue affects the Row Security component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

PS07 - This issue affects the Row Security component and requires Network access. Valid EnterpriseOne login credentials are required for exploitation. A successful attack can compromise confidentiality and integrity of the affected software.

This BID will be updated and divided into separate BIDs when more information is available.
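Every entry above follows the same risk-matrix phrasing (identifiers, component, access vector, authorization sentence, impact clause), which makes the list machine-readable for patch triage. The following Python is an added example, not part of the Symantec or Juniper advisory: it parses lines written in that phrasing into structured records, derives the matrix categories an issue belongs to (an entry such as DB06/AS16 falls under both DB and AS), and ranks entries so that unauthenticated, remotely reachable issues affecting all three security properties surface first. The scoring weights are this example's own assumption, not a vendor rating; the sample lines are copied verbatim from the entries above.

```python
import re
from dataclasses import dataclass

# Regular expression for the risk-matrix phrasing used throughout the advisory:
# ids, component, access vector, authorization sentence, impact clause.
ENTRY_RE = re.compile(
    r"^(?P<ids>[A-Z]+\d+(?:/[A-Z]+\d+)*) - This issue affects (?:the )?"
    r"(?P<component>.+?)(?: component)? and requires (?P<access>.+?) access"
    r"(?: to the client computer)?\.\s+(?P<auth>[^.]+)\.\s+"
    r"A successful attack can compromise (?:the )?(?P<impact>.+?) of"
)

IMPACT_PROPERTIES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class Entry:
    ids: tuple          # e.g. ("DB06", "AS16") when one issue spans two matrices
    component: str
    access: str         # access text as written, e.g. "Network (HTTPS)"
    vector: str         # normalised: "network", "sql" or "local"
    auth_required: bool
    impacts: frozenset  # subset of IMPACT_PROPERTIES


def normalise_vector(access: str) -> str:
    """Collapse the advisory's access wording into three coarse vectors."""
    a = access.lower()
    if "network" in a:
        return "network"   # "Local / Network (HTTP)" counts as remotely reachable
    if "sql" in a:
        return "sql"       # Oracle Net listener: needs a database session
    return "local"


def parse_entry(line: str):
    """Return an Entry for one advisory line, or None if the line is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    impacts = frozenset(p for p in IMPACT_PROPERTIES if p in m["impact"].lower())
    return Entry(
        ids=tuple(m["ids"].split("/")),
        component=m["component"],
        access=m["access"],
        vector=normalise_vector(m["access"]),
        auth_required="not required" not in m["auth"].lower(),
        impacts=impacts,
    )


def categories(entry: Entry) -> set:
    """Matrix categories (DB, AS, OCS, ...) an entry belongs to."""
    return {re.match(r"[A-Z]+", i).group(0) for i in entry.ids}


def severity_score(entry: Entry) -> int:
    """Assumed triage weighting (this example's, not Oracle's or Symantec's):
    one point per security property affected, two points if no authorization
    is needed, one point if the issue is reachable without local access."""
    score = len(entry.impacts)
    if not entry.auth_required:
        score += 2
    if entry.vector in ("network", "sql"):
        score += 1
    return score


def triage(lines):
    """Parse advisory lines and return [(ids_label, score)], highest score first."""
    entries = [e for e in map(parse_entry, lines) if e is not None]
    ranked = sorted(entries, key=lambda e: (-severity_score(e), e.ids[0]))
    return [("/".join(e.ids), severity_score(e)) for e in ranked]


# Sample lines copied verbatim from the advisory entries above.
SAMPLE = [
    "DB05 - This issue affects the Authentication component and requires SQL (Oracle Net) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality, availability and integrity of a vulnerable server.",
    "DB06/AS16 - This issue affects the Database SSL Library component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the availability of a vulnerable server.",
    "DB09 - This issue affects the XML Database component and requires Network (HTTPS) access. Authorization is not required for exploitation. A successful attack can compromise the confidentiality, availability and integrity of a vulnerable server.",
    "DB11 - This issue affects the HTML DB component and requires Local access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality of a vulnerable server.",
    "DB12/AS03 - This issue affects the Oracle HTTP Server component and requires Local / Network (HTTP) access. OS authorization is required for exploitation. A successful attack can compromise the confidentiality and integrity of a vulnerable server.",
    "OCS12 - This issue affects the Calendar component and requires local access to the client computer. Authorization is not required for exploitation. A successful attack can compromise confidentiality of the software.",
    "APPS01 - This issue affects Oracle E-Business Suite and requires Network (HTTP) access. Authenticated user access is required for exploitation. A successful attack can compromise confidentiality of the affected software.",
]

if __name__ == "__main__":
    for label, score in triage(SAMPLE):
        print(f"{score}  {label}")
```

Feeding the whole advisory body to `triage` line by line gives a first-pass patch order; the unauthenticated Oracle Net and HTTPS issues that hit all three properties (DB05, DB09) land at the top, while local-only, OS-authenticated issues such as DB11 land at the bottom. Adjust `severity_score` to reflect which listeners are actually exposed in a given environment.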

Affected Products:

  • Oracle Collaboration Suite Release 2 9.0.4.2
  • Oracle Collaboration Suite Release 2 9.0.4.1
  • Oracle E-Business Suite 11.0.0
  • Oracle E-Business Suite 11i 11.5.0
  • Oracle E-Business Suite 11i 11.5.1
  • Oracle E-Business Suite 11i 11.5.10
  • Oracle E-Business Suite 11i 11.5.2
  • Oracle E-Business Suite 11i 11.5.3
  • Oracle E-Business Suite 11i 11.5.4
  • Oracle E-Business Suite 11i 11.5.5
  • Oracle E-Business Suite 11i 11.5.6
  • Oracle E-Business Suite 11i 11.5.7
  • Oracle E-Business Suite 11i 11.5.8
  • Oracle E-Business Suite 11i 11.5.9
  • Oracle Enterprise Manager 9.0.4.0
  • Oracle Enterprise Manager 9.0.4.1
  • Oracle Enterprise Manager Grid Control 10g 10.1.0.3
  • Oracle Enterprise Manager Grid Control 10g 10.1.0.0.2
  • Oracle Oracle10g Application Server 10.1.0.0.3.1
  • Oracle Oracle10g Application Server 10.1.2
  • Oracle Oracle10g Application Server 9.0.4.1
  • Oracle Oracle10g Application Server 9.0.4.0
  • Oracle Oracle10g Enterprise Edition 10.1.0.0.2
  • Oracle Oracle10g Enterprise Edition 10.1.0.0.3
  • Oracle Oracle10g Enterprise Edition 10.1.0.0.3.1
  • Oracle Oracle10g Enterprise Edition 10.1.0.0.4
  • Oracle Oracle10g Personal Edition 10.1.0.0.2
  • Oracle Oracle10g Personal Edition 10.1.0.0.3
  • Oracle Oracle10g Personal Edition 10.1.0.0.3.1
  • Oracle Oracle10g Personal Edition 10.1.0.0.4
  • Oracle Oracle10g Standard Edition 10.1.0.0.2
  • Oracle Oracle10g Standard Edition 10.1.0.0.3
  • Oracle Oracle10g Standard Edition 10.1.0.0.3.1
  • Oracle Oracle10g Standard Edition 10.1.0.0.4
  • Oracle Oracle8i Enterprise Edition 8.1.7.4
  • Oracle Oracle8i Standard Edition 8.1.7.4
  • Oracle Oracle9i Application Server 1.0.2.2
  • Oracle Oracle9i Application Server 9.0.2.3
  • Oracle Oracle9i Application Server 9.0.3.1
  • Oracle Oracle9i Enterprise Edition 9.0.1.4
  • Oracle Oracle9i Enterprise Edition 9.0.1.5
  • Oracle Oracle9i Enterprise Edition 9.0.4
  • Oracle Oracle9i Enterprise Edition 9.2.0.0.5
  • Oracle Oracle9i Enterprise Edition 9.2.0.6
  • Oracle Oracle9i Personal Edition 9.0.1.4
  • Oracle Oracle9i Personal Edition 9.0.1.5
  • Oracle Oracle9i Personal Edition 9.0.4
  • Oracle Oracle9i Personal Edition 9.2.0.0.5
  • Oracle Oracle9i Personal Edition 9.2.0.6
  • Oracle Oracle9i Standard Edition 9.0.1.4
  • Oracle Oracle9i Standard Edition 9.0.1.5
  • Oracle Oracle9i Standard Edition 9.0.4
  • Oracle Oracle9i Standard Edition 9.2.0.0.5
  • Oracle Oracle9i Standard Edition 9.2.0.6
  • PeopleSoft EnterpriseOne Applications 8.9.0 SP2
  • PeopleSoft EnterpriseOne Applications 8.93.0
  • PeopleSoft OneWorld Xe/ERP8 Applications SP22
