J-Security Center

Title: Oracle October 2007 Critical Patch Update Multiple Vulnerabilities

Severity: CRITICAL

Description:

Oracle has released its October Critical Patch Update, which addresses 51 vulnerabilities affecting Oracle Database, Oracle Application Server, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise, and JD Edwards EnterpriseOne.

Oracle Application Server is vulnerable to the following 11 issues:

AS01 - This issue affects the Oracle Process Mgmt & Notification component and requires ONS access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server. (CVE-2007-5516)

AS02 - This issue affects the Oracle Portal component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5517)

AS03 - This issue affects the Oracle HTTP Server component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5518)

AS04 - This issue affects the Oracle Portal component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5519)

AS05 - This issue affects the Oracle Internet Directory component and requires LDAP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5520)

AS06 - This issue affects the Oracle Containers for J2EE component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server. (CVE-2007-5521)

AS07 - This issue affects the Oracle Portal component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5522)

AS08 - This issue affects the Oracle Internet Directory component and requires LDAP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5523)

AS09 - This issue affects the Oracle Single Sign-On component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server. (CVE-2007-5524)

AS10 - This issue affects the Oracle Single Sign-On component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server. (CVE-2007-5525)

AS11 - This issue affects the Oracle Portal component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5526)

Oracle Database Server is vulnerable to the following 27 issues:

DB01 - This issue affects the Import component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server. (CVE-2007-5504)

DB02 - This issue affects the Export component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5505)

DB03 - This issue affects the Oracle Text component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5508)

DB04 - This issue affects the Oracle Text component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5505)

DB05 - This issue affects the Oracle Text component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5505)

DB06 - This issue affects the Spatial component and requires SQL*NET access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5509)

DB07 - This issue affects the Spatial component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5505)

DB08 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB09 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB10 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB11 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB12 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB13 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB14 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB15 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB16 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB17 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB18 - This issue affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5510)

DB19 - This issue affects the Advanced Security Option component and requires TCP access. No authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5505)

DB20 - This issue affects the Core RDBMS component and requires Network access. No authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5506)

DB21 - This issue affects the Oracle Database Vault component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5512)

DB22 - This issue affects the Oracle Net Services component and requires GIOP access. No authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5507)

DB23 - This issue affects the XML DB component and requires FTP access. No authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server. (CVE-2007-5513) UPDATE (October 17, 2007): This issue is now being tracked by BID 26107.

DB24 - This issue affects the Oracle Database Vault component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server. (CVE-2007-5514)

DB25 - This issue affects the Advanced Queuing component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5504) UPDATE (October 29, 2007): This issue is now being tracked by BID 26235.

DB26 - This issue affects the SQL Execution component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5514)

DB27 - This issue affects the Spatial component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5515)

UPDATE (October 29, 2007): A vulnerability correlating with one of the issues listed above is now being tracked by BID 26243.

Oracle E-Business Suite and Applications are vulnerable to the following eight issues:

APP01 - This issue affects the Oracle Application Object Library component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server. This vulnerability occurs in an old-style PHP webpage. (CVE-2007-5527)

APP02 - This issue affects the Oracle Contracts Integration component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. This issue stems from an SQL-injection issue affecting an unspecified parameter.

APP03 - This issue affects the Oracle Public Sector Human Resources component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. This issue stems from an unspecified security issue when protecting HR data. (CVE-2007-5528)

APP04 - This issue affects the Oracle Applications Manager component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. The issue stems from a denial-of-service condition affecting the OAM login. The vulnerability may allow an attacker to crash the affected application, denying service to legitimate users. (CVE-2007-5527)

APP05 - This issue affects the Oracle Marketing component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. This issue stems from an information-disclosure vulnerability. Specifically, the application reveals sensitive information such as user-authentication credentials. (CVE-2007-5527)

APP06 - This issue affects the Oracle Quoting component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5528)

APP07 - This issue affects the Oracle Exchange component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5527)

APP08 - This issue affects the Oracle Self-Service Web Applications component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the affected server. The vulnerability stems from a client-side URL-encoding issue. (CVE-2007-5529)

Oracle Enterprise Manager is vulnerable to the following two issues:

EM01 - This issue affects the Database Control component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5530)

EM02 - This issue affects the Oracle Help for Web component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server. (CVE-2007-5531)

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne are vulnerable to the following three issues:

PSE01 - This issue affects the People Tools component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5532)

PSE02 - This issue affects the People Tools component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server. (CVE-2007-5533)

PSE_HCM01 - This issue affects the HCM component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. (CVE-2007-5534)

This BID describes 51 vulnerabilities in total.
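The entries above follow one fixed sentence pattern (component, access path, authentication requirement, impact, CVE), which makes them straightforward to turn into a ranked patch-triage list. The following Python is an added example and not part of the advisory; its sample input is copied from five of the entries above, and the scoring rule (unauthenticated issues first, then by the number of CIA properties affected) is an assumption chosen for illustration.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sample input: five entries copied verbatim from the advisory text above.
ADVISORY_ENTRIES = """\
AS01 - This issue affects the Oracle Process Mgmt & Notification component and requires ONS access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server. (CVE-2007-5516)
AS05 - This issue affects the Oracle Internet Directory component and requires LDAP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. (CVE-2007-5520)
DB20 - This issue affects the Core RDBMS component and requires Network access. No authentication is required to exploit this issue. Successful attacks may compromise the availability of the server. (CVE-2007-5506)
APP02 - This issue affects the Oracle Contracts Integration component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. This issue stems from an SQL-injection issue affecting an unspecified parameter.
APP08 - This issue affects the Oracle Self-Service Web Applications component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the affected server. The vulnerability stems from a client-side URL-encoding issue. (CVE-2007-5529)
"""

HEAD = re.compile(r"^(?P<id>\w+) - This issue affects the (?P<component>.+?) component "
                  r"and requires (?P<access>.+?) access\.")
IMPACT = re.compile(r"may compromise the (.+?)(?: of the)? server\.")
CVE = re.compile(r"\((CVE-\d{4}-\d+)\)")

@dataclass(frozen=True)
class Issue:
    id: str
    component: str
    access: str
    unauthenticated: bool
    impact: frozenset        # subset of {"C", "I", "A"}
    cve: Optional[str]       # None when the advisory lists no CVE (e.g. APP02)

    def score(self) -> int:
        # Assumed triage rule: unauthenticated issues outrank authenticated ones,
        # and within a group more CIA properties affected means higher priority.
        return (10 if self.unauthenticated else 0) + len(self.impact)

def parse_issue(line: str) -> Issue:
    m = HEAD.match(line)
    if not m:
        raise ValueError(f"unrecognised entry: {line[:40]!r}")
    unauth = "No authentication is required" in line
    clause = IMPACT.search(line).group(1)
    impact = {k for k, w in (("C", "confidentiality"), ("I", "integrity"),
                             ("A", "availability")) if w in clause}
    if not impact:           # "may compromise the affected server" names no property
        impact = {"C", "I", "A"}   # treat unspecified impact as full compromise
    cve = CVE.search(line)
    return Issue(m["id"], m["component"], m["access"], unauth,
                 frozenset(impact), cve.group(1) if cve else None)

def triage(text: str) -> list:
    """Parse every entry and order by descending score, then by id for ties."""
    issues = [parse_issue(l) for l in text.splitlines() if l.strip()]
    return sorted(issues, key=lambda i: (-i.score(), i.id))
```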

Affected Products:

  • HP Oracle for OpenView 8.1.7
  • HP Oracle for OpenView 9.1.01
  • HP Oracle for OpenView 9.2
  • HP Oracle for OpenView for Linux LTU
  • HP Oracle for OpenView for Linux LTU Service Bureaus
  • Oracle Collaboration Suite 10g 10.1.2
  • Oracle E-Business Suite 11i 11.5.10
  • Oracle E-Business Suite 11i 11.5.10 CU2
  • Oracle E-Business Suite 11i 11.5.8
  • Oracle E-Business Suite 11i 11.5.9
  • Oracle E-Business Suite 12 12.0.0
  • Oracle E-Business Suite 12 12.0.1
  • Oracle E-Business Suite 12 12.0.2
  • Oracle E-Business Suite 12 12.0.3
  • Oracle Enterprise Manager Database Control 10g 10.1.0.5
  • Oracle Enterprise Manager Database Control 10g 10.2.0.2
  • Oracle Enterprise Manager Database Control 10g 10.2.0.3
  • Oracle Enterprise Manager Grid Control 10g 10.1.0.5
  • Oracle Enterprise Manager Grid Control 10g 10.1.0.6
  • Oracle Oracle10g Application Server 10.1.2.0.1
  • Oracle Oracle10g Application Server 10.1.2.0.2
  • Oracle Oracle10g Application Server 10.1.2.1.0
  • Oracle Oracle10g Application Server 10.1.2.2.0
  • Oracle Oracle10g Application Server 10.1.3.0.0
  • Oracle Oracle10g Application Server 10.1.3.1.0
  • Oracle Oracle10g Application Server 10.1.3.2.0
  • Oracle Oracle10g Application Server 10.1.3.3.0
  • Oracle Oracle10g Application Server 9.0.4.3
  • Oracle Oracle10g Enterprise Edition 10.1.0.5
  • Oracle Oracle10g Enterprise Edition 10.2.0.2
  • Oracle Oracle10g Enterprise Edition 10.2.0.3
  • Oracle Oracle10g Personal Edition 10.1.0.5
  • Oracle Oracle10g Personal Edition 10.2.0.2
  • Oracle Oracle10g Personal Edition 10.2.0.3
  • Oracle Oracle10g Standard Edition 10.1.0.5
  • Oracle Oracle10g Standard Edition 10.2.0.2
  • Oracle Oracle10g Standard Edition 10.2.0.3
  • Oracle Oracle9i Enterprise Edition 9.2.0.8
  • Oracle Oracle9i Enterprise Edition 9.2.0.8DV
  • Oracle Oracle9i Personal Edition 9.2.0.8
  • Oracle Oracle9i Personal Edition 9.2.0.8DV
  • Oracle Oracle9i Standard Edition 9.2.0.8DV
  • Oracle Oracle9i Standard Edition 9.2.0.8
  • Oracle PeopleSoft Enterprise Human Capital Management 8.9
  • Oracle PeopleSoft Enterprise Human Capital Management 9.0
  • Oracle PeopleSoft Enterprise PeopleTools 8.22
  • Oracle PeopleSoft Enterprise PeopleTools 8.47
  • Oracle PeopleSoft Enterprise PeopleTools 8.48
  • Oracle PeopleSoft Enterprise PeopleTools 8.49
