Title: Oracle January 2008 Critical Patch Update Multiple Vulnerabilities
Severity: CRITICAL
Description:
Oracle has released its critical patch update for January 2008. The advisory addresses 26 vulnerabilities affecting Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, and Oracle PeopleSoft Enterprise.
Oracle Application Server is vulnerable to the following six issues:
AS01 - This issue affects the Oracle Jinitiator component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
AS02 - This issue affects the Oracle Jinitiator component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
AS03 - This issue affects the Oracle BPEL Worklist Application component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
AS04 - This issue affects the Oracle Forms component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server.
AS05 - This issue affects the Oracle JDeveloper component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server.
AS06 - This issue affects the Oracle Internet Directory component and requires LDAP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server.
Oracle Database Server is vulnerable to the following eight issues:
DB01 - This issue affects the XML DB component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
DB02 - This issue affects the Advanced Queuing component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
DB03 - This issue affects the Advanced Queuing component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
DB04 - This issue affects the Oracle Spatial component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
DB05 - This issue affects the Upgrade/Downgrade component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
DB06 - This issue affects the Oracle Spatial component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the availability of the server.
DB07 - This issue affects the Oracle Spatial component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the availability of the server.
DB08 - This issue affects the Core RDBMS component and requires Oracle Net access. Successful authentication is required to exploit this issue. Successful attacks may compromise the of the server.
Oracle E-Business Suite and Applications are vulnerable to the following seven issues:
APP01 - This issue affects the Mobile Application Server component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
APP02 - This issue affects the Oracle Application Object Library component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. This is a cross-site scripting vulnerability affecting multiple parameters in the 'AppChangePassword.jsp' script.
APP03 - This issue affects the Oracle Applications Framework component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server. This is an information-disclosure vulnerability affecting 'OAInfo.jsp'.
APP04 - This issue affects the Oracle Applications Manager component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server.
APP05 - This issue affects the CRM Technical Foundation component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server. This is a cross-site scripting vulnerability affecting the 'jtflogin.jsp' script.
APP06 - This issue affects the Oracle Application Object Library component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
APP07 - This issue affects the Oracle Applications Technology Stack component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the integrity and availability of the server.
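As an added example, not part of the Juniper advisory or of any Oracle tooling, the script below shows one way a defender can spot requests to the three E-Business Suite scripts named above (APP02, APP03, APP05) in Apache-style access logs: every hit on 'OAInfo.jsp' is flagged, and a request to 'AppChangePassword.jsp' or 'jtflogin.jsp' is flagged when a query parameter still contains script-like markup after URL-decoding (including double-encoded values). The '/OA_HTML/' path prefix, the parameter names and the log lines are constructed sample data, since the advisory names neither the vulnerable parameters nor the deployment path.

```python
"""Flag access-log requests to the Oracle E-Business Suite scripts named in
the January 2008 CPU entries APP02, APP03 and APP05 (added example)."""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Script names come from the advisory; everything else here is constructed.
XSS_SCRIPTS = {"AppChangePassword.jsp": "APP02", "jtflogin.jsp": "APP05"}
INFO_SCRIPTS = {"OAInfo.jsp": "APP03"}

# Common Log Format: host ident user [time] "METHOD target HTTP/x" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) \S+" (\d{3}) \S+')

# Coarse markers for HTML/script injection attempts in a decoded value.
SCRIPT_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|iframe|svg)\b|javascript:|\bon\w+\s*=", re.I)


def parse_line(line):
    """Split one CLF line into its fields; return None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, target, status = m.groups()
    parts = urlsplit(target)
    return {"src": src, "time": ts, "method": method,
            "path": parts.path, "query": parts.query, "status": int(status)}


def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253C -> %3C -> <)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(req):
    """Return a finding string for a request that touches a named script."""
    script = req["path"].rsplit("/", 1)[-1]
    if script in INFO_SCRIPTS:
        return f"{INFO_SCRIPTS[script]}: request to information-disclosure script {script}"
    if script in XSS_SCRIPTS:
        # parse_qsl decodes once; decode_fully catches double encoding.
        for name, value in parse_qsl(req["query"], keep_blank_values=True):
            if SCRIPT_MARKERS.search(decode_fully(value)):
                return (f"{XSS_SCRIPTS[script]}: script-like content in "
                        f"parameter '{name}' of {script}")
    return None


def scan(lines):
    """Return (source, path, reason) tuples for every flagged request."""
    findings = []
    for line in lines:
        req = parse_line(line)
        if req is None:
            continue
        reason = classify(req)
        if reason:
            findings.append((req["src"], req["path"], reason))
    return findings


# Constructed sample log lines (hosts, paths and parameters are made up).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Jan/2008:10:01:02 +0000] "GET /OA_HTML/AppChangePassword.jsp?username=jdoe HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Jan/2008:10:01:09 +0000] "GET /OA_HTML/AppChangePassword.jsp?username=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 5120',
    '10.0.0.9 - - [16/Jan/2008:10:01:15 +0000] "GET /OA_HTML/OAInfo.jsp HTTP/1.1" 200 2048',
    '10.0.0.12 - - [16/Jan/2008:10:02:00 +0000] "GET /OA_HTML/jtflogin.jsp?redirectUrl=%253Cimg%20src%3Dx%20onerror%3Dalert(1)%3E HTTP/1.1" 200 3000',
    '10.0.0.7 - - [16/Jan/2008:10:02:30 +0000] "GET /OA_HTML/AppsLogin HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for src, path, reason in scan(SAMPLE_LOG):
        print(f"{src} {path} -> {reason}")
```

The benign password-change request and the unrelated AppsLogin hit produce no finding; the three flagged lines map to APP02, APP03 and APP05 respectively. The markers are deliberately coarse and will produce some false positives on legitimate HTML-bearing input, which is the usual trade-off for a log-based detection until the patch is applied.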
Oracle Collaboration Suite is vulnerable to the following issue:
OCS01 - This issue affects the Oracle Ultra Search component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality and integrity of the server.
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne are vulnerable to the following four issues:
PSE01 - This issue affects the PeopleTools component and requires HTTP access. No authentication is required to exploit this issue. Successful attacks may compromise the integrity and availability of the server.
PSE02 - This issue affects the PeopleTools component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server.
PSE03 - This issue affects the PeopleTools component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the integrity of the server.
PSE04 - This issue affects the PeopleTools component and requires HTTP access. Successful authentication is required to exploit this issue. Successful attacks may compromise the confidentiality of the server.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly compromise affected computers.
Affected Products:
- Oracle Collaboration Suite 10g 10.1.2
- Oracle E-Business Suite 11i 11.5.10
- Oracle E-Business Suite 11i 11.5.10 CU2
- Oracle E-Business Suite 11i 11.5.8
- Oracle E-Business Suite 11i 11.5.9
- Oracle E-Business Suite 12 12.0.0
- Oracle E-Business Suite 12 12.0.1
- Oracle E-Business Suite 12 12.0.2
- Oracle E-Business Suite 12 12.0.3
- Oracle Enterprise Manager Database Control 10g 10.1.0.5
- Oracle Enterprise Manager Database Control 10g 10.2.0.2
- Oracle Enterprise Manager Database Control 10g 10.2.0.3
- Oracle Enterprise Manager Grid Control 10g 10.1.0.5
- Oracle Enterprise Manager Grid Control 10g 10.1.0.6
- Oracle Oracle10g Application Server 10.1.2.0.1
- Oracle Oracle10g Application Server 10.1.2.0.2
- Oracle Oracle10g Application Server 10.1.2.1.0
- Oracle Oracle10g Application Server 10.1.2.2.0
- Oracle Oracle10g Application Server 10.1.3.0.0
- Oracle Oracle10g Application Server 10.1.3.1.0
- Oracle Oracle10g Application Server 10.1.3.2.0
- Oracle Oracle10g Application Server 10.1.3.3.0
- Oracle Oracle10g Application Server 9.0.4.3
- Oracle Oracle10g Enterprise Edition 10.1.0.5
- Oracle Oracle10g Enterprise Edition 10.2.0.2
- Oracle Oracle10g Enterprise Edition 10.2.0.3
- Oracle Oracle10g Personal Edition 10.1.0.5
- Oracle Oracle10g Personal Edition 10.2.0.2
- Oracle Oracle10g Personal Edition 10.2.0.3
- Oracle Oracle10g Standard Edition 10.1.0.5
- Oracle Oracle10g Standard Edition 10.2.0.2
- Oracle Oracle10g Standard Edition 10.2.0.3
- Oracle Oracle11g Enterprise Edition 11.1.0.6
- Oracle Oracle11g Standard Edition 11.1.0.6
- Oracle Oracle11g Standard Edition One 11.1.0.6
- Oracle Oracle9i Enterprise Edition 9.2.0.8
- Oracle Oracle9i Enterprise Edition 9.2.0.8DV
- Oracle Oracle9i Personal Edition 9.2.0.8
- Oracle Oracle9i Personal Edition 9.2.0.8DV
- Oracle Oracle9i Standard Edition 9.2.0.8DV
- Oracle Oracle9i Standard Edition 9.2.0.8
- Oracle PeopleSoft Enterprise PeopleTools 8.22
- Oracle PeopleSoft Enterprise PeopleTools 8.47
- Oracle PeopleSoft Enterprise PeopleTools 8.48
- Oracle PeopleSoft Enterprise PeopleTools 8.49
References:
- Integrigy: Oracle Critical Patch Update - January 2008 Oracle E-Business Suite 11i Impact
- Oracle: Oracle Critical Patch Update Advisory - January 2008
- Oracle: Oracle Homepage
- PeteFinnigan.com: PeteFinnigan.com Limited Oracle Security Advisory - Jan 2008 Critical Patch Upda
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.