Title: Oracle January 2009 Critical Patch Update Multiple Vulnerabilities
Severity: CRITICAL
Description:
Oracle has released the January 2009 critical patch update addressing 41 vulnerabilities affecting the following software:
Oracle Database
Oracle Secure Backup
Oracle TimesTen In-Memory Database
Oracle Application Server
Oracle Collaboration Suite
Oracle E-Business Suite Release
Oracle Enterprise Manager Grid Control
PeopleSoft Enterprise HRMS
JD Edwards Tools
Oracle WebLogic Server (formerly BEA WebLogic Server)
Oracle WebLogic Portal (formerly BEA WebLogic Portal)
Oracle has listed the following vulnerabilities (NOTE: some issues may be listed in multiple categories):
1. Application Server is vulnerable to the following four issues:
CVE-2008-2623 - This issue affects the Oracle JDeveloper component and requires local access. No authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-4014 - This issue affects the Oracle BPEL Process Manager component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-4017 - This issue affects the OC4J component and requires LDAP access. No authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-5438 - This issue affects the Oracle Portal component and requires HTTP access. No authentication is required. Successful attacks may compromise the integrity of the server.
2. Oracle E-Business Suite is vulnerable to the following four issues:
CVE-2008-5446 - This issue affects the Oracle Applications Framework component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server and allow unauthorized access to the OA Framework 'About this page' diagnostics, which can reveal sensitive information (e.g. the instance of the running page and environment, configuration of Java virtual machines, system profile-specific information, or latest patches applied to the system).
CVE-2008-5450 - This issue affects the Oracle Applications Platform Engineering component and requires local access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server. Specifically, the concurrent manager service may display the 'APPS' password to unauthorized users.
CVE-2008-5454 - This issue affects the iProcurement component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server. The problem occurs in the shopping and search results webpages.
CVE-2008-5458 - This issue affects the Oracle Application Object Library component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server. Specifically, authentication issues in the 'Self-Service' personal home pages can allow users to access, delete, and modify other users' custom pages.
3. BEA Products Suite is vulnerable to the following five issues:
CVE-2008-5457 - This issue affects the WebLogic Server Plugins for Apache, Sun, and IIS webservers component and requires HTTP access. Specifically, the vulnerability stems from a boundary-condition error when processing specially crafted HTTP requests. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
CVE-2008-5459 - This issue affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-5460 - This issue affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-5461 - This issue affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
CVE-2008-5462 - This issue affects the WebLogic Portal component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
4. Oracle Database is vulnerable to the following 10 issues:
CVE-2008-3973 - This issue affects the SQL*Plus Windows GUI component and requires local access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-3974 - A buffer-overflow vulnerability affects the 'ODCITABLESTART' procedure of the 'SYS.OLAPIMPL_T' package. An authenticated attacker with Oracle Net access can exploit this issue. Successful attacks may compromise the availability of the server. NOTE: The vendor considers this issue a denial of service, but the discoverer reports that arbitrary code execution is possible.
CVE-2008-3978 - This issue affects the Oracle Spatial component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-3979 - An SQL-injection issue affects the 'MDSYS.SDO_TOPO_DROP_FTBL' trigger in the Oracle Spatial Application. Specifically, the application fails to properly validate the table name string before using it in an SQL query. The attacker requires 'CREATE SESSION' privileges. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-3997 - A local privilege-escalation vulnerability occurs in 'Summary Advisor' of the Oracle OLAP component. Authenticated attackers can overwrite or create arbitrary files. The attacker requires Oracle Net access and must first create a session to execute the privileged procedure. Successful attacks may compromise the availability of the server.
CVE-2008-3999 - This issue affects the Oracle OLAP component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the availability of the server.
CVE-2008-4015 - This issue affects the Oracle Streams component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-5436 - This issue affects the Oracle OLAP component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the integrity and availability of the server.
CVE-2008-5437 - This issue affects the Job Queue component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-5439 - This issue affects the SQL*Plus Windows GUI component and requires local access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.
5. Oracle Enterprise Manager is vulnerable to the following issue:
CVE-2008-5447 - An SQL-injection vulnerability affects the 'TARGET' parameter of the '/em/console/reports/admin' page of the Oracle Enterprise Manager component. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
6. Oracle Collaboration Suite is vulnerable to the following issue:
CVE-2008-4016 - This issue affects the Collaborative Workspaces component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.
7. Oracle Secure Backup is vulnerable to the following nine issues:
CVE-2008-3981 - This issue affects the Oracle Secure Backup component and requires TCP access. No authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-4006 - A command-injection vulnerability resides in the 'php/login.php' script of the Oracle Secure Backup Administration server. Attackers can leverage this issue by making a login request with specially crafted cookie credentials to execute arbitrary code on the server. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
CVE-2008-5441 - A denial-of-service vulnerability affects the Oracle Secure Backup component and requires NDMP access. No authentication is required. Successful attacks may compromise the availability of the server. The problem occurs when handling a malformed NDMP 'connect open (NDMP_CONNECT_OPEN command)' packet.
CVE-2008-5442 - A denial-of-service vulnerability affects the Oracle Secure Backup component and requires NDMP access. No authentication is required. Successful attacks may compromise the availability of the server. The problem occurs when handling a malformed NDMP 'connect close (NDMP_CONNECT_CLOSE command)' packet.
CVE-2008-5443 - A denial-of-service vulnerability affects the Oracle Secure Backup component and requires NDMP access. No authentication is required. Successful attacks may compromise the availability of the server. The problem occurs when handling a malformed NDMP 'mover get state (NDMP_MOVER_GET_STATE command)' packet.
CVE-2008-5444 - A buffer-overflow vulnerability affects the Oracle Secure Backup component and requires NDMP access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server. The problem occurs when handling a malformed NDMP 'client authentication (NDMP_CONNECT_CLIENT_AUTH command)' packet.
CVE-2008-5445 - A denial-of-service vulnerability affects the Oracle Secure Backup component and requires NDMP access. No authentication is required. Successful attacks may compromise the availability of the server. The problem occurs in the 'observiced.exe' component when handling malformed packets.
CVE-2008-5448 - A command-injection vulnerability resides in the 'php/common.php' script of the Oracle Secure Backup Administration server. Attackers can leverage this issue by providing arbitrary shell commands to an unspecified parameter during the login procedure. Successful attacks may compromise the confidentiality, integrity, and availability of the server; arbitrary commands may run in the context of the webserver process.
CVE-2008-5449 - A command-injection vulnerability resides in the 'common.php' script of the Oracle Secure Backup Administration server. Attackers can leverage this issue by providing arbitrary shell commands to an unspecified parameter during the login procedure. Successful attacks may compromise the confidentiality, integrity, and availability of the server; arbitrary commands may run in the context of the webserver process.
8. Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne are vulnerable to the following six issues:
CVE-2008-4007 - This issue affects the PeopleSoft Enterprise Components component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.
CVE-2008-5451 - This issue affects the JD Edwards Tools component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.
CVE-2008-5452 - This issue affects the PeopleSoft Enterprise HRMS component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-5455 - This issue affects the PeopleSoft Enterprise HRMS - ePerformance component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-5456 - This issue affects the PeopleSoft Enterprise HRMS component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
CVE-2008-5463 - This issue affects the PeopleSoft Enterprise Campus Solutions component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.
9. TimesTen In-Memory Database is vulnerable to the following issue:
CVE-2008-5440 - The TimesTen Data Server component is prone to a remote format-string vulnerability because it fails to properly sanitize user-supplied input to the 'msg' parameter of the 'evtdump' command. A remote unauthenticated user can exploit this issue to execute arbitrary code in the context of the affected application.
This BID describes 41 vulnerabilities in total.
Affected Products:
- BEA Systems WebLogic Portal 10.0
- BEA Systems WebLogic Portal 10.0 MP1
- BEA Systems WebLogic Portal 10.2
- BEA Systems WebLogic Portal 10.3
- BEA Systems WebLogic Portal 8.1.0
- BEA Systems WebLogic Portal 8.1.0 SP1
- BEA Systems WebLogic Portal 8.1.0 SP2
- BEA Systems WebLogic Portal 8.1.0 SP3
- BEA Systems WebLogic Portal 8.1.0 SP4
- BEA Systems WebLogic Portal 8.1.0 SP5
- BEA Systems WebLogic Portal 8.1.0 SP6
- BEA Systems WebLogic Portal 9.2
- BEA Systems WebLogic Portal 9.2 MP3
- BEA Systems Weblogic Server 10.0
- BEA Systems Weblogic Server 10.0 MP1
- BEA Systems Weblogic Server 10.3
- BEA Systems Weblogic Server 7.0 SP7
- BEA Systems Weblogic Server 7.0.0
- BEA Systems Weblogic Server 7.0.0 .0.1
- BEA Systems Weblogic Server 7.0.0 .0.1 SP 1
- BEA Systems Weblogic Server 7.0.0 .0.1 SP 2
- BEA Systems Weblogic Server 7.0.0 .0.1 SP 3
- BEA Systems Weblogic Server 7.0.0 .0.1 SP 4
- BEA Systems Weblogic Server 7.0.0 SP 1
- BEA Systems Weblogic Server 7.0.0 SP 2
- BEA Systems Weblogic Server 7.0.0 SP 3
- BEA Systems Weblogic Server 7.0.0 SP 4
- BEA Systems Weblogic Server 7.0.0 SP 5
- BEA Systems Weblogic Server 7.0.0 SP 6
- BEA Systems Weblogic Server 7.0.0 SP 7
- BEA Systems Weblogic Server 8.1
- BEA Systems Weblogic Server 8.1.0
- BEA Systems Weblogic Server 8.1.0 SP 1
- BEA Systems Weblogic Server 8.1.0 SP 2
- BEA Systems Weblogic Server 8.1.0 SP 3
- BEA Systems Weblogic Server 8.1.0 SP 4
- BEA Systems Weblogic Server 8.1.0 SP 5
- BEA Systems Weblogic Server 8.1.0 SP 6
- BEA Systems Weblogic Server 9.0
- BEA Systems Weblogic Server 9.1
- BEA Systems Weblogic Server 9.2
- BEA Systems Weblogic Server 9.2 Maintenance Pack 3
- Oracle Collaboration Suite Release 1 10.1.2
- Oracle E-Business Suite 11i 11.5.10.2
- Oracle E-Business Suite 12 12.0.6
- Oracle Enterprise Manager Grid Control 10g 10.2.0.4
- Oracle Oracle10g Application Server 10.1.2 .2.0
- Oracle Oracle10g Application Server 10.1.2.3.0
- Oracle Oracle10g Application Server 10.1.3 .3.0
- Oracle Oracle10g Enterprise Edition 10.1.0 .5
- Oracle Oracle10g Enterprise Edition 10.2.0 .2
- Oracle Oracle10g Enterprise Edition 10.2.0 .3
- Oracle Oracle10g Enterprise Edition 10.2.0.2 64 bit
- Oracle Oracle10g Enterprise Edition 10.2.0.4
- Oracle Oracle10g Personal Edition 10.1.0.5
- Oracle Oracle10g Personal Edition 10.2.0 .2
- Oracle Oracle10g Personal Edition 10.2.0 .3
- Oracle Oracle10g Personal Edition 10.2.0.4
- Oracle Oracle10g Standard Edition 10.1.0 .5
- Oracle Oracle10g Standard Edition 10.2.0 .2
- Oracle Oracle10g Standard Edition 10.2.0 .3
- Oracle Oracle10g Standard Edition 10.2.0.4
- Oracle Oracle11g Enterprise Edition 11.1.0 6
- Oracle Oracle11g Standard Edition 11.1.0 6
- Oracle Oracle11g Standard Edition One 11.1.0 6
- Oracle Oracle9i Enterprise Edition 9.2.0 .8DV
- Oracle Oracle9i Enterprise Edition 9.2.0.8.0
- Oracle Oracle9i Personal Edition 9.2.0 .8
- Oracle Oracle9i Personal Edition 9.2.0 .8DV
- Oracle Oracle9i Standard Edition 9.2.0 .8DV
- Oracle Oracle9i Standard Edition 9.2.0.8
- Oracle Secure Backup 10.1.0.1
- Oracle Secure Backup 10.1.0.2
- Oracle Secure Backup 10.1.0.3
- Oracle Secure Backup 10.2.0.2
- Oracle Secure Backup 10.2.0.3
- Oracle TimesTen In-Memory Database 7.0.5.1.0
- Oracle TimesTen In-Memory Database 7.0.5.2.0
- Oracle TimesTen In-Memory Database 7.0.5.3.0
- Oracle TimesTen In-Memory Database 7.0.5.4.0
References:
- ACROS: ACROS Security Problem Report #2009-01-27-1
- BEA: SECURITY ADVISORY (CVE-2008-5457)
- BEA: SECURITY ADVISORY (CVE-2008-5459)
- BEA: SECURITY ADVISORY (CVE-2008-5460)
- BEA: SECURITY ADVISORY (CVE-2008-5461)
- BEA: SECURITY ADVISORY (CVE-2008-5462)
- CVE: CVE-2008-2623
- CVE: CVE-2008-3973
- CVE: CVE-2008-3974
- CVE: CVE-2008-3978
- CVE: CVE-2008-3979
- CVE: CVE-2008-3981
- CVE: CVE-2008-3997
- CVE: CVE-2008-3999
- CVE: CVE-2008-4006
- CVE: CVE-2008-4007
- CVE: CVE-2008-4014
- CVE: CVE-2008-4015
- CVE: CVE-2008-4016
- CVE: CVE-2008-4017
- CVE: CVE-2008-5436
- CVE: CVE-2008-5437
- CVE: CVE-2008-5438
- CVE: CVE-2008-5439
- CVE: CVE-2008-5440
- CVE: CVE-2008-5441
- CVE: CVE-2008-5442
- CVE: CVE-2008-5443
- CVE: CVE-2008-5444
- CVE: CVE-2008-5445
- CVE: CVE-2008-5446
- CVE: CVE-2008-5447
- CVE: CVE-2008-5448
- CVE: CVE-2008-5449
- CVE: CVE-2008-5450
- CVE: CVE-2008-5451
- CVE: CVE-2008-5452
- CVE: CVE-2008-5454
- CVE: CVE-2008-5455
- CVE: CVE-2008-5456
- CVE: CVE-2008-5457
- CVE: CVE-2008-5458
- CVE: CVE-2008-5459
- CVE: CVE-2008-5460
- CVE: CVE-2008-5461
- CVE: CVE-2008-5462
- CVE: CVE-2008-5463
- Integrigy: Oracle Critical Patch Update - January 2009 - E-Business Suite Impact
- Joxean Koret: Oracle Secure Backup 10g Remote Code Execution
- Joxean Koret: Oracle TimesTen Remote Format String
- Oracle: Oracle Critical Patch Update Advisory - January 2009
- Oracle: Oracle Critical Patch Update Pre-Release Announcement - January 2009
- Oracle: Oracle Homepage
- SecNiche: CVE-2008-5446 Sensitive Information Disclosure
- ZDI: ZDI-09-003 Oracle Secure Backup exec_qr() Command Injection Vulnerability
- ZDI: ZDI-09-004 Oracle TimesTen evtdump Remote Format String Vulnerability
- iDefense: Oracle Secure Backup Administration Server login.php Command Injection Vulnerabi
- iDefense Labs: Oracle Database 10g R2 Summary Advisor Arbitrary File Rewrite Vulnerability
- iDefense Labs: Oracle Secure Backup Administration Server login.php Command Injection Vulnerabi