• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Oracle April 2009 Critical Patch Update Multiple Vulnerabilities

Severity: CRITICAL

Description:

Oracle has released the April 2009 critical patch update. The following issues have been addressed:

Application Server is vulnerable to the following 12 issues:

CVE-2009-0974 - Affects the Portal component and requires HTTP access. No authentication is required. Successful attacks may compromise the integrity of the server.

CVE-2009-0983 - Affects the Portal component and requires HTTP access. No authentication is required. Successful attacks may compromise the integrity of the server.

CVE-2009-0989 - Affects the BI Publisher component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-0990 - Affects the BI Publisher component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-0993 - Affects the OPMN component and requires ONS access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server. This is a format-string issue affecting POST data logged to the '$ORACLE_HOME/opmn/logs/opmn.log' file.

CVE-2009-0994 - Affects the BI Publisher component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.

CVE-2009-0996 - Affects the BI Publisher component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.

CVE-2009-1008 - Affects the Outside In Technology component. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1009 - Affects the Outside In Technology component. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1010 - Affects the Outside In Technology component. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1011 - Affects the Outside In Technology component. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1017 - Affects the BI Publisher component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.

Oracle E-Business Suite is vulnerable to the following three issues:

CVE-2009-0995 - Affects the Oracle Applications Framework component and requires HTTP access. No authentication is required. Successful attacks may compromise the integrity of the server.

CVE-2009-0999 - Affects the Oracle Application Object Library component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1000 - Affects the Oracle Applications Technology Stack component and requires HTTP access. No authentication is required. Successful attacks may compromise the integrity of the server.

BEA Products Suite is vulnerable to the following eight issues:

CVE-2009-1001 - Affects the WebLogic Portal component and requires HTTP access. Successful authentication is required. Successful attacks may allow elevation of privileges in the portal.

CVE-2009-1002 - Affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may allow elevation of privileges in the server.

CVE-2009-1003 - Affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may disclose source code in server webpages.

CVE-2009-1004 - Affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-1005 - Affects the Oracle Data Service Integrator (AquaLogic Data Services Platform) component. Successful authentication is required. Successful attacks may allow elevation of privileges.

CVE-2009-1006 - Affects the JRockit component. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1012 - Affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-1016 - Affects the WebLogic Server component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

Oracle Database is vulnerable to the following 16 issues:

CVE-2009-0972 - Affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-0973 - Affects the Cluster Ready Services component and requires Oracle Net access. No authentication is required. Successful attacks may compromise the availability of the server.

CVE-2009-0975 - Affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-0976 - Affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-0977 - Affects the Advanced Queuing component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server. This is an SQL-injection vulnerability in the 'DMBS_AQADM_SYS' package; it affects the 'USER_NAME' parameter of the 'GRANT_TYPE_ACCESS' procedure.

CVE-2009-0978 - Affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server. This is an SQL-injection vulnerability in the 'ROLLBACKWORKSPACE' procedure of the 'LT PL/SQL' package.

CVE-2009-0979 - Affects the Resource Manager component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server. This is an arbitrary-code-execution vulnerability caused by a buffer overflow that affects the plan name parameter used in the 'ALTER SYSTEM SET RESOURCE_MANAGER_PLAN' statement in the 'SYS.DBMS_RESOURCE_MANAGER.SWITCH_PLAN' procedure.

CVE-2009-0980 - Affects the SQLX Functions component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the integrity and availability of the server.

CVE-2009-0981 - Affects the Application Express component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server. Specifically, unprivileged users can access the APEX password hashes in 'FLOWS_030000.WWV_FLOW_USER'.

CVE-2009-0984 - Affects the Database Vault component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-0985 - Affects the Core RDBMS component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-0986 - Affects the Workspace Manager component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality, integrity, and availability of the server.

CVE-2009-0988 - Affects the Password Policy component and requires Oracle Net access. Specifically, any security standard requires the tracking of user password history. If the administrator has enabled 11g passwords, then tracking password history can be bypassed. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.

CVE-2009-0991 - Affects the Listener component and requires Oracle Net access. No authentication is required. Successful attacks may compromise the availability of the server.

CVE-2009-0992 - Affects the Advanced Queuing component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server. This is an SQL-injection vulnerability in the 'DBMS_AQIN' package; it affects the 'DEQ_EXEJOB' procedure.

CVE-2009-0997 - Affects the Database Vault component and requires Oracle Net access. Successful authentication is required. Successful attacks may compromise the confidentiality of the server.

Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne are vulnerable to the following four issues:

CVE-2009-0982 - Affects the PeopleSoft Enterprise PeopleTools component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the integrity of the server.

CVE-2009-0998 - Affects the PeopleSoft Enterprise HRMS - eBenefits component and requires HTTP access. Successful authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-1013 - Affects the PeopleSoft Enterprise PeopleTools component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

CVE-2009-1014 - Affects the PeopleSoft Enterprise PeopleTools component and requires HTTP access. No authentication is required. Successful attacks may compromise the confidentiality and integrity of the server.

This BID describes 43 vulnerabilities in total.

Affected Products:

• BEA Systems WebLogic Portal 8.1.0
• BEA Systems WebLogic Portal 8.1.0 SP1
• BEA Systems WebLogic Portal 8.1.0 SP2
• BEA Systems WebLogic Portal 8.1.0 SP3
• BEA Systems WebLogic Portal 8.1.0 SP4
• BEA Systems WebLogic Portal 8.1.0 SP5
• BEA Systems WebLogic Portal 8.1.0 SP6
• BEA Systems Weblogic Server 10.0
• BEA Systems Weblogic Server 10.0
• BEA Systems Weblogic Server 10.0 MP1
• BEA Systems Weblogic Server 10.3
• BEA Systems Weblogic Server 10.3
• BEA Systems Weblogic Server 7.0 SP7
• BEA Systems Weblogic Server 7.0.0
• BEA Systems Weblogic Server 7.0.0 .0.1
• BEA Systems Weblogic Server 7.0.0 .0.1 SP 1
• BEA Systems Weblogic Server 7.0.0 .0.1 SP 2
• BEA Systems Weblogic Server 7.0.0 .0.1 SP 3
• BEA Systems Weblogic Server 7.0.0 .0.1 SP 4
• BEA Systems Weblogic Server 7.0.0 SP 1
• BEA Systems Weblogic Server 7.0.0 SP 2
• BEA Systems Weblogic Server 7.0.0 SP 3
• BEA Systems Weblogic Server 7.0.0 SP 4
• BEA Systems Weblogic Server 7.0.0 SP 5
• BEA Systems Weblogic Server 7.0.0 SP 6
• BEA Systems Weblogic Server 7.0.0 SP 7
• BEA Systems Weblogic Server 8.1.0
• BEA Systems Weblogic Server 8.1.0 SP 1
• BEA Systems Weblogic Server 8.1.0 SP 2
• BEA Systems Weblogic Server 8.1.0 SP 3
• BEA Systems Weblogic Server 8.1.0 SP 4
• BEA Systems Weblogic Server 8.1.0 SP 5
• BEA Systems Weblogic Server 8.1.0 SP 6
• BEA Systems Weblogic Server 9.0
• BEA Systems Weblogic Server 9.1
• BEA Systems Weblogic Server 9.2
• BEA Systems Weblogic Server 9.2 Maintenance Pack 3
• Oracle AquaLogic Data Services Platform 3.0
• Oracle AquaLogic Data Services Platform 3.0.1
• Oracle AquaLogic Data Services Platform 3.2
• Oracle Audit Vault 10.2.3
• Oracle BI Publisher 10.1.3.3.0
• Oracle BI Publisher 10.1.3.3.1
• Oracle BI Publisher 10.1.3.3.2
• Oracle BI Publisher 10.1.3.3.3
• Oracle BI Publisher 10.1.3.4
• Oracle Data Service Integrator 10.3.0
• Oracle E-Business Suite 11i 11.5.10.2
• Oracle E-Business Suite 12 12.0.6
• Oracle JRockit R27.1.0
• Oracle JRockit R27.6.0
• Oracle JRockit R27.6.2
• Oracle Oracle10g Application Server 10.1.2
• Oracle Oracle10g Application Server 10.1.2.3.0
• Oracle Oracle10g Enterprise Edition 10.1.0 .5
• Oracle Oracle10g Enterprise Edition 10.2.0 .3
• Oracle Oracle10g Enterprise Edition 10.2.0.4
• Oracle Oracle10g Personal Edition 10.1.0.5
• Oracle Oracle10g Personal Edition 10.2.0 .3
• Oracle Oracle10g Personal Edition 10.2.0.4
• Oracle Oracle10g Standard Edition 10.1.0 .5
• Oracle Oracle10g Standard Edition 10.2.0 .3
• Oracle Oracle10g Standard Edition 10.2.0.4
• Oracle Oracle11g Enterprise Edition 11.1.0 6
• Oracle Oracle11g Enterprise Edition 11.1.0.7
• Oracle Oracle11g Standard Edition 11.1.0 6
• Oracle Oracle11g Standard Edition 11.1.0 6
• Oracle Oracle11g Standard Edition One 11.1.0 6
• Oracle Oracle9i Enterprise Edition 9.2.0 .8DV
• Oracle Oracle9i Enterprise Edition 9.2.0.8.0
• Oracle Oracle9i Personal Edition 9.2.0 .8
• Oracle Oracle9i Personal Edition 9.2.0 .8DV
• Oracle Oracle9i Standard Edition 9.2.0 .8DV
• Oracle Oracle9i Standard Edition 9.2.0.8
• Oracle Outside In SDK HTML Export 8.2.2
• Oracle Outside In SDK HTML Export 8.3.0
• Oracle PeopleSoft Enterprise HRMS 8.9
• Oracle PeopleSoft Enterprise HRMS 9.0
• Oracle PeopleSoft Enterprise PeopleTools 8.49
• Oracle Weblogic Server 10.3
• Oracle XML Publisher 10.1.3.2
• Oracle XML Publisher 10.1.3.2.1
• Oracle XML Publisher 5.6.2

References:

• CVE: CVE-2009-0972
• CVE: CVE-2009-0973
• CVE: CVE-2009-0974
• CVE: CVE-2009-0975
• CVE: CVE-2009-0976
• CVE: CVE-2009-0977
• CVE: CVE-2009-0978
• CVE: CVE-2009-0979
• CVE: CVE-2009-0980
• CVE: CVE-2009-0981
• CVE: CVE-2009-0982
• CVE: CVE-2009-0983
• CVE: CVE-2009-0984
• CVE: CVE-2009-0985
• CVE: CVE-2009-0986
• CVE: CVE-2009-0988
• CVE: CVE-2009-0989
• CVE: CVE-2009-0990
• CVE: CVE-2009-0991
• CVE: CVE-2009-0992
• CVE: CVE-2009-0993
• CVE: CVE-2009-0994
• CVE: CVE-2009-0995
• CVE: CVE-2009-0996
• CVE: CVE-2009-0997
• CVE: CVE-2009-0998
• CVE: CVE-2009-0999
• CVE: CVE-2009-1000
• CVE: CVE-2009-1001
• CVE: CVE-2009-1002
• CVE: CVE-2009-1003
• CVE: CVE-2009-1004
• CVE: CVE-2009-1005
• CVE: CVE-2009-1006
• CVE: CVE-2009-1008
• CVE: CVE-2009-1009
• CVE: CVE-2009-1010
• CVE: CVE-2009-1011
• CVE: CVE-2009-1012
• CVE: CVE-2009-1013
• CVE: CVE-2009-1014
• CVE: CVE-2009-1016
• CVE: CVE-2009-1017
• Oracle: Oracle Critical Patch Update Advisory - April 2009
• Oracle: Oracle Critical Patch Update Pre-Release Announcement - April 2009
• Oracle: Oracle Homepage
• Oracle: SECURITY ADVISORY (CVE-2009-1001)
• Oracle: SECURITY ADVISORY (CVE-2009-1002)
• Oracle: SECURITY ADVISORY (CVE-2009-1003)
• Oracle: SECURITY ADVISORY (CVE-2009-1004)
• Oracle: SECURITY ADVISORY (CVE-2009-1005)
• Oracle: SECURITY ADVISORY (CVE-2009-1006)
• Oracle: SECURITY ADVISORY (CVE-2009-1012)
• Oracle: SECURITY ADVISORY (CVE-2009-1016)
• Red-Database-Security: SQL Injection in package DBMS_AQADM_SYS
• Red-Database-Security: SQL Injection in package DBMS_AQIN
• Red-Database-Security: Unprivileged DB users can see APEX password hashes in FLOWS_030000.WWV_FLOW_USER
• Secunia: Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow
• Secunia: Oracle BEA WebLogic Server Plug-ins Integer Overflow
• Team SHATTER: Oracle Database SQL Injection vulnerability in LT.ROLLBACKWORKSPACE
• ZDI: Oracle Applications Server 10g Format String Vulnerability

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.