Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact
SecurityTracker Alert ID: 1017927
SecurityTracker URL: http://securitytracker.com/id?1017927
CVE Reference: CVE-2007-2108, CVE-2007-2109, CVE-2007-2110, CVE-2007-2111, CVE-2007-2112, CVE-2007-2113, CVE-2007-2114, CVE-2007-2115, CVE-2007-2116, CVE-2007-2117, CVE-2007-2118, CVE-2007-2119, CVE-2007-2120, CVE-2007-2121, CVE-2007-2122, CVE-2007-2123, CVE-2007-2124, CVE-2007-2125, CVE-2007-2126, CVE-2007-2127, CVE-2007-2128, CVE-2007-2129, CVE-2007-2130, CVE-2007-2131
Updated: May 14 2008
Original Entry Date: Apr 17 2007
Impact: Not specified
Fix Available: Yes
Vendor Confirmed: Yes
Advisory: Oracle Security Advisory
Version(s): 9i, 10g
Description: Numerous vulnerabilities were reported in Oracle Database and other Oracle products. The impact was not specified by the vendor.
Oracle released their Critical Patch Update for April 2007, addressing numerous vulnerabilities in Oracle Database, Oracle Secure Enterprise Search, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise PeopleTools, Oracle PeopleSoft Enterprise Human Capital Management, JD Edwards EnterpriseOne Tools, and JD Edwards OneWorld Tools.
The following product versions are affected:
* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
* Oracle Secure Enterprise Search 10g Release 1, version 10.1.8
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0
* Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle10g Collaboration Suite Release 1, version 10.1.2
* Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
* Oracle E-Business Suite Release 12, version 12.0.0
* Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8
* Oracle Enterprise Manager 9i, version 9.0.1.5
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48
* Oracle PeopleSoft Enterprise Human Capital Management version 8.9
* JD Edwards EnterpriseOne Tools version 8.96
* JD Edwards OneWorld Tools SP23
* Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
* Oracle9i Database Release 2, versions 9.2.0.5
* Oracle Database 10g Release 2, version 10.2.0.1
Oracle has provided no specifics regarding the nature of these vulnerabilities.
Oracle Database products contain 17 vulnerabilities, three of which can be exploited by remote users without authentication. Two vulnerabilities apply to Oracle Database client-only installations (that do not have the Oracle Database installed).
The affected Database components include: Advanced Queuing, Advanced Replication, Authentication, Change Data Capture (CDC), Core RDBMS, Oracle Agent, Oracle Instant Client, Oracle Streams, Oracle Text, Oracle Workflow Cartridge, Rules Manager, Expression Filter, Ultra Search, and Upgrade/Downgrade.
Oracle Application Server contains seven vulnerabilities, two of which can be exploited by remote users without authentication.
Oracle Collaboration Suite contains two vulnerabilities. None can be exploited remotely without authentication.
Oracle E-Business Suite contains 11 vulnerabilities, two of which can be exploited by remote users without authentication.
Oracle Enterprise Manager contains two vulnerabilities, both of which can be exploited by remote users without authentication.
Oracle PeopleSoft Enterprise contains four vulnerabilities (two for PeopleTools, one for PeopleSoft Enterprise Human Capital Management, and one for JD Edwards EnterpriseOne and JD Edwards OneWorld Tools). None can be exploited remotely without authentication.
Oracle has provided the following maximum CVSS base scores:
* Oracle Database: 7.0
* Oracle Application Server: 4.2
* Oracle Collaboration Suite: 1.4
* Oracle E-Business Suite: 4.2
* Oracle Enterprise Manager: 2.3
* Oracle PeopleSoft Enterprise: 2.4
Oracle credits the following individuals and organizations with reporting these vulnerabilities:
Vicente Aguilera Diaz of Internet Security Auditors, S.L.; Gerhard Eschelbeck of Qualys, Inc.; Esteban Martinez Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust of Red Database Security GmbH; David Litchfield and Paul M. Wright of Next Generation Security Software Ltd.; noderat ratty; and TippingPoint's Zero Day Initiative.
Impact: The impact was not specified by the vendor.
Solution: The vendor has issued a fix, described in their April 2007 Critical Patch Update advisory at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
Vendor URL: www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
Cause: Not specified
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 17 Apr 2007 13:58:01 -0400
Subject: Oracle Database