Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact
|
|
SecurityTracker Alert ID: 1018415
|
|
SecurityTracker URL: http://securitytracker.com/id?1018415
|
|
CVE Reference: CVE-2007-3853
, CVE-2007-3854
, CVE-2007-3855
, CVE-2007-3856
, CVE-2007-3857
, CVE-2007-3858
, CVE-2007-3859
, CVE-2007-3860
, CVE-2007-3861
, CVE-2007-3862
, CVE-2007-3863
, CVE-2007-3864
, CVE-2007-3865
, CVE-2007-3866
, CVE-2007-3867
, CVE-2007-3868
, CVE-2007-3869
, CVE-2007-3870
(Links to External Site)
|
Updated: May 6 2008
|
Original Entry Date: Jul 18 2007
|
Impact: Not specified
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Oracle Security Advisory
|
Version(s): 9i, 10g
|
Description: Numerous vulnerabilities were reported in Oracle Database and other Oracle products. The impact was not specified by the vendor.
Oracle released their Critical Patch Update for July 2007, addressing numerous vulnerabilities in Oracle Database, Oracle Secure
Enterprise Search, Oracle Application Server, Oracle Application Express, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle
PeopleSoft Enterprise PeopleTools, Oracle PeopleSoft Enterprise Human Capital Management, and Oracle PeopleSoft Enterprise Customer
Relationship Management.
The following product versions are affected:
* Oracle Database 10g Release 2, versions 10.2.0.2,
10.2.0.3
* Oracle Database 10g Release 1, versions 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8, 9.2.0.8DV
*
Oracle Application Express (formerly called HTML DB), versions 1.5 - 2.2
* Oracle Secure Enterprise Search 10g Release 1, version
10.1.6, 10.1.8
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0, 10.1.3.3.0
* Oracle
Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server
10g (9.0.4), version 9.0.4.3
* Oracle10g Collaboration Suite Release 1, version 10.1.2
* Oracle E-Business Suite Release 11i,
versions 11.5.8 - 11.5.10 CU2
* Oracle E-Business Suite Release 12, version 12.0.0, 12.0.1
* Oracle PeopleSoft Enterprise PeopleTools
versions 8.22, 8.47, 8.48, 8.49
* Oracle PeopleSoft Enterprise Human Capital Management version 8.9, 9.0
* Oracle PeopleSoft Enterprise
Customer Relationship Management versions 8.9, 9.0
* Oracle9i Database Release 1, versions 9.0.1.5 FIPS+
* Oracle9i Application
Server Release 1, version 1.0.2.2
Oracle has provided no specifics regarding the nature of these vulnerabilities.
Oracle Database
products contain 19 vulnerabilities, two of which can be exploited by remote users without authentication. None of the vulnerabilities
apply to Oracle Database client-only installations (that do not have the Oracle Database installed).
The affected Database components
include: Java VM, Advanced Queuing, Data Guard, Oracle Data Mining, Oracle Text, PL/SQL, Rules Manager, Spatial, Oracle Internet
Directory, Program Interface, SQL Compiler, and Oracle Application Express (formerly called HTML DB).
Oracle Application Server
contains four vulnerabilities, three of which can be exploited by remote users without authentication.
Oracle Collaboration Suite
contains one vulnerability, which can be exploited remotely without authentication.
Oracle E-Business Suite contains 14 vulnerabilities,
six of which can be exploited by remote users without authentication.
Oracle PeopleSoft Enterprise contains seven vulnerabilities
(three for PeopleSoft Enterprise PeopleTools, two for PeopleSoft Enterprise Human Capital Management, and two PeopleSoft Enterprise
Customer Relationship Management). One of the vulnerabilities for PeopleTools can be exploited remotely without authentication.
Oracle
has provided the following maximum CVSS base scores:
* Oracle Database: 4.2
* Oracle Application Express: 4.2
* Oracle Application
Server: 2.3
* Oracle Collaboration Suite: 2.3
* Oracle E-Business Suite: 4.7
* Oracle PeopleSoft Enterprise: 4.8
Oracle credits
the following individuals and organizations with reporting these vulnerabilities:
Esteban Martinez Fayo of Application Security,
Inc.; Jack Kanter and Stephen Kost of Integrigy; Guy Karlebach of Imperva; Joxean Koret; Alexander Kornbrust of Red Database Security
GmbH; Michael Krax; and David Litchfield and Paul M. Wright of Next Generation Security Software Ltd.
|
Impact: The impact was not specified.
|
Solution: The vendor has issued a fix, described in their July 2007 Critical Patch Update advisory at:
The Oracle advisory is available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html
|
Vendor URL: www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html (Links to External Site)
|
Cause: Not specified
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 18 Jul 2007 06:36:24 -0400
Subject: Oracle Database
|
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html
Oracle Critical Patch Update - July 2007
|
|
Go to the Top of This SecurityTracker Archive Page
|
