Oracle OpenSSO Flaw Lets Remote Users Partially Modify Data
|
|
SecurityTracker Alert ID: 1026536 |
|
SecurityTracker URL: http://securitytracker.com/id/1026536
|
|
CVE Reference:
CVE-2012-0079
(Links to External Site)
|
Date: Jan 18 2012
|
Impact:
Modification of system information, Modification of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): 7.1, 8.0
|
Description:
A vulnerability was reported in Oracle OpenSSO. A remote user can partially modify data on the target system.
A remote user can exploit the Administration component via HTTPS to partially modify data on the target system.
The following researchers reported these and other Oracle vulnerabilities:
An Anonymous Reporter of TippingPoint's Zero Day Initiative; Behrang Fouladi of SensePost Information Security; Chris Wysopal of Veracode; Clement Lecigne; Dennis Yurichev of McAfee Labs; Gorkem Yakin; InfoWorld; Juan Pablo Perez Etchegoyen of Onapsis; Mateusz "j00ru" Jurczyk; Michael Myngerbayev of McAfee Labs; Michael Oglesby of True Digital Security; Minetoshi Takizawa through JPCERT/CC Vulnerability Handling Team; Robert Maly of Ness Technologies; Rohan Stelling of Stratsec Research; and Will Dormann of CERT/CC.
|
Impact:
A remote user can partially modify data on the target system.
|
Solution:
The vendor has issued a fix, described in their January 2012 Critical Patch Update advisory.
The vendor's advisory is available at:
http://www.oracle.com/technetwork/topics/security/cpujan2012-366304.html
|
Vendor URL: www.oracle.com/technetwork/topics/security/cpujan2012-366304.html (Links to External Site)
|
Cause:
Not specified
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 18 Jan 2012 06:49:47 +0000
Subject: Oracle Sun OpenSSO
|
CVE-2012-0079
|
|
