SecurityTracker.com

SecurityTracker
Archives


 


Category:   Application (E-mail Server)  >   Microsoft Exchange
Vendors:   Microsoft
(Microsoft Issues Fix for Microsoft Exchange Server) Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Local and Remote Users Deny Service
SecurityTracker Alert ID:  1027858
SecurityTracker URL:  http://securitytracker.com/id/1027858
CVE Reference:   CVE-2012-3214, CVE-2012-3217
Date:  Dec 11 2012
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 2007 SP3, 2010 SP1, 2010 SP2
Description:   Multiple vulnerabilities were reported in Oracle Fusion Middleware. A remote user can take full control of the target system. A remote or local user can cause denial of service conditions. A local user can partially modify data on the target system. Microsoft Exchange Server is affected.

A remote user can exploit a flaw in Oracle JRockit to take full control of the target system [CVE-2012-3202].

A remote user can exploit flaws in Oracle Reports Developer to partially access and modify data on the target system [CVE-2012-3152, CVE-2012-3153]. These vulnerabilities can also be exploited to gain shell access on the target system. Additional exploit information is available at:

http://netinfiltration.com/

A remote user can exploit a flaw in Oracle Event Processing and Oracle WebLogic Server to partially access and modify data on the target system [CVE-2011-1411].

A remote user can partially modify data on the target system. The Oracle Imaging and Process Management [CVE-2012-0106] and Oracle WebCenter Sites [CVE-2012-3183, CVE-2012-3185] components are affected.

A remote user can partially modify data on the target system. The Oracle Application Server Single Sign-On [CVE-2012-3175, CVE-2012-0518], Oracle BI Publisher [CVE-2012-3194], Oracle Business Intelligence Enterprise Edition [CVE-2012-1686], and Oracle Imaging and Process Management [CVE-2012-0071, CVE-2012-0093] components are affected.

A remote user can cause partial denial of service conditions in the Oracle Imaging and Process Management component [CVE-2012-0107].

A remote user can exploit a flaw in Oracle WebCenter Sites to partially modify data on the target system [CVE-2012-3184].

A remote authenticated user can partially access data on the target system. The Oracle BI Publisher [CVE-2012-3193] and Oracle Imaging and Process Management [CVE-2012-0086] components are affected.

A remote authenticated user can partially modify data on the target system [CVE-2012-0090, CVE-2012-0092]. The Oracle Imaging and Process Management component is affected.

A remote authenticated user can partially access data on the target system [CVE-2012-0108, CVE-2012-0095]. The Oracle Imaging and Process Management component is affected.

A local user can cause partial denial of service conditions on the target system in Oracle Outside In Technology [CVE-2012-3214, CVE-2012-3217].

A local user can exploit a flaw in Oracle WebCenter Sites to partially modify data on the target system [CVE-2012-5065].

The following researchers reported these and other Oracle vulnerabilities:

Alexandr Polyakov of Digital Security; Andy Yang; Dana Lane Taylor of the University of Pennsylvania; Dominic Sim, Agus Komang; Esteban Martinez Fayo of Application Security, Inc.; Florian Lukavsky of SEC Consult Vulnerability Lab; Francis Provencher via Secunia SVCRP; John Zimmerman; Martin Carpenter of Citco; Martin Rakhmanov of Application Security, Inc.; Microsoft Vulnerability Research of Microsoft Corp; Paul Harrington of NGS Secure; Pavel Toporkov of Positive Technologies; Ronnie Sahlberg; Sam Thomas of Pentest Limited; Sjoerd Resink of Fox-IT; Thomas Biege of SUSE; Travis Emmert; and Travis Emmert of Veracode.

Impact:   A remote user can take full control of the target system.

A remote or remote authenticated user can partially access and modify data on the target system.

A remote or local user can cause denial of service conditions.

A local user can partially modify data on the target system.

Solution:   Microsoft has issued a fix for CVE-2012-3214 and CVE-2012-3217 for Microsoft Exchange Server.

Microsoft Exchange Server 2007 Service Pack 3:

http://www.microsoft.com/downloads/details.aspx?familyid=605fc9bc-a05c-4466-ace6-9c2af087d797

Microsoft Exchange Server 2010 Service Pack 1:

http://www.microsoft.com/downloads/details.aspx?familyid=e43b1164-d768-4152-b9a3-d1491e2f3cba

Microsoft Exchange Server 2010 Service Pack 2:

http://www.microsoft.com/downloads/details.aspx?familyid=2a49ed58-9dab-4d48-ae8a-c7139e3b34ba

The Microsoft advisory is available at:

http://technet.microsoft.com/en-us/security/bulletin/ms12-080

Cause:   Not specified
Underlying OS:  Windows (2000), Windows (2003), Windows (2008)

Message History:   This archive entry is a follow-up to the message listed below.
Oct 17 2012 Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Local and Remote Users Deny Service




Copyright 2019, SecurityGlobal.net LLC