SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Generic)  >   Oracle PeopleSoft Products Vendors:   Oracle
Oracle PeopleSoft Products Flaws Let Remote Users Partially Access Data and Partially Deny Service
SecurityTracker Alert ID:  1029194
SecurityTracker URL:  http://securitytracker.com/id/1029194
CVE Reference:   CVE-2013-3785, CVE-2013-3835, CVE-2013-5765, CVE-2013-5779, CVE-2013-5794, CVE-2013-5836, CVE-2013-5841, CVE-2013-5847   (Links to External Site)
Date:  Oct 16 2013
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 8.51, 8.52, 8.53, 9.1, 9.2
Description:   Multiple vulnerabilities were reported in Oracle PeopleSoft Products. A remote user can cause partial denial of service conditions. A remote user can partially access data.

A remote user can exploit flaws in PeopleSoft Enterprise PeopleTools to partially access data. The Business Interlink [CVE-2013-5836], Integration Broker [CVE-2013-3835], and Portal components [CVE-2013-5794, CVE-2013-5841] are affected.

A remote user can exploit a flaw in PeopleSoft Enterprise PeopleTools in the XML Publisher to partially deny service [CVE-2013-5765]

A remote authenticated user can exploit flaws in PeopleSoft Enterprise HRMS to partially access data. The Career's Home [CVE-2013-3785] and eCompensation [CVE-2013-5847] components are affected.

A remote authenticated user can exploit flaws in PeopleSoft Enterprise PeopleTools in the PIA Core Technology component to partially access data [CVE-2013-5779].

The following researchers reported these and other Oracle vulnerabilities:

Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Adi Ludmer of McAfee Labs; Ajinkya Patil of AVsecurity.in; Alex Kouzemtchenko of Security Research Lab via CERT/CC; Alex Rajan of Network Intelligence; Alexander Polyakov of
ERPScan; Alexander Tlyapov of Positive Technologies; Alexey Osipov of Positive Technologies; Alexey Tyurin of ERPScan (Digital Security Research Group); Anagha Devale-Vartak of AVsecurity.in; Andrea Micalizzi aka rgod, working with HP's Zero Day
Initiative; Andrew Davies formerly of NCC Group; Ben Murphy via HP's Zero Day Initiative; CERT/CC; Chris Ries via the Exodus Intelligence Program; Dave Bryant of Orion Health; Dmitry Sklyarov of Positive Technologies; Esteban Martinez Fayo formerly
of Application Security Inc.; HUAWEI PSIRT; James Forshaw of Context Information Security; Jeroen Frijters; Jon Passki of Security Research Lab via CERT/CC; Juraj Somorovsky of Ruhr-University Bochum; Manuel Garcia Cardenas of Internet Security
Auditors; Positive Research Center (Positive Technologies Company); Qinglin Jiang formerly of Application Security Inc; Rohan Stelling of BAE Systems Detica; Sam Thomas of Pentest Limited; Timur Yunusov of Positive Technologies; Tom Parker of Orion
Health; Travis Emmert via iDefense; Vinesh N. Redkar; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.

Impact:   A remote user can cause denial of service conditions.

A remote user can partially access data.

Solution:   The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - October 2013.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Vendor URL:  www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC