Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact - SecurityTracker

Home | View Topics | Search | Contact Us |

SecurityTracker
Archives

Category: Application (Database) > Oracle Database

Vendors: Oracle

Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact

SecurityTracker Alert ID: 1018415

SecurityTracker URL: http://securitytracker.com/id/1018415

CVE Reference: CVE-2007-3853, CVE-2007-3854, CVE-2007-3855, CVE-2007-3856, CVE-2007-3857, CVE-2007-3858, CVE-2007-3859, CVE-2007-3860, CVE-2007-3861, CVE-2007-3862, CVE-2007-3863, CVE-2007-3864, CVE-2007-3865, CVE-2007-3866, CVE-2007-3867, CVE-2007-3868, CVE-2007-3869, CVE-2007-3870 (Links to External Site)

Updated: May 6 2008

Original Entry Date: Jul 18 2007

Impact: Not specified

Fix Available: Yes Vendor Confirmed: Yes

Version(s): 9i, 10g

Description: Numerous vulnerabilities were reported in Oracle Database and other Oracle products. The impact was not specified by the vendor.

Oracle released their Critical Patch Update for July 2007, addressing numerous vulnerabilities in Oracle Database, Oracle Secure Enterprise Search, Oracle Application Server, Oracle Application Express, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise PeopleTools, Oracle PeopleSoft Enterprise Human Capital Management, and Oracle PeopleSoft Enterprise Customer Relationship Management.

The following product versions are affected:

* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g Release 1, versions 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8, 9.2.0.8DV
* Oracle Application Express (formerly called HTML DB), versions 1.5 - 2.2
* Oracle Secure Enterprise Search 10g Release 1, version 10.1.6, 10.1.8
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle10g Collaboration Suite Release 1, version 10.1.2
* Oracle E-Business Suite Release 11i, versions 11.5.8 - 11.5.10 CU2
* Oracle E-Business Suite Release 12, version 12.0.0, 12.0.1
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
* Oracle PeopleSoft Enterprise Human Capital Management version 8.9, 9.0
* Oracle PeopleSoft Enterprise Customer Relationship Management versions 8.9, 9.0
* Oracle9i Database Release 1, versions 9.0.1.5 FIPS+
* Oracle9i Application Server Release 1, version 1.0.2.2

Oracle has provided no specifics regarding the nature of these vulnerabilities.

Oracle Database products contain 19 vulnerabilities, two of which can be exploited by remote users without authentication. None of the vulnerabilities apply to Oracle Database client-only installations (that do not have the Oracle Database installed).

The affected Database components include: Java VM, Advanced Queuing, Data Guard, Oracle Data Mining, Oracle Text, PL/SQL, Rules Manager, Spatial, Oracle Internet Directory, Program Interface, SQL Compiler, and Oracle Application Express (formerly called HTML DB).

Oracle Application Server contains four vulnerabilities, three of which can be exploited by remote users without authentication.

Oracle Collaboration Suite contains one vulnerability, which can be exploited remotely without authentication.

Oracle E-Business Suite contains 14 vulnerabilities, six of which can be exploited by remote users without authentication.

Oracle PeopleSoft Enterprise contains seven vulnerabilities (three for PeopleSoft Enterprise PeopleTools, two for PeopleSoft Enterprise Human Capital Management, and two PeopleSoft Enterprise Customer Relationship Management). One of the vulnerabilities for PeopleTools can be exploited remotely without authentication.

Oracle has provided the following maximum CVSS base scores:

* Oracle Database: 4.2
* Oracle Application Express: 4.2
* Oracle Application Server: 2.3
* Oracle Collaboration Suite: 2.3
* Oracle E-Business Suite: 4.7
* Oracle PeopleSoft Enterprise: 4.8

Oracle credits the following individuals and organizations with reporting these vulnerabilities:

Esteban Martinez Fayo of Application Security, Inc.; Jack Kanter and Stephen Kost of Integrigy; Guy Karlebach of Imperva; Joxean Koret; Alexander Kornbrust of Red Database Security GmbH; Michael Krax; and David Litchfield and Paul M. Wright of Next Generation Security Software Ltd.

Impact: The impact was not specified.

Solution: The vendor has issued a fix, described in their July 2007 Critical Patch Update advisory at:

The Oracle advisory is available at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

Vendor URL: www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html (Links to External Site)

Cause: Not specified

Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History: None.

Source Message Contents


[Original Message Not Available for Viewing]

Go to the Top of This SecurityTracker Archive Page

Home | View Topics | Search | Contact Us
This web site uses cookies for web analytics. Learn More
Copyright 2020, SecurityGlobal.net LLC