SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Database)  >   Oracle Database Vendors:   Oracle
Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact
SecurityTracker Alert ID:  1018415
SecurityTracker URL:  http://securitytracker.com/id/1018415
CVE Reference:   CVE-2007-3853, CVE-2007-3854, CVE-2007-3855, CVE-2007-3856, CVE-2007-3857, CVE-2007-3858, CVE-2007-3859, CVE-2007-3860, CVE-2007-3861, CVE-2007-3862, CVE-2007-3863, CVE-2007-3864, CVE-2007-3865, CVE-2007-3866, CVE-2007-3867, CVE-2007-3868, CVE-2007-3869, CVE-2007-3870   (Links to External Site)
Updated:  May 6 2008
Original Entry Date:  Jul 18 2007
Impact:   Not specified
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9i, 10g
Description:   Numerous vulnerabilities were reported in Oracle Database and other Oracle products. The impact was not specified by the vendor.

Oracle released their Critical Patch Update for July 2007, addressing numerous vulnerabilities in Oracle Database, Oracle Secure Enterprise Search, Oracle Application Server, Oracle Application Express, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle PeopleSoft Enterprise PeopleTools, Oracle PeopleSoft Enterprise Human Capital Management, and Oracle PeopleSoft Enterprise Customer Relationship Management.

The following product versions are affected:

* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
* Oracle Database 10g Release 1, versions 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8, 9.2.0.8DV
* Oracle Application Express (formerly called HTML DB), versions 1.5 - 2.2
* Oracle Secure Enterprise Search 10g Release 1, version 10.1.6, 10.1.8
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0, 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
* Oracle Application Server 10g (9.0.4), version 9.0.4.3
* Oracle10g Collaboration Suite Release 1, version 10.1.2
* Oracle E-Business Suite Release 11i, versions 11.5.8 - 11.5.10 CU2
* Oracle E-Business Suite Release 12, version 12.0.0, 12.0.1
* Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48, 8.49
* Oracle PeopleSoft Enterprise Human Capital Management version 8.9, 9.0
* Oracle PeopleSoft Enterprise Customer Relationship Management versions 8.9, 9.0
* Oracle9i Database Release 1, versions 9.0.1.5 FIPS+
* Oracle9i Application Server Release 1, version 1.0.2.2

Oracle has provided no specifics regarding the nature of these vulnerabilities.

Oracle Database products contain 19 vulnerabilities, two of which can be exploited by remote users without authentication. None of the vulnerabilities apply to Oracle Database client-only installations (that do not have the Oracle Database installed).

The affected Database components include: Java VM, Advanced Queuing, Data Guard, Oracle Data Mining, Oracle Text, PL/SQL, Rules Manager, Spatial, Oracle Internet Directory, Program Interface, SQL Compiler, and Oracle Application Express (formerly called HTML DB).

Oracle Application Server contains four vulnerabilities, three of which can be exploited by remote users without authentication.

Oracle Collaboration Suite contains one vulnerability, which can be exploited remotely without authentication.

Oracle E-Business Suite contains 14 vulnerabilities, six of which can be exploited by remote users without authentication.

Oracle PeopleSoft Enterprise contains seven vulnerabilities (three for PeopleSoft Enterprise PeopleTools, two for PeopleSoft Enterprise Human Capital Management, and two PeopleSoft Enterprise Customer Relationship Management). One of the vulnerabilities for PeopleTools can be exploited remotely without authentication.

Oracle has provided the following maximum CVSS base scores:

* Oracle Database: 4.2
* Oracle Application Express: 4.2
* Oracle Application Server: 2.3
* Oracle Collaboration Suite: 2.3
* Oracle E-Business Suite: 4.7
* Oracle PeopleSoft Enterprise: 4.8

Oracle credits the following individuals and organizations with reporting these vulnerabilities:

Esteban Martinez Fayo of Application Security, Inc.; Jack Kanter and Stephen Kost of Integrigy; Guy Karlebach of Imperva; Joxean Koret; Alexander Kornbrust of Red Database Security GmbH; Michael Krax; and David Litchfield and Paul M. Wright of Next Generation Security Software Ltd.

Impact:   The impact was not specified.
Solution:   The vendor has issued a fix, described in their July 2007 Critical Patch Update advisory at:

The Oracle advisory is available at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

Vendor URL:  www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html (Links to External Site)
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


 Source Message Contents



[Original Message Not Available for Viewing]


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2019, SecurityGlobal.net LLC