|
|
|
Oracle Fusion Middleware Flaws Let Remote Users Execute Arbitrary Code, Access and Modify Data, and Deny Service
|
SecurityTracker Alert ID: 1024981 |
SecurityTracker URL: http://securitytracker.com/id/1024981
|
CVE Reference:
CVE-2010-3510, CVE-2010-3588, CVE-2010-3591, CVE-2010-3592, CVE-2010-3595, CVE-2010-3597, CVE-2010-3598, CVE-2010-3599, CVE-2010-4416, CVE-2010-4417, CVE-2010-4425, CVE-2010-4427, CVE-2010-4437, CVE-2010-4453, CVE-2010-4455
(Links to External Site)
|
Date: Jan 19 2011
|
Impact:
Denial of service via local system, Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
|
Fix Available: Yes Vendor Confirmed: Yes
|
|
Description:
Multiple vulnerabilities were reported in Oracle Fusion Middleware. A remote user can execute arbitrary code on the target system. A remote user can cause denial of service conditions. A local user can cause denial of service conditions. A remote user can access and modify data.
The Oracle BI Publisher [CVE-2010-4425, CVE-2010-4427], Oracle Discoverer [CVE-2010-3588], Oracle Document Capture [CVE-2010-3591, CVE-2010-3592, CVE-2010-3595, CVE-2010-3598, CVE-2010-3599], Oracle GoldenGate Veridata [CVE-2010-4416], Oracle HTTP Server [CVE-2010-4455], Oracle JRockit [CVE-2010-3574], Oracle Outside In Technology [CVE-2010-3597], Oracle WebLogic Server [CVE-2010-3510, CVE-2010-4437, CVE-2010-4453], and Services for Beehive [CVE-2010-4417] components are affected.
The following researchers reported these and other Oracle vulnerabilities:
Alexander Kornbrust of Red Database Security; Alexandr Polyakov of Digital Security; Alexey Sintsov of Digital Security Research Group; Andrea Micalizzi aka rgod, working with TippingPoint's Zero Day Initiative; Andrey Labunets of Digital Security Research Group; Cris Neckar of Neohapsis, Inc.; Daniel Fahlgren; Esteban Martinez Fayo of Application Security, Inc.; Evdokimov Dmitriy of Digital Security Research Group; Karan Saberwal; Laszlo Toth; Maksymilian Arciemowicz of SecurityReason; Martin Rakhmanov of Application Security, Inc.; Matt Parcell of Accuvant; Monarch2020 of unsecurityresearch.com; Robert Clugston of Accuvant; Roberto Suggi Liverani of Security-Assessment.com; Rodrigo Rubira Branco (BSDaemon) via TippingPoint's Zero Day Initiative; and Sumit Siddharth from 7safe.
|
Impact:
A remote user can execute arbitrary code on the target system.
A remote user can cause denial of service conditions.
A local user can cause partial denial of service conditions on the target system.
A remote user can access and modify data on the target system.
|
Solution:
The vendor has issued a fix, described in their January 2011 Critical Patch Update advisory.
The Oracle advisory is available at:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
|
Vendor URL: www.oracle.com/technetwork/topics/security/cpujan2011-194091.html (Links to External Site)
|
Cause:
Not specified
|
Underlying OS: Linux (Any), UNIX (Any), Windows (Any)
|
|
Message History:
None.
|
Source Message Contents
|
|
[Original Message Not Available for Viewing]
|
|
Go to the Top of This SecurityTracker Archive Page
|