The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Netscape Web Proxy Server

computer vulnerability bulletin CVE-2016-3473 CVE-2016-3505 CVE-2016-3551

Oracle Fusion Middleware: vulnerabilities of October 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Fusion Middleware.
Impacted products: Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, WebLogic, Oracle Web Tier.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 17.
Creation date: 19/10/2016.
Identifiers: cpuoct2016, CVE-2016-3473, CVE-2016-3505, CVE-2016-3551, CVE-2016-5488, CVE-2016-5495, CVE-2016-5500, CVE-2016-5506, CVE-2016-5511, CVE-2016-5519, CVE-2016-5531, CVE-2016-5535, CVE-2016-5536, CVE-2016-5537, CVE-2016-5601, CVE-2016-5602, CVE-2016-5618, CVE-2016-8281, VIGILANCE-VUL-20908, ZDI-16-572.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

An attacker can use a vulnerability via JAXWS Web Services Stack, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-3551]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-5535, ZDI-16-572]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-5531]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5519]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3505]

An attacker can use a vulnerability via BI Publisher (formerly XML Publisher), in order to obtain information. [severity:3/4; CVE-2016-3473]

An attacker can use a vulnerability via Oracle Platform Security for Java, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-8281]

An attacker can use a vulnerability via Oracle Platform Security for Java, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-5536]

An attacker can use a vulnerability via Oracle Platform Security for Java, in order to obtain information. [severity:3/4; CVE-2016-5495]

An attacker can use a vulnerability via Oracle Discoverer, in order to obtain information. [severity:3/4; CVE-2016-5500]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain or alter information. [severity:2/4; CVE-2016-5601]

An attacker can use a vulnerability via NetBeans, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-5537]

An attacker can use a vulnerability via Oracle Data Integrator, in order to obtain information. [severity:2/4; CVE-2016-5602]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2016-5488]

An attacker can use a vulnerability via Oracle WebCenter Sites, in order to alter information. [severity:2/4; CVE-2016-5511]

An attacker can use a vulnerability via Oracle Data Integrator, in order to obtain information. [severity:1/4; CVE-2016-5618]

An attacker can use a vulnerability via Oracle Identity Manager, in order to obtain or alter information. [severity:1/4; CVE-2016-5506]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2016-2105 CVE-2016-2106 CVE-2016-2107

OpenSSL: six vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: SDS, SES, SNS, Tomcat, Mac OS X, StormShield, Blue Coat CAS, ProxyAV, ProxySG par Blue Coat, Cisco ASR, Cisco Aironet, Cisco ATA, Cisco AnyConnect Secure Mobility Client, Cisco ACE, ASA, Cisco Catalyst, Cisco Content SMA, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, Cisco IPS, IronPort Email, IronPort Encryption, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Cisco Router, Secure ACS, Cisco CUCM, Cisco IP Phone, Cisco MeetingPlace, Cisco Wireless IP Phone, Cisco WSA, Cisco Wireless Controller, XenServer, Debian, PowerPath, Black Diamond, ExtremeXOS, Summit, BIG-IP Hardware, TMOS, Fedora, FileZilla Server, FortiAnalyzer, FortiAnalyzer Virtual Appliance, FortiOS, FreeBSD, Android OS, HP Operations, HP Switch, AIX, IRAD, QRadar SIEM, IBM System x Server, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere MQ, Juniper J-Series, Junos OS, Junos Space, NSM Central Manager, NSMXpress, MariaDB ~ precise, McAfee NSM, Meinberg NTP Server, MySQL Community, MySQL Enterprise, Data ONTAP 7-Mode, NETASQ, NetScreen Firewall, ScreenOS, Nodejs Core, OpenBSD, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Solaris, Tuxedo, VirtualBox, WebLogic, Oracle Web Tier, Palo Alto Firewall PA***, PAN-OS, Percona Server, pfSense, Pulse Connect Secure, Puppet, Python, RHEL, JBoss EAP by Red Hat, SAS Management Console, Shibboleth SP, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Synology DS***, Synology RS***, Nessus, Ubuntu, VxWorks, X2GoClient.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 03/05/2016.
Identifiers: 1982949, 1985850, 1987779, 1993215, 1995099, 1998797, 2003480, 2003620, 2003673, 510853, 9010083, bulletinapr2016, bulletinapr2017, CERTFR-2016-AVI-151, CERTFR-2016-AVI-153, CERTFR-2018-AVI-160, cisco-sa-20160504-openssl, cpuapr2017, cpujan2018, cpujul2016, cpujul2017, cpujul2018, cpuoct2016, cpuoct2017, cpuoct2018, CTX212736, CTX233832, CVE-2016-2105, CVE-2016-2106, CVE-2016-2107, CVE-2016-2108, CVE-2016-2109, CVE-2016-2176, DLA-456-1, DSA-3566-1, ESA-2017-142, FEDORA-2016-05c567df1a, FEDORA-2016-1e39d934ed, FEDORA-2016-e1234b65a2, FG-IR-16-026, FreeBSD-SA-16:17.openssl, HPESBGN03728, HPESBHF03756, HT206903, JSA10759, K23230229, K36488941, K51920288, K75152412, K93600123, MBGSA-1603, MIGR-5099595, MIGR-5099597, NTAP-20160504-0001, openSUSE-SU-2016:1237-1, openSUSE-SU-2016:1238-1, openSUSE-SU-2016:1239-1, openSUSE-SU-2016:1240-1, openSUSE-SU-2016:1241-1, openSUSE-SU-2016:1242-1, openSUSE-SU-2016:1243-1, openSUSE-SU-2016:1273-1, openSUSE-SU-2016:1566-1, openSUSE-SU-2017:0487-1, PAN-SA-2016-0020, PAN-SA-2016-0028, RHSA-2016:0722-01, RHSA-2016:0996-01, RHSA-2016:1137-01, RHSA-2016:1648-01, RHSA-2016:1649-01, RHSA-2016:1650-01, RHSA-2016:2054-01, RHSA-2016:2055-01, RHSA-2016:2056-01, RHSA-2016:2073-01, SA123, SA40202, SB10160, SOL23230229, SOL36488941, SOL51920288, SOL75152412, SP-CAAAPPQ, SPL-119440, SPL-121159, SPL-123095, SSA:2016-124-01, STORM-2016-002, SUSE-SU-2016:1206-1, SUSE-SU-2016:1228-1, SUSE-SU-2016:1231-1, SUSE-SU-2016:1233-1, SUSE-SU-2016:1267-1, SUSE-SU-2016:1290-1, SUSE-SU-2016:1360-1, SUSE-SU-2018:0112-1, TNS-2016-10, USN-2959-1, VIGILANCE-VUL-19512, VN-2016-006, VN-2016-007.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. This vulnerability was initially fixed in versions 1.0.1o and 1.0.2c, but it was not disclosed at that time. [severity:3/4; CVE-2016-2108]

An attacker can act as a Man-in-the-Middle and use the AES CBC algorithm with a server supporting AES-NI, in order to read or write data in the session. [severity:3/4; CVE-2016-2107]

An attacker can generate a buffer overflow in EVP_EncodeUpdate(), which is mainly used by command line applications, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2105]

An attacker can generate a buffer overflow in EVP_EncryptUpdate(), which is difficult to reach, in order to trigger a denial of service, and possibly to run code. [severity:2/4; CVE-2016-2106]

An attacker can trigger an excessive memory usage in d2i_CMS_bio(), in order to trigger a denial of service. [severity:2/4; CVE-2016-2109]

An attacker can force a read at an invalid address in applications using X509_NAME_oneline(), in order to trigger a denial of service, or to obtain sensitive information. [severity:2/4; CVE-2016-2176]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2014-3576 CVE-2015-3195 CVE-2015-3197

Oracle Fusion Middleware: multiple vulnerabilities of April 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Fusion Middleware.
Impacted products: Oracle Fusion Middleware, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, WebLogic, Oracle Web Tier.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 16.
Creation date: 20/04/2016.
Identifiers: cpuapr2016, CVE-2014-3576, CVE-2015-3195, CVE-2015-3197, CVE-2015-3253, CVE-2015-7182, CVE-2015-7547, CVE-2016-0468, CVE-2016-0479, CVE-2016-0638, CVE-2016-0671, CVE-2016-0675, CVE-2016-0688, CVE-2016-0696, CVE-2016-0700, CVE-2016-3416, CVE-2016-3455, TALOS-2016-0086, VIGILANCE-VUL-19415.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

An attacker can use a vulnerability of Oracle GlassFish Server, Oracle OpenSSO, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server or Oracle Traffic Director, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-18237). [severity:4/4; CVE-2015-7182]

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-17973). [severity:4/4; CVE-2015-3253]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:4/4; CVE-2016-0638]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3455, TALOS-2016-0086]

An attacker can use a vulnerability of Oracle Exalogic Infrastructure, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-18956). [severity:3/4; CVE-2015-7547]

An attacker can use a vulnerability of Oracle BI Publisher, in order to trigger a denial of service (VIGILANCE-VUL-17610). [severity:3/4; CVE-2014-3576]

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to obtain or alter information. [severity:3/4; CVE-2016-0479]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain or alter information. [severity:3/4; CVE-2016-0675]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain or alter information. [severity:3/4; CVE-2016-0700]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain or alter information. [severity:3/4; CVE-2016-3416]

An attacker can use a vulnerability of Oracle Exalogic Infrastructure or Oracle Tuxedo, in order to obtain information (VIGILANCE-VUL-18837). [severity:2/4; CVE-2015-3197]

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to obtain or alter information. [severity:2/4; CVE-2016-0468]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain or alter information. [severity:2/4; CVE-2016-0696]

An attacker can use a vulnerability of Oracle API Gateway or Oracle Exalogic Infrastructure, in order to trigger a denial of service (VIGILANCE-VUL-18436). [severity:2/4; CVE-2015-3195]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:1/4; CVE-2016-0671]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:1/4; CVE-2016-0688]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2016-1950 CVE-2016-1979

Mozilla NSS: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Mozilla NSS.
Impacted products: Blue Coat CAS, Debian, BIG-IP Hardware, TMOS, Firefox, NSS, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 4/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 09/03/2016.
Identifiers: cpujul2017, cpuoct2016, cpuoct2017, CVE-2016-1950, CVE-2016-1979, DLA-480-1, DSA-3688-1, K20145801, K91100352, MFSA-2016-35, MFSA-2016-36, openSUSE-SU-2016:0731-1, openSUSE-SU-2016:0733-1, RHSA-2016:0370-01, RHSA-2016:0371-01, RHSA-2016:0495-01, RHSA-2016:0591-01, RHSA-2016:0684-01, RHSA-2016:0685-01, SA119, SOL20145801, SOL91100352, SSA:2016-069-02, SUSE-SU-2016:0727-1, SUSE-SU-2016:0777-1, SUSE-SU-2016:0820-1, SUSE-SU-2016:0909-1, SUSE-SU-2017:1175-1, SUSE-SU-2017:1248-1, USN-2924-1, VIGILANCE-VUL-19134.

Description of the vulnerability

Several vulnerabilities were announced in Mozilla NSS.

An attacker can generate a buffer overflow in ASN1 Certificate Parsing, in order to trigger a denial of service, and possibly to run code. [severity:4/4; CVE-2016-1950, MFSA-2016-35]

An attacker can force the usage of a freed memory area in PK11_ImportDERPrivateKeyInfoAndReturnKey(), in order to trigger a denial of service, and possibly to run code. [severity:3/4; CVE-2016-1979, MFSA-2016-36]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2015-4852 CVE-2015-6420 CVE-2015-6934

Apache Commons Collections: code execution via InvokerTransformer

Synthesis of the vulnerability

An attacker can send a malicious serialized Gadget Chain object to a Java application using Apache Commons Collections, in order to run shell code.
Impacted products: CAS Server, Blue Coat CAS, SGOS by Blue Coat, Brocade Network Advisor, Brocade vTM, ASA, AsyncOS, Cisco ESA, Cisco Prime Access Registrar, Prime Infrastructure, Cisco Prime LMS, Cisco PRSM, Secure ACS, Cisco CUCM, Cisco Unified CCX, Cisco MeetingPlace, Cisco Unity ~ precise, Debian, BIG-IP Hardware, TMOS, HPE BSM, HPE NNMi, HP Operations, DB2 UDB, Domino, Notes, IRAD, QRadar SIEM, SPSS Modeler, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, JBoss AS OpenSource, Junos Space, ePO, Mule ESB, Snap Creator Framework, SnapManager, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Solaris, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, JBoss EAP by Red Hat, SAS Add-in for Microsoft Office, SAS Analytics Pro, Base SAS Software, SAS Enterprise BI Server, SAS Enterprise Guide, SAS Management Console, SAS OLAP Server, SAS SAS/ACCESS, SAS SAS/AF, SAS SAS/CONNECT, SAS SAS/EIS, SAS SAS/ETS, SAS SAS/FSP, SAS SAS/GRAPH, SAS SAS/IML, SAS SAS/OR, SAS SAS/STAT, SAS SAS/Web Report Studio, Unix (platform) ~ not comprehensive, vCenter Server.
Severity: 3/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 12.
Creation date: 12/11/2015.
Identifiers: 1610582, 1970575, 1971370, 1971531, 1971533, 1971751, 1972261, 1972373, 1972565, 1972794, 1972839, 2011281, 7014463, 7022958, 9010052, BSA-2016-004, bulletinjul2016, c04953244, c05050545, c05206507, c05325823, c05327447, CERTFR-2015-AVI-484, CERTFR-2015-AVI-555, cisco-sa-20151209-java-deserialization, COLLECTIONS-580, cpuapr2017, cpuapr2018, cpujan2017, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, cpuoct2018, CVE-2015-4852, CVE-2015-6420, CVE-2015-6934, CVE-2015-7420-ERROR, CVE-2015-7450, CVE-2015-7501, CVE-2015-8545, CVE-2015-8765, CVE-2016-1985, CVE-2016-1997, CVE-2016-4373, CVE-2016-4398, DSA-3403-1, HPSBGN03542, HPSBGN03560, HPSBGN03630, HPSBGN03656, HPSBGN03670, JSA10838, NTAP-20151123-0001, RHSA-2015:2500-01, RHSA-2015:2501-01, RHSA-2015:2502-01, RHSA-2015:2516-01, RHSA-2015:2517-01, RHSA-2015:2521-01, RHSA-2015:2522-01, RHSA-2015:2523-01, RHSA-2015:2524-01, RHSA-2015:2534-01, RHSA-2015:2535-01, RHSA-2015:2536-01, RHSA-2015:2537-01, RHSA-2015:2538-01, RHSA-2015:2539-01, RHSA-2015:2540-01, RHSA-2015:2541-01, RHSA-2015:2542-01, RHSA-2015:2547-01, RHSA-2015:2548-01, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2559-01, RHSA-2015:2560-01, RHSA-2015:2578-01, RHSA-2015:2579-01, RHSA-2015:2670-01, RHSA-2015:2671-01, RHSA-2016:0040-01, RHSA-2016:0118-01, SA110, SB10144, SOL30518307, VIGILANCE-VUL-18294, VMSA-2015-0009, VMSA-2015-0009.1, VMSA-2015-0009.2, VMSA-2015-0009.3, VMSA-2015-0009.4, VU#576313.

Description of the vulnerability

The Apache Commons Collections library is used by several Java applications.

A Java Gadgets ("gadget chains") object can contain Transformers, with an "exec" string containing a shell command which is run with the Java.lang.Runtime.exec() method. When raw data are unserialized, the readObject() method is thus called to rebuild the Gadgets object, and it uses InvokerTransformer, which runs the indicated shell command.

It can be noted that other classes (CloneTransformer, ForClosure, InstantiateFactory, InstantiateTransformer, PrototypeCloneFactory, PrototypeSerializationFactory, WhileClosure) also execute a shell command from raw data to deserialize.

However, several applications publicly expose (before authentication) the Java unserialization feature.

An attacker can therefore send a malicious serialized Gadget Chain object to a Java application using Apache Commons Collections, in order to run shell code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2015-3253

Apache Groovy: code execution via MethodClosure

Synthesis of the vulnerability

An attacker can use a vulnerability in MethodClosure of Apache Groovy, in order to run code.
Impacted products: Blue Coat CAS, SGOS by Blue Coat, Fedora, SiteScope, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, WebLogic, Oracle Web Tier, RHEL.
Severity: 2/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 24/09/2015.
Identifiers: c05324755, cpuapr2019, cpujan2018, cpujul2017, cpuoct2016, cpuoct2017, CVE-2015-3253, FEDORA-2015-15907, FEDORA-2017-6a0389a6a7, FEDORA-2017-9899aba20e, HPSBGN03669, RHSA-2015:2556-01, RHSA-2015:2557-01, RHSA-2015:2558-01, RHSA-2016:0066-01, RHSA-2016:0118-01, RHSA-2017:2596-01, SA110, VIGILANCE-VUL-17973.

Description of the vulnerability

An attacker can use a vulnerability in MethodClosure of Apache Groovy, in order to run code.
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2013-2186 CVE-2014-1568 CVE-2014-1569

Oracle Fusion: several vulnerabilities of July 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in July 2015.
Impacted products: WebSphere AS Traditional, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Tuxedo, WebLogic, Oracle Web Tier.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 39.
Creation date: 15/07/2015.
Identifiers: 1962107, cpujul2015, CVE-2013-2186, CVE-2014-1568, CVE-2014-1569, CVE-2014-3566, CVE-2014-3567, CVE-2014-3571, CVE-2014-7809, CVE-2015-0286, CVE-2015-0443, CVE-2015-0444, CVE-2015-0445, CVE-2015-0446, CVE-2015-1926, CVE-2015-2593, CVE-2015-2598, CVE-2015-2602, CVE-2015-2603, CVE-2015-2604, CVE-2015-2605, CVE-2015-2606, CVE-2015-2623, CVE-2015-2634, CVE-2015-2635, CVE-2015-2636, CVE-2015-2658, CVE-2015-4742, CVE-2015-4744, CVE-2015-4745, CVE-2015-4747, CVE-2015-4751, CVE-2015-4758, CVE-2015-4759, VIGILANCE-VUL-17373.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-2186]

An attacker can use a vulnerability of Oracle Directory Server Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4745]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2603]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2602]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2604]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2605]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2606]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1569]

An attacker can use a vulnerability of Oracle OpenSSO, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle Traffic Director, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle iPlanet Web Proxy Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1569]

An attacker can use a vulnerability of Oracle iPlanet Web Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1569]

An attacker can use a vulnerability of Oracle Access Manager, in order to obtain or alter information. [severity:3/4; CVE-2015-2593]

An attacker can use a vulnerability of Oracle Tuxedo, in order to trigger a denial of service. [severity:3/4; CVE-2014-3567]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0443]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0444]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0445]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0446]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4759]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4758]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2634]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2635]

An attacker can use a vulnerability of Oracle Data Integrator, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-2636]

An attacker can use a vulnerability of Oracle Event Processing, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-4747]

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-7809]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain or alter information. [severity:2/4; CVE-2015-1926]

An attacker can use a vulnerability of Oracle Access Manager, in order to trigger a denial of service. [severity:2/4; CVE-2015-4751]

An attacker can use a vulnerability of Oracle Exalogic Infrastructure, in order to trigger a denial of service. [severity:2/4; CVE-2015-0286]

An attacker can use a vulnerability of Oracle JDeveloper, in order to trigger a denial of service. [severity:2/4; CVE-2015-4742]

An attacker can use a vulnerability of Oracle Tuxedo, in order to trigger a denial of service. [severity:2/4; CVE-2014-3571]

An attacker can use a vulnerability of Oracle Tuxedo, in order to trigger a denial of service. [severity:2/4; CVE-2015-0286]

An attacker can use a vulnerability of Web Cache, in order to obtain information. [severity:2/4; CVE-2015-2658]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:2/4; CVE-2015-2623]

An attacker can use a vulnerability of Oracle Tuxedo, in order to obtain information. [severity:2/4; CVE-2014-3566]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2015-2623]

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to alter information. [severity:2/4; CVE-2015-2598]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:1/4; CVE-2015-4744]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:1/4; CVE-2015-4744]
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2013-4286 CVE-2013-4545 CVE-2014-0050

Oracle Fusion: several vulnerabilities of April 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in April 2015.
Impacted products: Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, WebLogic, Oracle Web Tier.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 13.
Creation date: 15/04/2015.
Identifiers: cpuapr2015, CVE-2013-4286, CVE-2013-4545, CVE-2014-0050, CVE-2014-0112, CVE-2014-1568, CVE-2014-3571, CVE-2015-0235, CVE-2015-0449, CVE-2015-0450, CVE-2015-0451, CVE-2015-0456, CVE-2015-0461, CVE-2015-0482, VIGILANCE-VUL-16610.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle Exalogic Infrastructure, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0235]

An attacker can use a vulnerability of Oracle GlassFish Server, Oracle iPlanet Web Proxy Server or Oracle iPlanet Web Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-1568]

An attacker can use a vulnerability of Oracle Access Manager, in order to obtain or alter information. [severity:3/4; CVE-2015-0461]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0482]

An attacker can use a vulnerability of Oracle GoldenGate Monitor, in order to obtain or alter information. [severity:2/4; CVE-2013-4286]

An attacker can use a vulnerability of Oracle Exalogic Infrastructure, in order to trigger a denial of service. [severity:2/4; CVE-2014-3571]

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to alter information. [severity:2/4; CVE-2014-0112]

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to trigger a denial of service. [severity:2/4; CVE-2014-0050]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2015-0449]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:2/4; CVE-2013-4545]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to alter information. [severity:2/4; CVE-2015-0456]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to alter information. [severity:2/4; CVE-2015-0450]

An attacker can use a vulnerability of Oracle OpenSSO, in order to obtain information. [severity:2/4; CVE-2015-0451]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2013-1620 CVE-2013-1739 CVE-2013-1740

Oracle Fusion: several vulnerabilities of July 2014

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in July 2014.
Impacted products: Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, WebLogic, Oracle Web Tier.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 26.
Creation date: 16/07/2014.
Identifiers: CERTFR-2014-AVI-313, cpujul2014, CVE-2013-1620, CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2013-5855, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-2479, CVE-2014-2480, CVE-2014-2481, CVE-2014-2493, CVE-2014-4201, CVE-2014-4202, CVE-2014-4210, CVE-2014-4211, CVE-2014-4212, CVE-2014-4217, CVE-2014-4222, CVE-2014-4241, CVE-2014-4242, CVE-2014-4249, CVE-2014-4251, CVE-2014-4253, CVE-2014-4254, CVE-2014-4255, CVE-2014-4256, CVE-2014-4257, CVE-2014-4267, VIGILANCE-VUL-15052.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

Several vulnerabilities impact NSS (VIGILANCE-VUL-13598, VIGILANCE-VUL-13789, VIGILANCE-VUL-14099, VIGILANCE-VUL-14456) in Oracle GlassFish Server, Oracle iPlanet Web Proxy Server and Oracle iPlanet Web Server. [severity:3/4; CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain information. [severity:3/4; CVE-2014-4257]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2481]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2480]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4255]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4254]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2479]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4267]

An attacker can use a vulnerability of Oracle JDeveloper, in order to obtain information, or to trigger a denial of service. [severity:3/4; CVE-2014-2493]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain or alter information. [severity:3/4; CVE-2014-4256]

An attacker can use a vulnerability of BI Publisher, in order to obtain information. [severity:2/4; CVE-2014-4249]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to alter information. [severity:2/4; CVE-2014-4211]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-4201]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-4202]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information. [severity:2/4; CVE-2014-4210]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-4253]

An attacker can use a vulnerability of GlassFish Communications Server, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle Fusion Middleware, in order to obtain information. [severity:2/4; CVE-2014-4212]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:2/4; CVE-2013-5855]

An attacker can use a vulnerability of Oracle JDeveloper, in order to alter information. [severity:2/4; CVE-2013-5855]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-4242]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-4217]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-4241]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2013-5855]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2014-4251]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:1/4; CVE-2014-4222]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2007-0009 CVE-2007-1858 CVE-2012-3499

Oracle Fusion: several vulnerabilities of January 2014

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in January 2014.
Impacted products: Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle Portal, Oracle Web Tier, Sun AS.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 19.
Creation date: 15/01/2014.
Identifiers: BID-64815, BID-64819, BID-64822, BID-64827, BID-64829, BID-64830, BID-64835, BID-64838, BID-64842, CERTA-2014-AVI-022, cpujan2014, CVE-2007-0009, CVE-2007-1858, CVE-2012-3499, CVE-2012-3544, CVE-2012-4605, CVE-2013-1620, CVE-2013-1654, CVE-2013-1862, CVE-2013-4316, CVE-2013-5785, CVE-2013-5808, CVE-2013-5869, CVE-2013-5900, CVE-2013-5901, CVE-2014-0374, CVE-2014-0383, CVE-2014-0391, CVE-2014-0400, VIGILANCE-VUL-14089.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-4316]

An attacker can use a vulnerability of Oracle Reports Developer, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64819, CVE-2013-5785]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2007-0009]

An attacker can use a vulnerability of Oracle Internet Directory, in order to obtain information. [severity:3/4; BID-64822, CVE-2014-0400]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2013-1862]

An attacker can use a vulnerability of Oracle Enterprise Data Quality, in order to trigger a denial of service. [severity:2/4; CVE-2012-3544]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2013-1654]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2012-4605]

An attacker can use a vulnerability of Oracle Identity Manager, in order to obtain information. [severity:2/4; BID-64829, CVE-2014-0391]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain information. [severity:2/4; BID-64835, CVE-2013-5869]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2012-3499]

An attacker can use a vulnerability of Oracle Identity Manager, in order to alter information. [severity:2/4; BID-64838, CVE-2013-5900]

An attacker can use a vulnerability of Oracle Identity Manager, in order to obtain information. [severity:2/4; BID-64815, CVE-2013-5901]

An attacker can use a vulnerability of Oracle Portal, in order to alter information. [severity:2/4; BID-64830, CVE-2014-0374]

An attacker can use a vulnerability of Oracle Traffic Director, Oracle iPlanet Web Server and Oracle iPlanet Web Proxy Server, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle Identity Manager, in order to obtain information. [severity:2/4; BID-64842, CVE-2014-0383]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:1/4; CVE-2007-1858]

An attacker can use a vulnerability of Oracle iPlanet Web Proxy Server, in order to obtain information. [severity:1/4; BID-64827, CVE-2013-5808]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Netscape Web Proxy Server: