The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle Application Server

vulnerability bulletin CVE-2011-3389 CVE-2013-0169 CVE-2013-2172

Oracle Fusion Middleware: several vulnerabilities of October 2013

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are fixed by the CPU of October 2013.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 15.
Creation date: 16/10/2013.
Identifiers: BID-63041, BID-63043, BID-63049, BID-63052, BID-63054, BID-63058, BID-63066, BID-63069, BID-63074, CERTA-2013-AVI-575, cpuoct2013, CVE-2011-3389, CVE-2013-0169, CVE-2013-2172, CVE-2013-3827, CVE-2013-3828, CVE-2013-3831, CVE-2013-3833, CVE-2013-3836, CVE-2013-5773, CVE-2013-5798, CVE-2013-5813, CVE-2013-5815, CVE-2013-5816, RHSA-2013:1437-01, RHSA-2014:1369-01, VIGILANCE-VUL-13603, ZDI-13-249.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63041, CVE-2013-5815]

An attacker can use a SQL injection in PORTAL_DEMO.ORG_CHART, in order to read or alter data. [severity:2/4; BID-63043, CVE-2013-3831]

An attacker can use a vulnerability of Content Server, in order to obtain or alter information. [severity:2/4; BID-63049, CVE-2013-5813]

An attacker can use a vulnerability of Java Server Faces, in order to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can use a vulnerability of Metro, in order to trigger a denial of service. [severity:2/4; BID-63054, CVE-2013-5816]

An attacker can use a vulnerability of Web Container, in order to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can traverse directories in Test Page BPEL Process Manager, in order to read a file outside the root path. [severity:2/4; BID-63058, CVE-2013-3828, ZDI-13-249]

An attacker can use a vulnerability of Web Container, in order to obtain information. [severity:2/4; BID-63052, CVE-2013-3827]

An attacker can use a vulnerability of Authentication Engine, in order to alter information. [severity:2/4; CVE-2013-3833]

An attacker can use a vulnerability of Servlet Runtime, in order to alter information. [severity:2/4; BID-63066, CVE-2013-5773]

An attacker can use a vulnerability of Metro, in order to alter information. [severity:2/4; CVE-2013-2172]

An attacker can use a vulnerability of End User Self Service, in order to alter information. [severity:2/4; BID-63069, CVE-2013-5798]

An attacker can use a vulnerability of SSL/TLS, in order to obtain information (VIGILANCE-VUL-11014). [severity:2/4; CVE-2011-3389]

An attacker can use a vulnerability of ESI/Partial Page Caching, in order to obtain information. [severity:2/4; BID-63074, CVE-2013-3836]

An attacker can use a vulnerability of SSL/TLS, in order to obtain information (VIGILANCE-VUL-12374). [severity:1/4; CVE-2013-0169]

computer weakness CVE-2005-3352 CVE-2006-5752 CVE-2007-3847

Oracle Fusion Middleware: several vulnerabilities of July 2013

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are fixed by the CPU of July 2013.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 19.
Creation date: 17/07/2013.
Identifiers: BID-61224, CERTA-2013-AVI-425, cpujuly2013, CVE-2005-3352, CVE-2006-5752, CVE-2007-3847, CVE-2007-5000, CVE-2007-6388, CVE-2008-2364, CVE-2010-0425, CVE-2010-0434, CVE-2010-2068, CVE-2011-0419, CVE-2011-3348, CVE-2012-2687, CVE-2013-2461, CVE-2013-3755, CVE-2013-3763, CVE-2013-3764, CVE-2013-3769, CVE-2013-3770, CVE-2013-3772, VIGILANCE-VUL-13129.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Oracle JRockit, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2013-2461]

An attacker can use a vulnerability of Oracle Endeca Server, in order to obtain or alter information. [severity:2/4; CVE-2013-3763]

An attacker can use a vulnerability of Oracle Endeca Server, in order to obtain or alter information. [severity:2/4; BID-61224, CVE-2013-3764]

An attacker can use a vulnerability of WebCenter, in order to obtain or alter information. [severity:2/4; CVE-2013-3770]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2010-2068]

An attacker can use a vulnerability of Oracle HTTP Server, in order to create a denial of service. [severity:2/4; CVE-2007-3847]

An attacker can use a vulnerability of Oracle HTTP Server, in order to create a denial of service. [severity:2/4; CVE-2008-2364]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2010-0425]

An attacker can use a vulnerability of Oracle Access Manager, in order to alter information. [severity:2/4; CVE-2013-3755]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2006-5752]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2007-6388]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2007-5000]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2012-2687]

An attacker can use a vulnerability of Oracle HTTP Server, in order to create a denial of service. [severity:2/4; CVE-2011-3348]

An attacker can use a vulnerability of Oracle HTTP Server, in order to create a denial of service. [severity:2/4; CVE-2011-0419]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2005-3352]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2010-0434]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to alter information. [severity:2/4; CVE-2013-3769]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to alter information. [severity:2/4; CVE-2013-3772]

computer threat announce CVE-2007-1862 CVE-2009-0023 CVE-2009-1191

Oracle Fusion Middleware: several vulnerabilities of April 2013

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are fixed by the CPU of April 2013.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 28.
Creation date: 17/04/2013.
Identifiers: BID-24553, BID-34663, BID-35221, BID-35251, BID-35253, BID-35565, BID-36596, BID-38491, BID-38494, BID-40827, BID-42102, BID-52107, BID-54156, BID-59086, BID-59087, BID-59091, BID-59095, BID-59097, BID-59099, BID-59101, BID-59102, BID-59105, BID-59107, BID-59110, BID-59112, BID-59115, BID-59122, BID-59132, BID-59140, CERTA-2013-AVI-247, cpuapr2013, CVE-2007-1862, CVE-2009-0023, CVE-2009-1191, CVE-2009-1890, CVE-2009-1955, CVE-2009-1956, CVE-2009-2699, CVE-2010-0408, CVE-2010-2068, CVE-2010-2791, CVE-2012-0841, CVE-2012-2751, CVE-2012-4303, CVE-2013-1497, CVE-2013-1503, CVE-2013-1504, CVE-2013-1509, CVE-2013-1514, CVE-2013-1516, CVE-2013-1522, CVE-2013-1529, CVE-2013-1542, CVE-2013-1545, CVE-2013-1553, CVE-2013-1559, CVE-2013-1565, CVE-2013-2380, CVE-2013-2390, VIGILANCE-VUL-12680, ZDI-13-091, ZDI-13-094.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Oracle JRockit, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-59086, CVE-2013-2380]

An attacker can construct complex XML data in order to generate a denial of service in applications linked to APR-util (VIGILANCE-VUL-8761). [severity:3/4; BID-35253, CVE-2009-1955]

An attacker can use a malicious query in order to generate a denial of service of mod_proxy in reverse proxy mode (VIGILANCE-VUL-8837). [severity:3/4; BID-35565, CVE-2009-1890]

An attacker can generate an off by one overflow in the apr_brigade_vprintf() function of Apache APR-util (VIGILANCE-VUL-8768). [severity:3/4; BID-35251, CVE-2009-1956]

An attacker can use a vulnerability of Oracle Web Services Manager, in order to obtain or alter information. [severity:3/4; BID-59099, CVE-2013-1553]

An attacker can use a vulnerability of Oracle GoldenGate Veridata, in order to create a denial of service. [severity:2/4; BID-59101, CVE-2013-1565]

An attacker can send data generating storage collisions, in order to overload a service (VIGILANCE-VUL-11384). [severity:2/4; BID-52107, CVE-2012-0841]

An attacker can obtain memory fragments when mod_mem_cache is used (VIGILANCE-VUL-6928). [severity:2/4; BID-24553, CVE-2007-1862]

In some cases, the mod_proxy_ajp module can send to the client data belonging to another user (VIGILANCE-VUL-8669). [severity:2/4; BID-34663, CVE-2009-1191]

An attacker can open several sessions when Apache httpd is installed under Solaris, in order to stop it (VIGILANCE-VUL-9074). [severity:2/4; BID-36596, CVE-2009-2699]

An attacker can use a vulnerability of Oracle HTTP Server, in order to create a denial of service. [severity:2/4; BID-59105, CVE-2013-1545]

An attacker can generate a denial of service in mod_proxy_ajp and mod_isapi modules of Apache httpd (VIGILANCE-VUL-9487). [severity:2/4; BID-38491, BID-38494, CVE-2010-0408]

When mod_proxy is installed on Unix, an attacker can obtain documents belonging to the session of another user (VIGILANCE-VUL-9801). [severity:2/4; BID-42102, CVE-2010-2791]

When mod_proxy_http is used on Netware, OS2 or Windows, an attacker can obtain documents belonging to the session of another user (VIGILANCE-VUL-9705). [severity:2/4; BID-40827, CVE-2010-2068]

An attacker can use a vulnerability of Oracle COREid Access, in order to alter information. [severity:2/4; BID-59087, CVE-2013-1497]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to alter information. [severity:2/4; BID-59095, CVE-2013-1542]

An attacker can create a denial of service in applications using apr_strmatch of APR-util (VIGILANCE-VUL-8766). [severity:2/4; BID-35221, CVE-2009-0023]

An attacker can use a special HTTP multipart/form-data query, in order to bypass security rules of ModSecurity (VIGILANCE-VUL-11719). [severity:2/4; BID-54156, CVE-2012-2751]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to alter information. [severity:2/4; BID-59110, CVE-2013-1522]

An attacker can use a vulnerability of Oracle WebCenter Interaction, in order to alter information. [severity:2/4; BID-59091, CVE-2013-1529]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; BID-59115, CVE-2013-1504]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; BID-59097, CVE-2013-2390]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to alter information. [severity:2/4; BID-59102, CVE-2013-1514]

An attacker can use a vulnerability of Oracle WebCenter Capture, in order to create a denial of service. [severity:2/4; BID-59112, CVE-2013-1516, ZDI-13-091]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to create a denial of service. [severity:2/4; BID-59122, CVE-2013-1559, ZDI-13-094]

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to alter information. [severity:2/4; BID-59132, CVE-2013-1509]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to alter information. [severity:2/4; BID-59107, CVE-2013-1503]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to obtain information. [severity:2/4; BID-59140, CVE-2012-4303]

threat note CVE-2011-5035 CVE-2012-0022 CVE-2012-1677

Oracle Fusion Middleware: several vulnerabilities of January 2013

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are fixed by the CPU of January 2013.
Severity: 2/4.
Number of vulnerabilities in this bulletin: 5.
Creation date: 16/01/2013.
Identifiers: BID-57342, BID-57348, CERTA-2013-AVI-041, cpujan2013, CVE-2011-5035, CVE-2012-0022, CVE-2012-1677, CVE-2012-5097, VIGILANCE-VUL-12332.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Management Pack for Oracle GoldenGate, in order to create a denial of service. [severity:2/4; CVE-2012-0022]

An attacker can use a vulnerability of Oracle GoldenGate Veridata, in order to create a denial of service. [severity:2/4; CVE-2012-0022]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to create a denial of service (VIGILANCE-VUL-11254). [severity:2/4; CVE-2011-5035]

An attacker can use a vulnerability of Oracle Access Manager, in order to alter information. [severity:2/4; BID-57348, CVE-2012-5097]

An attacker can use a vulnerability of Oracle Application Server Single Sign-On, in order to alter information. [severity:2/4; BID-57342, CVE-2012-1677]

computer threat note CVE-2011-3368 CVE-2011-3562 CVE-2011-4317

Oracle Fusion Middleware: several vulnerabilities of July 2012

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are corrected by the CPU of July 2012.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 8.
Creation date: 18/07/2012.
Identifiers: BID-54492, BID-54494, BID-54495, BID-54514, BID-54516, BID-54520, CERTA-2012-AVI-393, cpujul2012, CVE-2011-3368, CVE-2011-3562, CVE-2011-4317, CVE-2012-1736, CVE-2012-1741, CVE-2012-1749, CVE-2012-3115, CVE-2012-3135, VIGILANCE-VUL-11776.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Oracle JRockit, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-54494, CVE-2012-3135]

An attacker can use a vulnerability of Enterprise Manager for Fusion Middleware, in order to obtain or alter information. [severity:2/4; BID-54492, CVE-2012-1741]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2011-3368]

An attacker can use a vulnerability of Oracle MapViewer, in order to obtain information. [severity:2/4; BID-54514, CVE-2012-1736]

An attacker can use a vulnerability of Oracle MapViewer, in order to obtain information. [severity:2/4; BID-54516, CVE-2012-1749]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2011-4317]

An attacker can use a vulnerability of Oracle MapViewer, in order to alter information. [severity:2/4; BID-54520, CVE-2012-3115]

An attacker can use a vulnerability of Portal, in order to alter information. [severity:2/4; BID-54495, CVE-2011-3562]

vulnerability announce CVE-2012-0515 CVE-2012-0522 CVE-2012-0532

Oracle Fusion Middleware: several vulnerabilities of April 2012

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are corrected by the CPU of April 2012.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 18/04/2012.
Identifiers: BID-53053, BID-53054, BID-53060, BID-53062, BID-53069, BID-53070, BID-53079, BID-53082, BID-53083, BID-53087, CERTA-2012-AVI-220, cpuapr2012, CVE-2012-0515, CVE-2012-0522, CVE-2012-0532, CVE-2012-0543, CVE-2012-0554, CVE-2012-0555, CVE-2012-0556, CVE-2012-0557, CVE-2012-1695, CVE-2012-1709, CVE-2012-1710, VIGILANCE-VUL-11550, ZDI-12-073, ZDI-12-074, ZDI-12-150, ZDI-12-151, ZDI-12-152, ZDI-12-202.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Oracle JRockit, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; CVE-2012-1695]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53069, CVE-2012-0554]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53070, CVE-2012-0555]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53087, CVE-2012-0556]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53054, CVE-2012-0557]

An attacker can use a vulnerability of Oracle WebCenter Forms Recognition, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53082, CVE-2012-1709, ZDI-12-074]

An attacker can use a vulnerability of Oracle WebCenter Forms Recognition, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-53062, CVE-2012-1710, ZDI-12-073]

An attacker can use a vulnerability of Identity Manager, in order to obtain or alter information. [severity:2/4; BID-53060, CVE-2012-0532]

An attacker can use a vulnerability of BI Publisher (XML Publisher), in order to alter information. [severity:2/4; BID-53083, CVE-2012-0543]

An attacker can use a vulnerability of Oracle JDeveloper, in order to alter information. [severity:2/4; BID-53053, CVE-2012-0522]

An attacker can use a vulnerability of Identity Manager Connector, in order to alter information. [severity:2/4; BID-53079, CVE-2012-0515]

computer vulnerability note CVE-2011-3414 CVE-2011-4461 CVE-2011-4462

Multiple: denial of service via hash collision

Synthesis of the vulnerability

An attacker can send data generating storage collisions, in order to overload a service.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 28/12/2011.
Revision date: 22/02/2012.
Identifiers: 1506603, 2638420, 2659883, BID-51186, BID-51194, BID-51195, BID-51196, BID-51197, BID-51199, BID-51235, BID-51441, CERTA-2011-AVI-727, CERTA-2011-AVI-728, cpujul2018, CVE-2011-3414, CVE-2011-4461, CVE-2011-4462, CVE-2011-4885, CVE-2011-5034, CVE-2011-5035, CVE-2011-5036, CVE-2011-5037, CVE-2012-0039, CVE-2012-0193, CVE-2012-0839, DSA-2783-1, DSA-2783-2, FEDORA-2012-0730, FEDORA-2012-0752, MS11-100, n.runs-SA-2011.004, NTAP-20190307-0004, oCERT-2011-003, openSUSE-SU-2012:0262-1, PM53930, RHSA-2012:1604-01, RHSA-2012:1605-01, RHSA-2012:1606-01, RHSA-2013:1455-01, RHSA-2013:1456-01, sk66350, VIGILANCE-VUL-11254, VU#903934.

Description of the vulnerability

A hash table stores information as keys pointing to values. Each key is converted to an integer, which is the index of the slot where the data is stored. For example:
 - keyA is converted to 34
 - keyB is converted to 13
The data are then stored at indexes 34 and 13.

In most cases, keys produce integers that are spread uniformly over the storage area (which runs, for example, from 0 to 99). However, if an attacker crafts keys that all convert to the same integer (for example 34), every entry is stored at the same location (index 34), and each access then has to walk through all of the entries stored there, so the access time becomes very large.

An HTTP POST form can carry many variables, for example var1=a, var2=b, etc. Web servers store these variables in a hash table. If the attacker chooses the variable names so that they all land at the same index, he can overload the server.

Other features, such as a JSON parser or additional services, can also be used as an attack vector.

The following products are also impacted:
 - Apache APR (VIGILANCE-VUL-11380)
 - Apache Xerces-C++ (VIGILANCE-VUL-15082)
 - Apache Xerces Java (VIGILANCE-VUL-15083)
 - expat (VIGILANCE-VUL-11420)
 - Java Lightweight HTTP Server (VIGILANCE-VUL-11381)
 - Java Language (VIGILANCE-VUL-11715)
 - libxml2 (VIGILANCE-VUL-11384)
 - PHP (VIGILANCE-VUL-11379)
 - Python (VIGILANCE-VUL-11416)
 - Ruby (VIGILANCE-VUL-11382)
 - Tomcat (VIGILANCE-VUL-11383)

An attacker can therefore send data generating storage collisions, in order to overload a service.
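The mechanism described above, as an added example that is not part of the Vigil@nce bulletin: a toy chained hash table in Python that reports its longest bucket chain, used to contrast a predictable (character-sum) hash with a keyed one, followed by the parameter-count cap that several servers adopted as a mitigation. The toy hash function, the table size of 100 (the bulletin's 0..99 storage area), the colliding variable names and the cap value are all constructed for this demonstration; the keyed hash uses BLAKE2b with a per-process random key as a stand-in for the randomised string hashing that Python and Ruby adopted.

```python
"""Added example (not from the Vigil@nce bulletin): a toy chained hash table
that reports its longest bucket chain, used to contrast a predictable hash
with a keyed one, plus the parameter-count cap that servers adopted as a
mitigation. Every input below is constructed for the demonstration."""
import hashlib
import secrets
from urllib.parse import parse_qsl

TABLE_SIZE = 100  # the bulletin's example storage area: indexes 0..99


def predictable_hash(key: str) -> int:
    # Toy hash: sum of character codes modulo the table size. Its output
    # depends only on which characters the key contains, so anagrams collide.
    return sum(ord(c) for c in key) % TABLE_SIZE


def make_keyed_hash(secret: bytes):
    # Keyed hash: the index depends on a per-process random secret, so an
    # outsider cannot predict which keys share a bucket (the idea behind the
    # hash randomisation that Python and Ruby adopted).
    def keyed_hash(key: str) -> int:
        digest = hashlib.blake2b(key.encode(), key=secret, digest_size=8).digest()
        return int.from_bytes(digest, "big") % TABLE_SIZE
    return keyed_hash


def longest_chain(keys, hash_fn) -> int:
    """Insert every key into a chained table and return the longest bucket.
    A lookup in a bucket holding n entries costs n comparisons, so this is
    the per-lookup work a sender of colliding keys can force."""
    buckets = [[] for _ in range(TABLE_SIZE)]
    for k in keys:
        buckets[hash_fn(k)].append(k)
    return max(len(b) for b in buckets)


# Constructed variable names: all anagrams of "abcd", so they have the same
# character sum and collide under predictable_hash.
COLLIDING_NAMES = ["abcd", "abdc", "acbd", "acdb", "adbc", "adcb",
                   "bacd", "badc", "bcad", "bcda", "bdac", "bdca"]


def max_form_parameters_ok(body: str, limit: int) -> bool:
    """The other mitigation: cap the number of form variables one request may
    carry (the approach behind PHP's max_input_vars and Tomcat's
    maxParameterCount). Returns False when the cap is exceeded."""
    return len(parse_qsl(body, keep_blank_values=True)) <= limit


def demo() -> dict:
    """Longest chain for the same 12 names under both hash functions."""
    keyed = make_keyed_hash(secrets.token_bytes(16))
    return {
        "predictable": longest_chain(COLLIDING_NAMES, predictable_hash),
        "keyed": longest_chain(COLLIDING_NAMES, keyed),
    }


if __name__ == "__main__":
    print(demo())  # predictable: 12 (all in one bucket); keyed: a small number
    body = "&".join(f"{name}=x" for name in COLLIDING_NAMES)
    print("within cap of 10:", max_form_parameters_ok(body, 10))
```

Python's own urllib.parse.parse_qsl also accepts a max_num_fields argument for this purpose; the wrapper above only makes the policy explicit. Which mitigation applies depends on what you control: randomised hashing needs a change in the runtime, while a parameter cap can be enforced in the application or at a reverse proxy.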

weakness alert CVE-2011-3531 CVE-2011-3566 CVE-2011-3568

Oracle Fusion Middleware: several vulnerabilities of January 2012

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are corrected by the CPU of January 2012.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 11.
Creation date: 18/01/2012.
Identifiers: BID-50992, BID-51451, BID-51454, BID-51457, BID-51460, BID-51462, BID-51463, BID-51469, BID-51471, CERTA-2012-AVI-119, cpujan2012, CVE-2011-3531, CVE-2011-3566, CVE-2011-3568, CVE-2011-3569, CVE-2011-4516, CVE-2011-4517, CVE-2012-0077, CVE-2012-0083, CVE-2012-0084, CVE-2012-0085, CVE-2012-0110, VIGILANCE-VUL-11295, VU#738961, ZDI-12-017.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Search, in order to obtain or alter information. [severity:3/4; BID-51451, CVE-2012-0083]

An attacker can use a vulnerability of Web Services Security, in order to obtain or alter information. [severity:3/4; BID-51463, CVE-2011-3568]

An attacker can use a vulnerability of Web Services Security, in order to create a denial of service. [severity:2/4; BID-51471, CVE-2011-3531]

An attacker can use a vulnerability of Web Services Security, in order to obtain information. [severity:2/4; BID-51462, CVE-2011-3569]

An attacker can use a vulnerability of Web Container, in order to create a denial of service. [severity:2/4; BID-51469, CVE-2011-3566]

An attacker can use a vulnerability of JPEG 2000 Filter, in order to obtain information, to alter information, or to create a denial of service (VIGILANCE-VUL-11211). [severity:2/4; BID-50992, CVE-2011-4516]

An attacker can use a vulnerability of JPEG 2000 Filter, in order to obtain information, to alter information, or to create a denial of service (VIGILANCE-VUL-11211). [severity:2/4; BID-50992, CVE-2011-4517]

An attacker can send a malformed Lotus 123 file to an application using Oracle Outside In module, in order to execute code (VIGILANCE-VUL-11304). [severity:2/4; CERTA-2012-AVI-119, CVE-2012-0110, VU#738961, ZDI-12-017]

An attacker can use a vulnerability of Content Server, in order to alter information. [severity:2/4; BID-51457, CVE-2012-0085]

An attacker can use a vulnerability of Content Server, in order to alter information. [severity:2/4; BID-51454, CVE-2012-0084]

An attacker can use a vulnerability of WLS-Console, in order to alter information. [severity:2/4; BID-51460, CVE-2012-0077]

computer threat bulletin CVE-2011-2237 CVE-2011-2255 CVE-2011-2314

Oracle Fusion: several vulnerabilities of October 2011

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion are corrected by the CPU of October 2011.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 10.
Creation date: 19/10/2011.
Identifiers: BID-49303, BID-50198, BID-50202, BID-50205, BID-50206, BID-50207, BID-50209, BID-50210, BID-50212, BID-50213, CERTA-2011-AVI-488, CERTA-2011-AVI-490, CERTA-2011-AVI-494, CERTA-2011-AVI-530, CERTA-2011-AVI-560, CERTA-2011-AVI-586, CERTA-2012-AVI-221, cpuoct2011, CVE-2011-2237, CVE-2011-2255, CVE-2011-2314, CVE-2011-2318, CVE-2011-2319, CVE-2011-2320, CVE-2011-3192, CVE-2011-3510, CVE-2011-3523, CVE-2011-3541, VIGILANCE-VUL-11074, VU#405811.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle Fusion.

An attacker can use a vulnerability of Oracle WebLogic Portal, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-50205, CVE-2011-2255]

An attacker can use several parallel queries using Range or Request-Range, in order to progressively use the available memory of the Oracle HTTP Server (VIGILANCE-VUL-10944). [severity:2/4; BID-49303, CERTA-2011-AVI-488, CERTA-2011-AVI-490, CERTA-2011-AVI-494, CERTA-2011-AVI-530, CERTA-2011-AVI-560, CERTA-2012-AVI-221, CVE-2011-3192, VU#405811]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information. [severity:2/4; BID-50198, CVE-2011-2320]

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to obtain or alter information. [severity:2/4; BID-50213, CVE-2011-3510]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to alter information. [severity:2/4; BID-50202, CVE-2011-2314]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information. [severity:2/4; BID-50206, CVE-2011-2319]

An attacker can use a vulnerability of Oracle Web Services Manager, in order to alter information. [severity:2/4; BID-50212, CERTA-2011-AVI-586, CVE-2011-2237]

An attacker can use a vulnerability of Oracle Web Services Manager, in order to alter information. [severity:2/4; BID-50209, CVE-2011-3523]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to create a denial of service. [severity:1/4; BID-50207, CVE-2011-3541]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information. [severity:1/4; BID-50210, CVE-2011-2318]

threat CVE-2011-3192

Apache httpd: denial of service via Range or Request-Range

Synthesis of the vulnerability

An attacker can use several parallel queries using Range or Request-Range, in order to progressively use the available memory.
Severity: 2/4.
Creation date: 24/08/2011.
Revision dates: 24/08/2011, 26/08/2011, 14/09/2011.
Identifiers: BID-49303, c02997184, c03011498, c03025215, CERTA-2011-AVI-493, cisco-sa-20110830-apache, CVE-2011-3192, DSA-2298-1, DSA-2298-2, FEDORA-2011-12715, HPSBMU02704, HPSBUX02702, HPSBUX02707, KB73310, MDVSA-2011:130, MDVSA-2011:130-1, openSUSE-SU-2011, openSUSE-SU-2011:0993-1, PSN-2013-02-846, RHSA-2011:1245-01, RHSA-2011:1294-01, RHSA-2011:1300-01, RHSA-2011:1329-01, RHSA-2011:1330-01, RHSA-2011:1369-01, sk65222, SSA:2011-252-01, SSRT100606, SSRT100619, SSRT100626, SUSE-SU-2011:1000-1, SUSE-SU-2011:1007-1, SUSE-SU-2011:1010-1, SUSE-SU-2011:1215-1, SUSE-SU-2011:1216-1, VIGILANCE-VUL-10944, VU#405811.

Description of the vulnerability

The Range header defined in the HTTP protocol indicates the byte ranges that the server should return. For example, to obtain bytes 10 to 30 and 50 to 60:
  Range: bytes=10-30,50-60
The Request-Range header is the obsolete name of Range.

Apache processes the following objects:
 - bucket: an abstract storage area (memory, file, etc.)
 - brigade: a linked list of buckets

When Apache httpd receives a request containing the Range header, it stores each range as a bucket in a brigade. However, if the range list is long, this brigade consumes a lot of memory.

An attacker can therefore use several parallel queries using Range or Request-Range, in order to progressively use the available memory.
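The Range processing described above, as an added example that is neither from the bulletin nor from httpd's own code: a Python parser for the value of a Range header that counts the range specs before doing any other work, rejects a list longer than a cap (MAX_RANGES, set here to 200, which is also the default of the MaxRanges directive that httpd later introduced), and merges overlapping or adjacent ranges so that the work done per request is bounded by the size of the representation rather than by the length of the list. The function and parameter names, the cap and the header values are constructed for this demonstration.

```python
"""Added example (not from the Vigil@nce bulletin or from httpd): a defensive
parser for the value of an HTTP Range header. It caps the number of range
specs and merges overlapping or adjacent ranges, so the per-request work is
bounded by the representation size. All header values are constructed."""
import re

MAX_RANGES = 200  # cap chosen for the example (httpd's MaxRanges defaults to 200)

_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")


class RangeError(ValueError):
    """Raised for a malformed header or one that exceeds the range cap."""


def merge_ranges(ranges):
    """Coalesce overlapping and adjacent (first, last) ranges, so the result
    has at most one entry per disjoint region of the representation."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def parse_byte_ranges(header: str, total_length: int, max_ranges: int = MAX_RANGES):
    """Parse a Range header value ("bytes=10-30,50-60") for a representation
    of total_length bytes (assumed > 0) into a sorted, merged list of
    inclusive (first, last) pairs.

    Raises RangeError when the unit is not "bytes", a spec is malformed or
    inverted, or more than max_ranges specs are listed. Unsatisfiable specs
    (start beyond the end, or an empty suffix) are dropped."""
    unit, sep, spec_list = header.partition("=")
    if not sep or unit.strip().lower() != "bytes":
        raise RangeError("unsupported range unit")
    specs = spec_list.split(",")
    # Count first: the cheapest defence against a header listing thousands
    # of ranges, before a single bucket or buffer is allocated for them.
    if len(specs) > max_ranges:
        raise RangeError(f"too many ranges: {len(specs)} > {max_ranges}")
    ranges = []
    for spec in specs:
        m = _SPEC.match(spec)
        if not m:
            raise RangeError(f"malformed range spec {spec!r}")
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            raise RangeError("empty range spec")
        if first == "":  # suffix range: the last N bytes
            n = int(last)
            if n == 0:
                continue
            lo, hi = max(total_length - n, 0), total_length - 1
        else:
            lo = int(first)
            hi = int(last) if last else total_length - 1
            if lo >= total_length:
                continue  # unsatisfiable: skip this spec
            if hi < lo:
                raise RangeError(f"inverted range {spec!r}")
            hi = min(hi, total_length - 1)
        ranges.append((lo, hi))
    return merge_ranges(ranges)


def range_header_acceptable(header: str, total_length: int) -> bool:
    """Policy wrapper for a request filter: True when the header parses within
    the cap, False when the server should not honour it."""
    try:
        parse_byte_ranges(header, total_length)
    except RangeError:
        return False
    return True


if __name__ == "__main__":
    # The bulletin's own example header, then a constructed 150-entry list
    # of identical ranges that collapses to a single region after merging.
    print(parse_byte_ranges("bytes=10-30,50-60", 100))
    print(parse_byte_ranges("bytes=" + ",".join(["0-1"] * 150), 100))
    print(range_header_acceptable("bytes=" + ",".join(["0-1"] * 201), 100))
```

What to do when the check fails is a policy choice: httpd's MaxRanges behaviour is to ignore the header and return the complete resource, while an application may prefer to answer 416. Either way the decision is taken before any memory is committed to the individual ranges.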