Computer vulnerabilities of Oracle OIT

computer vulnerability announce CVE-2018-2768 CVE-2018-2801 CVE-2018-2806

Oracle Outside In Technology: vulnerabilities of April 2018

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle products.
Impacted products: Exchange, Oracle OIT.
Severity: 3/4.
Consequences: user access/rights.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 20/06/2018.
Identifiers: ADV180010, cpuapr2018, CVE-2018-2768, CVE-2018-2801, CVE-2018-2806, VIGILANCE-VUL-26457.

Description of the vulnerability

Several vulnerabilities were announced in Oracle products.

vulnerability note CVE-2017-10026 CVE-2017-10033 CVE-2017-10034

Oracle Fusion Middleware: vulnerabilities of October 2017

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.
Impacted products: Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Oracle Virtual Directory, WebLogic, Oracle Web Tier.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 18/10/2017.
Revision date: 29/01/2018.
Identifiers: cpuoct2017, CVE-2017-10026, CVE-2017-10033, CVE-2017-10034, CVE-2017-10037, CVE-2017-10051, CVE-2017-10055, CVE-2017-10060, CVE-2017-10152, CVE-2017-10154, CVE-2017-10163, CVE-2017-10166, CVE-2017-10259, CVE-2017-10270, CVE-2017-10271, CVE-2017-10334, CVE-2017-10336, CVE-2017-10352, CVE-2017-10360, CVE-2017-10369, CVE-2017-10385, CVE-2017-10391, CVE-2017-10393, CVE-2017-10400, VIGILANCE-VUL-24164.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

computer vulnerability announce CVE-2011-2730 CVE-2013-2027 CVE-2017-10024

Oracle Fusion Middleware: vulnerabilities of July 2017

Synthesis of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.
Impacted products: Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Tuxedo, WebLogic.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 25.
Creation date: 19/07/2017.
Identifiers: cpujul2017, CVE-2011-2730, CVE-2013-2027, CVE-2017-10024, CVE-2017-10025, CVE-2017-10028, CVE-2017-10029, CVE-2017-10030, CVE-2017-10035, CVE-2017-10040, CVE-2017-10041, CVE-2017-10043, CVE-2017-10048, CVE-2017-10058, CVE-2017-10059, CVE-2017-10063, CVE-2017-10075, CVE-2017-10119, CVE-2017-10123, CVE-2017-10137, CVE-2017-10141, CVE-2017-10147, CVE-2017-10148, CVE-2017-10156, CVE-2017-10157, CVE-2017-10178, VIGILANCE-VUL-23287.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

vulnerability announce CVE-2017-3266 CVE-2017-3267 CVE-2017-3268

Oracle Outside In Technology: vulnerabilities of January 2017

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Outside In Technology.
Impacted products: Oracle OIT.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 9.
Creation date: 18/01/2017.
Revision dates: 31/01/2017, 19/05/2017.
Identifiers: cpujan2017, CVE-2017-3266, CVE-2017-3267, CVE-2017-3268, CVE-2017-3269, CVE-2017-3270, CVE-2017-3271, CVE-2017-3293, CVE-2017-3294, CVE-2017-3295, TALOS-2016-0198, TALOS-2016-0215, VIGILANCE-VUL-21602.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Outside In Technology.

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3266]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3267]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3268]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3269]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3270]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3271, TALOS-2016-0198]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3293, TALOS-2016-0215]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3294]

An attacker can use a vulnerability via Outside In Filters, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2017-3295]

vulnerability note CVE-2016-9387 CVE-2016-9388 CVE-2016-9389

JasPer: eight vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of JasPer.
Impacted products: Fedora, openSUSE Leap, Oracle OIT, RHEL, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 8.
Creation date: 10/05/2017.
Identifiers: cpujan2019, CVE-2016-9387, CVE-2016-9388, CVE-2016-9389, CVE-2016-9390, CVE-2016-9391, CVE-2016-9392, CVE-2016-9393, CVE-2016-9394, FEDORA-2017-cfc20d5d45, FEDORA-2017-da0b00fd64, openSUSE-SU-2017:1960-1, RHSA-2017:1208-01, USN-3693-1, VIGILANCE-VUL-22694.

Description of the vulnerability

An attacker can use several vulnerabilities of JasPer.

vulnerability alert CVE-2017-5662

Apache Batik: external XML entity injection

Synthesis of the vulnerability

An attacker can transmit malicious XML data to Apache Batik, in order to read a file, scan sites, or trigger a denial of service.
Impacted products: Debian, Fedora, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Ubuntu.
Severity: 2/4.
Consequences: data reading, denial of service on service.
Provenance: document.
Creation date: 02/05/2017.
Identifiers: cpuapr2018, cpujul2018, cpuoct2017, CVE-2017-5662, DLA-926-1, DSA-4215-1, FEDORA-2017-43b46cd2da, FEDORA-2017-aff3dd3101, RHSA-2017:2546-01, RHSA-2017:2547-01, RHSA-2018:0319-01, USN-3280-1, VIGILANCE-VUL-22591.

Description of the vulnerability

XML data can contain external entities, declared in the DTD:
  <!ENTITY name SYSTEM "file">
  <!ENTITY name SYSTEM "http://server/file">
A program that reads this XML data can replace these entities with data read from the indicated file or URL. When the program processes XML data coming from an untrusted source, this behavior leads to:
 - disclosure of the content of files on the server
 - scanning of private web sites reachable from the server
 - a denial of service by opening a blocking file
External entity resolution must therefore be disabled when processing XML data from an untrusted source.

However, the XML parser used by Apache Batik resolves external entities.

An attacker can therefore transmit malicious XML data to Apache Batik, in order to read a file, scan sites, or trigger a denial of service.

vulnerability CVE-2017-5638

Apache Struts: code execution via Jakarta Multipart CD/CL

Synthesis of the vulnerability

An attacker can use a malicious Content-Disposition/Content-Length header on Apache Struts with Jakarta Multipart installed, in order to run code.
Impacted products: Struts, Cisco CUCM, Cisco Unified CCX, Avamar, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle OIT, Tuxedo, WebLogic, Percona Server, XtraDB Cluster.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 20/03/2017.
Identifiers: 498123, CERTFR-2017-ALE-004, cisco-sa-20170310-struts2, cpuapr2017, cpujul2017, CVE-2017-5638, ESA-2017-042, S2-045, S2-046, VIGILANCE-VUL-22190.

Description of the vulnerability

The Apache Struts product can be configured to use the Jakarta Multipart parser.

The HTTP Content-Type header can contain the multipart/form-data MIME type to indicate form data. In this case, the Jakarta Multipart parser is called.

When the Jakarta Multipart parser is used and the Content-Disposition or Content-Length header contains a malformed value, an exception is raised, and the header content is interpreted when the error message is displayed.

An attacker can therefore use a malicious Content-Disposition/Content-Length header on Apache Struts with Jakarta Multipart installed, in order to run code.

computer vulnerability announce CVE-2017-5638

Apache Struts: code execution via Jakarta Multipart CT

Synthesis of the vulnerability

An attacker can use a malicious Content-Type header on Apache Struts with Jakarta Multipart installed, in order to run code.
Impacted products: Struts, Cisco CUCM, Cisco Unified CCX, Avamar, MariaDB ~ precise, MySQL Community, MySQL Enterprise, Oracle Communications, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle OIT, Tuxedo, WebLogic, Percona Server, XtraDB Cluster, vCenter Server, VMware vSphere.
Severity: 4/4.
Consequences: user access/rights.
Provenance: internet client.
Creation date: 08/03/2017.
Revision date: 14/03/2017.
Identifiers: 498123, CERTFR-2017-ALE-004, CERTFR-2017-AVI-071, cisco-sa-20170310-struts2, cpuapr2017, cpujul2017, CVE-2017-5638, ESA-2017-042, S2-045, S2-046, VIGILANCE-VUL-22047, VMSA-2017-0004, VMSA-2017-0004.6, VU#834067.

Description of the vulnerability

The Apache Struts product can be configured to use the Jakarta Multipart parser.

The HTTP Content-Type header can contain the multipart/form-data MIME type to indicate form data. In this case, the Jakarta Multipart parser is called.

When the Jakarta Multipart parser is used and the Content-Type header contains a malformed multipart/form-data value, an exception is raised, and the header content is interpreted when the error message is displayed.

An attacker can therefore use a malicious Content-Type header on Apache Struts with Jakarta Multipart installed, in order to run code.

computer vulnerability alert CVE-2016-10195 CVE-2016-10196 CVE-2016-10197

libevent: three vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of libevent.
Impacted products: Debian, Fedora, Firefox, Thunderbird, openSUSE Leap, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, pfSense, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: user access/rights, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 6.
Creation date: 15/02/2017.
Identifiers: bulletinjul2018, CERTFR-2017-AVI-134, cpujul2017, CVE-2016-10195, CVE-2016-10196, CVE-2016-10197, CVE-2017-10195-ERROR, CVE-2017-10196-ERROR, CVE-2017-10197-ERROR, DLA-824-1, DSA-3789-1, FEDORA-2017-31c64a0bbf, FEDORA-2017-82265ed89e, FEDORA-2017-87e23bcc34, MFSA-2017-10, MFSA-2017-11, MFSA-2017-12, MFSA-2017-13, openSUSE-SU-2018:0220-1, RHSA-2017:1201-01, SSA:2017-112-01, SUSE-SU-2017:1669-1, SUSE-SU-2017:2235-1, USN-3228-1, USN-3278-1, VIGILANCE-VUL-21846.

Description of the vulnerability

An attacker can use several vulnerabilities of libevent.

computer vulnerability alert CVE-2016-9583

JasPer: out-of-bounds memory reading via jpc_pi_nextpcrl

Synthesis of the vulnerability

An attacker can force a read at an invalid address via jpc_pi_nextpcrl() of JasPer, in order to trigger a denial of service, or to obtain sensitive information.
Impacted products: Fedora, openSUSE Leap, Oracle OIT, RHEL, SUSE Linux Enterprise Desktop, SLES.
Severity: 2/4.
Consequences: data reading, denial of service on service, denial of service on client.
Provenance: document.
Creation date: 02/02/2017.
Identifiers: cpujan2019, CVE-2016-9583, FEDORA-2017-78a77d2450, FEDORA-2017-d90fac5c8f, openSUSE-SU-2017:1034-1, RHSA-2017:1208-01, SUSE-SU-2017:0946-1, VIGILANCE-VUL-21746.

Description of the vulnerability

An attacker can force a read at an invalid address via jpc_pi_nextpcrl() of JasPer, in order to trigger a denial of service, or to obtain sensitive information.