The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle Portal

vulnerability note CVE-2015-3237 CVE-2015-7182 CVE-2016-1181

Oracle Fusion Middleware: vulnerabilities of July 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Fusion Middleware.
Impacted products: WebSphere AS Traditional, Oracle Communications, Oracle Directory Server, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Portal, Solaris, Oracle TopLink, WebLogic.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 22.
Creation date: 20/07/2016.
Identifiers: 7014463, cpuapr2019, cpujul2016, cpuoct2018, CVE-2015-3237, CVE-2015-7182, CVE-2016-1181, CVE-2016-1548, CVE-2016-2107, CVE-2016-3432, CVE-2016-3433, CVE-2016-3445, CVE-2016-3446, CVE-2016-3474, CVE-2016-3482, CVE-2016-3487, CVE-2016-3499, CVE-2016-3502, CVE-2016-3504, CVE-2016-3510, CVE-2016-3544, CVE-2016-3564, CVE-2016-3586, CVE-2016-3607, CVE-2016-3608, CVE-2016-5019, CVE-2016-5477, VIGILANCE-VUL-20164, ZDI-16-441, ZDI-16-442, ZDI-16-443, ZDI-16-444.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion Middleware.

An attacker can use a vulnerability via Oracle Directory Server Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-7182]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3607, ZDI-16-442]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3510, ZDI-16-443]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3586, ZDI-16-441]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3499, ZDI-16-444]

An attacker can use a vulnerability via Oracle JDeveloper, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3504, CVE-2016-5019]

An attacker can use a vulnerability via Oracle Business Intelligence Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3446]

An attacker can use a vulnerability via Oracle Portal, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-1181]

An attacker can use a vulnerability via Oracle TopLink, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3564]

An attacker can use a vulnerability via Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3487]

An attacker can use a vulnerability via Oracle Business Intelligence Enterprise Edition, in order to obtain or alter information. [severity:3/4; CVE-2016-3544]

An attacker can use a vulnerability via Oracle Exalogic Infrastructure, in order to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-1548]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information, or to trigger a denial of service. [severity:2/4; CVE-2015-3237]

An attacker can use a vulnerability via Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2016-3502]

An attacker can use a vulnerability via Oracle Access Manager, in order to obtain information. [severity:2/4; CVE-2016-2107]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information. [severity:2/4; CVE-2016-3608]

An attacker can use a vulnerability via Oracle GlassFish Server, in order to obtain information. [severity:2/4; CVE-2016-5477]

An attacker can use a vulnerability via BI Publisher (formerly XML Publisher), in order to obtain or alter information. [severity:2/4; CVE-2016-3432]

An attacker can use a vulnerability via Oracle Business Intelligence Enterprise Edition, in order to obtain or alter information. [severity:2/4; CVE-2016-3433]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2016-3445]

An attacker can use a vulnerability via BI Publisher (formerly XML Publisher), in order to obtain information. [severity:1/4; CVE-2016-3474]

An attacker can use a vulnerability via Oracle HTTP Server, in order to obtain information. [severity:1/4; CVE-2016-3482]
Full Vigil@nce bulletin... (Free trial)
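Every bulletin on this page follows the same layout: a Synthesis block carrying a declared vulnerability count, a severity and an Identifiers list, then one sentence per vulnerability that ends in [severity:N/4; id, id, ...]. The Python below is an added example, not Vigil@nce's own code: it parses that layout and cross-checks the header against the entries (entry count, highest severity, and every CVE accounted for on both sides), then groups CVEs per product. The sample text is constructed from three entries of the July 2016 bulletin above, with two inconsistencies planted (CVE-2016-3499 listed in Identifiers but attached to no entry, ZDI-16-441 attached to an entry but missing from Identifiers) so the checker has something to report.

```python
import re
from dataclasses import dataclass

# Constructed sample in the bulletin format used on this page: three entries trimmed
# from the July 2016 bulletin, with two deliberate inconsistencies (see lead-in).
SAMPLE = """\
Oracle Fusion Middleware: vulnerabilities of July 2016

Synthesis of the vulnerability

An attacker can use several vulnerabilities of Oracle Fusion Middleware.
Severity: 3/4.
Number of vulnerabilities in this bulletin: 3.
Creation date: 20/07/2016.
Identifiers: cpujul2016, CVE-2016-3445, CVE-2016-3499, CVE-2016-3510, CVE-2016-3586, VIGILANCE-VUL-20164, ZDI-16-443.

Description of the vulnerability

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3510, ZDI-16-443]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2016-3586, ZDI-16-441]

An attacker can use a vulnerability via Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2016-3445]
"""

CVE_RE = re.compile(r"^CVE-\d{4}-\d{4,}$")
# Header fields of the Synthesis block; the trailing period is left out of the value.
FIELD_RE = re.compile(
    r"^(Severity|Number of vulnerabilities in this bulletin|Creation date|Identifiers):\s*(.+?)\.?$",
    re.M,
)
# One per-vulnerability line: the sentence, then "[severity:N/4; id, id, ...]".
ENTRY_RE = re.compile(r"^((?:An|A remote) attacker .+?)\s*\[severity:(\d)/4;\s*([^\]]+)\]\s*$", re.M)
PRODUCT_RE = re.compile(r"vulnerability (?:via|of|in) (.+?)(?:,| in order|\.$)")


@dataclass
class Entry:
    product: str
    severity: int
    ids: list


@dataclass
class Bulletin:
    title: str
    severity: int
    declared_count: int
    created: str
    identifiers: list
    entries: list


def parse_bulletin(text: str) -> Bulletin:
    title = next(line.strip() for line in text.splitlines() if line.strip())
    fields = dict(FIELD_RE.findall(text))
    entries = []
    for sentence, sev, ids in ENTRY_RE.findall(text):
        m = PRODUCT_RE.search(sentence)
        entries.append(Entry(m.group(1) if m else "?", int(sev), [i.strip() for i in ids.split(",")]))
    return Bulletin(
        title=title,
        severity=int(fields["Severity"].split("/")[0]),
        declared_count=int(fields["Number of vulnerabilities in this bulletin"]),
        created=fields["Creation date"],
        identifiers=[i.strip() for i in fields["Identifiers"].split(",")],
        entries=entries,
    )


def check_bulletin(b: Bulletin) -> list:
    """Cross-check the Synthesis header against the per-vulnerability entries."""
    findings = []
    if len(b.entries) != b.declared_count:
        findings.append(f"count mismatch: header declares {b.declared_count}, found {len(b.entries)} entries")
    header = set(b.identifiers)
    attached = {i for e in b.entries for i in e.ids}
    for cve in sorted(i for i in header - attached if CVE_RE.match(i)):
        findings.append(f"{cve} is in Identifiers but attached to no entry")
    for ident in sorted(attached - header):
        findings.append(f"{ident} is attached to an entry but missing from Identifiers")
    top = max((e.severity for e in b.entries), default=0)
    if top != b.severity:
        findings.append(f"severity mismatch: header says {b.severity}/4, highest entry is {top}/4")
    return findings


def cves_by_product(b: Bulletin) -> dict:
    """Group CVEs per product, which is what a patch-tracking ticket needs from the bulletin."""
    out = {}
    for e in b.entries:
        out.setdefault(e.product, set()).update(i for i in e.ids if CVE_RE.match(i))
    return out


if __name__ == "__main__":
    bulletin = parse_bulletin(SAMPLE)
    print(bulletin.title, bulletin.created, f"{len(bulletin.entries)} entries")
    for product, cves in cves_by_product(bulletin).items():
        print(f"  {product}: {', '.join(sorted(cves))}")
    for finding in check_bulletin(bulletin):
        print("  !", finding)
```

Run it over a bulletin saved as text before the CVE list is copied into a remediation tracker: a CVE that appears in Identifiers but in no entry, or the reverse, is exactly the kind of drift that leaves one fix untracked.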

computer vulnerability note CVE-2007-0009 CVE-2007-1858 CVE-2012-3499

Oracle Fusion: several vulnerabilities of January 2014

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in January 2014.
Impacted products: Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Internet Directory, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, Oracle Portal, Oracle Web Tier, Sun AS.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: user account.
Number of vulnerabilities in this bulletin: 19.
Creation date: 15/01/2014.
Identifiers: BID-64815, BID-64819, BID-64822, BID-64827, BID-64829, BID-64830, BID-64835, BID-64838, BID-64842, CERTA-2014-AVI-022, cpujan2014, CVE-2007-0009, CVE-2007-1858, CVE-2012-3499, CVE-2012-3544, CVE-2012-4605, CVE-2013-1620, CVE-2013-1654, CVE-2013-1862, CVE-2013-4316, CVE-2013-5785, CVE-2013-5808, CVE-2013-5869, CVE-2013-5900, CVE-2013-5901, CVE-2014-0374, CVE-2014-0383, CVE-2014-0391, CVE-2014-0400, VIGILANCE-VUL-14089.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle WebCenter Sites, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-4316]

An attacker can use a vulnerability of Oracle Reports Developer, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-64819, CVE-2013-5785]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2007-0009]

An attacker can use a vulnerability of Oracle Internet Directory, in order to obtain information. [severity:3/4; BID-64822, CVE-2014-0400]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2013-1862]

An attacker can use a vulnerability of Oracle Enterprise Data Quality, in order to trigger a denial of service. [severity:2/4; CVE-2012-3544]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2013-1654]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2012-4605]

An attacker can use a vulnerability of Oracle Identity Manager, in order to obtain information. [severity:2/4; BID-64829, CVE-2014-0391]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain information. [severity:2/4; BID-64835, CVE-2013-5869]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2012-3499]

An attacker can use a vulnerability of Oracle Identity Manager, in order to alter information. [severity:2/4; BID-64838, CVE-2013-5900]

An attacker can use a vulnerability of Oracle Identity Manager, in order to obtain information. [severity:2/4; BID-64815, CVE-2013-5901]

An attacker can use a vulnerability of Oracle Portal, in order to alter information. [severity:2/4; BID-64830, CVE-2014-0374]

An attacker can use a vulnerability of Oracle Traffic Director, Oracle iPlanet Web Server and Oracle iPlanet Web Proxy Server, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle Identity Manager, in order to obtain information. [severity:2/4; BID-64842, CVE-2014-0383]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:1/4; CVE-2007-1858]

An attacker can use a vulnerability of Oracle iPlanet Web Proxy Server, in order to obtain information. [severity:1/4; BID-64827, CVE-2013-5808]

vulnerability bulletin CVE-2011-3389 CVE-2013-0169 CVE-2013-2172

Oracle Fusion Middleware: several vulnerabilities of October 2013

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are fixed by the CPU of October 2013.
Impacted products: Oracle AS, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Portal, WebLogic.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 15.
Creation date: 16/10/2013.
Identifiers: BID-63041, BID-63043, BID-63049, BID-63052, BID-63054, BID-63058, BID-63066, BID-63069, BID-63074, CERTA-2013-AVI-575, cpuoct2013, CVE-2011-3389, CVE-2013-0169, CVE-2013-2172, CVE-2013-3827, CVE-2013-3828, CVE-2013-3831, CVE-2013-3833, CVE-2013-3836, CVE-2013-5773, CVE-2013-5798, CVE-2013-5813, CVE-2013-5815, CVE-2013-5816, RHSA-2013:1437-01, RHSA-2014:1369-01, VIGILANCE-VUL-13603, ZDI-13-249.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63041, CVE-2013-5815]

An attacker can use a SQL injection in PORTAL_DEMO.ORG_CHART, in order to read or alter data. [severity:2/4; BID-63043, CVE-2013-3831]

An attacker can use a vulnerability of Content Server, in order to obtain or alter information. [severity:2/4; BID-63049, CVE-2013-5813]

An attacker can use a vulnerability of Java Server Faces, in order to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can use a vulnerability of Metro, in order to trigger a denial of service. [severity:2/4; BID-63054, CVE-2013-5816]

An attacker can use a vulnerability of Web Container, in order to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can traverse directories in the Test Page of BPEL Process Manager, in order to read a file outside the root path. [severity:2/4; BID-63058, CVE-2013-3828, ZDI-13-249]

An attacker can use a vulnerability of Web Container, in order to obtain information. [severity:2/4; BID-63052, CVE-2013-3827]

An attacker can use a vulnerability of Authentication Engine, in order to alter information. [severity:2/4; CVE-2013-3833]

An attacker can use a vulnerability of Servlet Runtime, in order to alter information. [severity:2/4; BID-63066, CVE-2013-5773]

An attacker can use a vulnerability of Metro, in order to alter information. [severity:2/4; CVE-2013-2172]

An attacker can use a vulnerability of End User Self Service, in order to alter information. [severity:2/4; BID-63069, CVE-2013-5798]

An attacker can use a vulnerability of SSL/TLS, in order to obtain information (VIGILANCE-VUL-11014). [severity:2/4; CVE-2011-3389]

An attacker can use a vulnerability of ESI/Partial Page Caching, in order to obtain information. [severity:2/4; BID-63074, CVE-2013-3836]

An attacker can use a vulnerability of SSL/TLS, in order to obtain information (VIGILANCE-VUL-12374). [severity:1/4; CVE-2013-0169]
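The BPEL Process Manager entry above (CVE-2013-3828) is a directory traversal: a page that reads a file by name lets the caller reach outside the intended root. The Python below is an added example, not the Oracle fix and not tied to any real Oracle path: it shows the containment check a file-serving page should apply, decoding and normalizing the requested name and then verifying that the real target still lies under the document root. DOC_ROOT and the request strings are constructed for illustration.

```python
from pathlib import Path, PurePosixPath
from urllib.parse import unquote

# Hypothetical document root for a page that serves files by name; not a real Oracle path.
DOC_ROOT = "/srv/testpage/docs"


def resolve_under_root(root: str, requested: str) -> Path:
    """Map a user-supplied file name to a path guaranteed to stay under root.

    Raises PermissionError for any request that escapes, however it is encoded.
    """
    # Decode twice so %252e%252e (double-encoded "..") cannot slip past the check,
    # then treat backslashes as separators as a Windows-hosted server would.
    decoded = unquote(unquote(requested)).replace("\\", "/")
    rel = PurePosixPath(decoded)
    if rel.is_absolute():
        raise PermissionError(f"absolute path rejected: {requested!r}")
    base = Path(root).resolve()
    # resolve() collapses "." and ".." and follows symlinks, so the containment
    # test is done on the real target rather than on the request string.
    target = (base / str(rel)).resolve()
    if target != base and base not in target.parents:
        raise PermissionError(f"path escapes root: {requested!r} -> {target}")
    return target


def is_allowed(requested: str, root: str = DOC_ROOT) -> bool:
    """Convenience wrapper: True if the request resolves inside root."""
    try:
        resolve_under_root(root, requested)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    # Constructed requests: a few legitimate names and the usual escape attempts.
    for req in ["process.xml", "sub/../process.xml", "../../etc/passwd",
                "%2e%2e/%2e%2e/etc/passwd", "%252e%252e/%252e%252e/etc/passwd",
                "..\\..\\etc\\passwd", "/etc/passwd"]:
        print(f"{req!r:40} -> {'allowed' if is_allowed(req) else 'REJECTED'}")
```

The check is on the resolved path, not on the presence of ".." in the string: a denylist of substrings misses encoded, mixed-separator and symlink variants, whereas a prefix test on the canonical target rejects all of them with one rule.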

computer vulnerability alert CVE-2011-3368 CVE-2011-3562 CVE-2011-4317

Oracle Fusion Middleware: several vulnerabilities of July 2012

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are corrected by the CPU of July 2012.
Impacted products: Oracle AS, Oracle Fusion Middleware, Oracle Identity Management, Oracle Portal.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 8.
Creation date: 18/07/2012.
Identifiers: BID-54492, BID-54494, BID-54495, BID-54514, BID-54516, BID-54520, CERTA-2012-AVI-393, cpujul2012, CVE-2011-3368, CVE-2011-3562, CVE-2011-4317, CVE-2012-1736, CVE-2012-1741, CVE-2012-1749, CVE-2012-3115, CVE-2012-3135, VIGILANCE-VUL-11776.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Oracle JRockit, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-54494, CVE-2012-3135]

An attacker can use a vulnerability of Enterprise Manager for Fusion Middleware, in order to obtain or alter information. [severity:2/4; BID-54492, CVE-2012-1741]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:2/4; CVE-2011-3368]

An attacker can use a vulnerability of Oracle MapViewer, in order to obtain information. [severity:2/4; BID-54514, CVE-2012-1736]

An attacker can use a vulnerability of Oracle MapViewer, in order to obtain information. [severity:2/4; BID-54516, CVE-2012-1749]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2011-4317]

An attacker can use a vulnerability of Oracle MapViewer, in order to alter information. [severity:2/4; BID-54520, CVE-2012-3115]

An attacker can use a vulnerability of Portal, in order to alter information. [severity:2/4; BID-54495, CVE-2011-3562]

computer vulnerability note CVE-2009-3555 CVE-2010-4452 CVE-2011-0785

Oracle Fusion Middleware: several vulnerabilities of April 2011

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion Middleware are corrected by the CPU of April 2011.
Impacted products: DB2 UDB, Oracle AS, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Oracle Portal, WebLogic.
Severity: 4/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 8.
Creation date: 20/04/2011.
Identifiers: 2010-007, BID-46388, BID-47435, BID-47437, BID-47443, BID-47463, BID-47475, BID-47489, CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2011-AVI-492, CERTA-2011-AVI-603, CERTA-2012-AVI-241, cpuapr2011, CVE-2009-3555, CVE-2010-4452, CVE-2011-0785, CVE-2011-0789, CVE-2011-0794, CVE-2011-0795, CVE-2011-0798, CVE-2011-0808, DSECRG-12-018, VIGILANCE-VUL-10579, VU#120541, VU#520721, ZDI-11-084.

Description of the vulnerability

A Critical Patch Update corrects several vulnerabilities of Oracle Fusion Middleware.

An attacker can use a vulnerability of Deployment Applet2ClassLoader, in order to obtain information, to alter information, or to create a denial of service. [severity:4/4; BID-46388, CVE-2010-4452, ZDI-11-084]

A remote attacker can use a vulnerability of TLS renegotiation, in order to insert plaintext data into a session via a man-in-the-middle attack (VIGILANCE-VUL-9181). [severity:2/4; CERTA-2009-AVI-528, CERTA-2010-AVI-149, CERTA-2010-AVI-196, CERTA-2010-AVI-239, CERTA-2010-AVI-241, CERTA-2010-AVI-365, CERTA-2010-AVI-513, CERTA-2010-AVI-573, CERTA-2011-AVI-253, CERTA-2012-AVI-241, CVE-2009-3555, VU#120541]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; BID-47489, CVE-2011-0789]

An attacker can trigger a Cross Site Scripting in Oracle Help via help/topics/iastop_cs/iastop_cs_farm_page.html. [severity:2/4; BID-47443, CVE-2011-0785]

An attacker can use a vulnerability of Portal, in order to alter information. [severity:2/4; BID-47463, CVE-2011-0798]

An attacker can use a vulnerability of Single Sign On, in order to alter information. [severity:2/4; BID-47475, CVE-2011-0795]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to create a denial of service. [severity:1/4; BID-47435, CERTA-2011-AVI-492, CERTA-2011-AVI-603, CVE-2011-0794, VU#520721]

An attacker can use a vulnerability of Oracle Outside In Technology, in order to create a denial of service. [severity:1/4; BID-47437, CVE-2011-0808, VU#520721]
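CVE-2009-3555 above is the TLS renegotiation flaw; the protocol fix is RFC 5746 secure renegotiation, which a server signals by echoing the renegotiation_info extension (type 0xff01) in its ServerHello. The Python below is an added example, not Oracle's or Vigil@nce's code: it builds two constructed ServerHello records (zeroed random, a single cipher suite), parses the handshake, and reports whether the extension is present. The builder exists only so the check runs offline; against a live server you would capture the ServerHello returned after a ClientHello that itself offered renegotiation_info or the TLS_EMPTY_RENEGOTIATION_INFO_SCSV cipher suite.

```python
import struct

RENEGOTIATION_INFO = 0xFF01                 # extension type, RFC 5746
TLS_EMPTY_RENEGOTIATION_INFO_SCSV = 0x00FF  # signalling cipher suite a client may offer instead


def build_server_hello(extensions: dict, cipher_suite: int = 0x002F) -> bytes:
    """Build a TLS 1.2 handshake record holding a minimal ServerHello (constructed test data)."""
    ext_bytes = b"".join(struct.pack(">HH", t, len(d)) + d for t, d in extensions.items())
    body = (
        b"\x03\x03"                       # server_version: TLS 1.2
        + bytes(32)                       # random, zeroed (test data only)
        + b"\x00"                         # empty session_id
        + struct.pack(">H", cipher_suite)
        + b"\x00"                         # null compression
    )
    if ext_bytes:
        body += struct.pack(">H", len(ext_bytes)) + ext_bytes
    handshake = b"\x02" + len(body).to_bytes(3, "big") + body   # HandshakeType server_hello
    return b"\x16\x03\x03" + struct.pack(">H", len(handshake)) + handshake


def parse_server_hello(record: bytes) -> dict:
    """Parse the ServerHello inside a handshake record: version, cipher suite, extensions."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack(">H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x02:
        raise ValueError("handshake message is not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    pos = 0
    version = body[pos:pos + 2]
    pos += 2
    pos += 32                      # skip random
    pos += 1 + body[pos]           # skip session_id (length-prefixed)
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]
    pos += 2
    pos += 1                       # compression method
    extensions = {}
    if pos < len(body):            # the extensions block is optional
        ext_len = struct.unpack(">H", body[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            pos += 4
            extensions[etype] = body[pos:pos + elen]
            pos += elen
    return {"version": version, "cipher_suite": cipher, "extensions": extensions}


def secure_renegotiation_supported(server_hello: bytes) -> bool:
    """True when the server echoed renegotiation_info, i.e. it implements RFC 5746.

    Only meaningful if the ClientHello offered renegotiation_info or the SCSV; a
    server that was never offered the extension will not answer with it either.
    """
    ext = parse_server_hello(server_hello)["extensions"].get(RENEGOTIATION_INFO)
    # On an initial handshake the extension body is one zero-length vector: b"\x00".
    return ext == b"\x00"


# Constructed ServerHellos: one from a server implementing RFC 5746, one that does not.
PATCHED_HELLO = build_server_hello({RENEGOTIATION_INFO: b"\x00"})
LEGACY_HELLO = build_server_hello({})

if __name__ == "__main__":
    for name, hello in [("patched", PATCHED_HELLO), ("legacy", LEGACY_HELLO)]:
        info = parse_server_hello(hello)
        verdict = "yes" if secure_renegotiation_supported(hello) else "NO (CVE-2009-3555 exposure)"
        print(f"{name}: cipher 0x{info['cipher_suite']:04x}, secure renegotiation: {verdict}")
```

A missing extension does not by itself prove the server is exploitable: the other common mitigation for this CVE was to disable renegotiation outright, which this check cannot see. It tells you only whether RFC 5746 is negotiated, which is the state a patched Oracle HTTP Server or WebLogic front end should be in.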

computer vulnerability CVE-2010-0086 CVE-2010-0853 CVE-2010-0855

Oracle AS, Portal: several vulnerabilities of April 2010

Synthesis of the vulnerability

Several vulnerabilities of Oracle Application Server and Portal are corrected by the CPU of April 2010.
Impacted products: Oracle AS, Oracle Portal.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 5.
Creation date: 14/04/2010.
Identifiers: BID-39418, BID-39433, BID-39437, BID-39442, BID-39443, cpuapr2010, CVE-2010-0086, CVE-2010-0853, CVE-2010-0855, CVE-2010-0856, CVE-2010-0872, VIGILANCE-VUL-9585.

Description of the vulnerability

The CPU (Critical Patch Update) of April 2010 corrects several vulnerabilities of Oracle Application Server and Portal. Oracle's announcement contains a detailed table, summarized below.

An attacker can use a vulnerability of Oracle Internet Directory, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-39418, CVE-2010-0853]

An attacker can use a vulnerability of Oracle Internet Directory, in order to generate a denial of service. [severity:2/4; BID-39443, CVE-2010-0872]

An attacker can use a vulnerability of Portal, in order to generate a denial of service. [severity:2/4; BID-39442, CVE-2010-0856]

An attacker can use a vulnerability of Portal, in order to alter information. [severity:2/4; BID-39433, CVE-2010-0086]

An attacker can use a vulnerability of Portal, in order to alter information. [severity:2/4; BID-39437, CVE-2010-0855]

computer vulnerability CVE-2009-1990 CVE-2009-1999 CVE-2009-3407

Oracle Application Server: several vulnerabilities of October 2009

Synthesis of the vulnerability

Several vulnerabilities of Oracle Application Server are corrected by the CPU of October 2009.
Impacted products: Oracle AS, Oracle Portal.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 3.
Creation date: 21/10/2009.
Identifiers: BID-36753, cpuoct2009, CVE-2009-1990, CVE-2009-1999, CVE-2009-3407, VIGILANCE-VUL-9105.

Description of the vulnerability

The CPU (Critical Patch Update) of October 2009 corrects several vulnerabilities of Oracle Application Server. Oracle's announcement contains a detailed table, summarized below.

An attacker can use a vulnerability of Business Intelligence Enterprise Edition, in order to alter information. [severity:3/4; CVE-2009-1999]

An attacker can use a vulnerability of Portal, in order to alter information. [severity:3/4; BID-36753, CVE-2009-3407]

An attacker can use a vulnerability of Business Intelligence Enterprise Edition, in order to obtain information. [severity:2/4; CVE-2009-1990]

computer vulnerability announce CVE-2009-0974 CVE-2009-0983 CVE-2009-0989

Oracle Application Server: several vulnerabilities of April 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of April 2009.
Impacted products: Oracle AS, Oracle Portal.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 12.
Creation date: 15/04/2009.
Identifiers: CPUapr2009, CVE-2009-0974, CVE-2009-0983, CVE-2009-0989, CVE-2009-0990, CVE-2009-0993, CVE-2009-0994, CVE-2009-0996, CVE-2009-1008, CVE-2009-1009, CVE-2009-1010, CVE-2009-1011, CVE-2009-1017, VIGILANCE-VUL-8637, ZDI-09-017.

Description of the vulnerability

The CPU (Critical Patch Update) of April 2009 corrects several vulnerabilities of Oracle Application Server. Oracle's announcement contains a detailed table, summarized below.

An attacker can obtain or alter information or create a denial of service via a vulnerability of OPMN. [severity:3/4; CVE-2009-0993]

An attacker can obtain or alter information via a vulnerability of BI Publisher. [severity:3/4; CVE-2009-0989]

An attacker can obtain or alter information via a vulnerability of BI Publisher. [severity:3/4; CVE-2009-0990]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Outside In Technology. [severity:3/4; CVE-2009-1008]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Outside In Technology. [severity:3/4; CVE-2009-1009]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Outside In Technology. [severity:3/4; CVE-2009-1010]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Outside In Technology. [severity:3/4; CVE-2009-1011]

An attacker can alter information via a vulnerability of Portal. [severity:3/4; CVE-2009-0974]

An attacker can alter information via a vulnerability of Portal. [severity:3/4; CVE-2009-0983]

An attacker can obtain information via a vulnerability of BI Publisher. [severity:2/4; CVE-2009-0994]

An attacker can obtain information via a vulnerability of BI Publisher. [severity:2/4; CVE-2009-0996]

An attacker can obtain information via a vulnerability of BI Publisher. [severity:2/4; CVE-2009-1017]

computer vulnerability announce CVE-2008-2623 CVE-2008-4014 CVE-2008-4017

Oracle AS: several vulnerabilities of January 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of January 2009.
Impacted products: Oracle AS, Oracle Portal.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 4.
Creation date: 14/01/2009.
Revision date: 15/01/2009.
Identifiers: CERTA-2009-AVI-013, cpujan2009, CVE-2008-2623, CVE-2008-4014, CVE-2008-4017, CVE-2008-5438, DSECRG-09-001, VIGILANCE-VUL-8387.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2009 corrects several vulnerabilities of Oracle Application Server. Oracle's announcement contains a detailed table, summarized below.

An attacker (via LDAP, unauthenticated) can obtain information via a vulnerability of OC4J. [severity:3/4; CVE-2008-4017]

An attacker can use the BPELConsole/default/activities.jsp URL to trigger a Cross Site Scripting in Oracle BPEL Process Manager. [severity:2/4; CVE-2008-4014, DSECRG-09-001]

An attacker (via HTTP, unauthenticated) can trigger a Cross Site Scripting in Oracle Portal. [severity:3/4; CVE-2008-5438]

An attacker (local, unauthenticated) can obtain information via a vulnerability of Oracle JDeveloper. [severity:2/4; CERTA-2009-AVI-013, CVE-2008-2623]

computer vulnerability note CVE-2008-2588 CVE-2008-2619 CVE-2008-3975

Oracle AS: several vulnerabilities of October 2008

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of October 2008.
Impacted products: Oracle AS, Oracle Portal.
Severity: 3/4.
Consequences: privileged access/rights, data reading, data creation/edition.
Provenance: intranet client.
Number of vulnerabilities in this bulletin: 6.
Creation date: 15/10/2008.
Identifiers: CERTA-2008-AVI-508, CPUOct2008, CVE-2008-2588, CVE-2008-2619, CVE-2008-3975, CVE-2008-3977, CVE-2008-3986, CVE-2008-3987, VIGILANCE-VUL-8179.

Description of the vulnerability

The CPU (Critical Patch Update) of October 2008 corrects several vulnerabilities of Oracle Application Server. Oracle's announcement contains a detailed table, summarized below.

An attacker (via HTTP and not authenticated) can alter information via a vulnerability of Oracle Portal. [severity:3/4; CVE-2008-3975]

An attacker (via HTTP and not authenticated) can alter information via a vulnerability of Oracle Portal. [severity:3/4; CVE-2008-3977]

An attacker (via HTTP and authenticated) can create a denial of service via a vulnerability of Oracle Reports Developer. [severity:2/4; CVE-2008-2619]

An attacker (local and not authenticated) can obtain information via a vulnerability of Oracle JDeveloper. [severity:2/4; CERTA-2008-AVI-508, CVE-2008-2588]

An attacker (local and authenticated) can obtain information via a vulnerability of Oracle Discoverer Administrator. [severity:1/4; CVE-2008-3986]

An attacker (local and authenticated) can obtain information via a vulnerability of Oracle Discoverer Desktop. [severity:1/4; CVE-2008-3987]