The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of WebLogic

vulnerability CVE-2014-8157 CVE-2014-8158

JasPer: two vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of JasPer.
Impacted products: Debian, Fedora, MBS, openSUSE, openSUSE Leap, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Tuxedo, WebLogic, RHEL, Slackware, Ubuntu.
Severity: 2/4.
Consequences: user access/rights.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 22/01/2015.
Identifiers: cpujul2018, CVE-2014-8157, CVE-2014-8158, DSA-3138-1, FEDORA-2015-1062, FEDORA-2015-1068, FEDORA-2015-1125, FEDORA-2015-1159, MDVSA-2015:034, MDVSA-2015:159, oCERT-2015-001, openSUSE-SU-2015:0200-1, openSUSE-SU-2016:2737-1, openSUSE-SU-2016:2833-1, RHSA-2015:0074-01, RHSA-2015:0698-01, SSA:2015-302-02, USN-2483-1, USN-2483-2, VIGILANCE-VUL-16030.

Description of the vulnerability

Several vulnerabilities were announced in JasPer.

An attacker can generate a buffer overflow in jpc_dec_process_sot(), in order to trigger a denial of service, and possibly to execute code. [severity:2/4; CVE-2014-8157]

An attacker can fill the stack in jpc_qmfb.c, in order to trigger a denial of service. [severity:1/4; CVE-2014-8158]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2011-1944 CVE-2011-3389 CVE-2011-3607

Oracle Fusion: several vulnerabilities of January 2015

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in January 2015.
Impacted products: Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, WebLogic.
Severity: 3/4.
Consequences: user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 34.
Creation date: 21/01/2015.
Identifiers: cpujan2015, CVE-2011-1944, CVE-2011-3389, CVE-2011-3607, CVE-2013-0338, CVE-2013-1741, CVE-2013-2186, CVE-2013-2877, CVE-2013-4286, CVE-2013-5704, CVE-2013-6438, CVE-2014-0098, CVE-2014-0114, CVE-2014-0191, CVE-2014-0224, CVE-2014-0226, CVE-2014-6526, CVE-2014-6548, CVE-2014-6569, CVE-2014-6571, CVE-2014-6576, CVE-2014-6580, CVE-2014-6592, CVE-2015-0362, CVE-2015-0367, CVE-2015-0372, CVE-2015-0376, CVE-2015-0386, CVE-2015-0389, CVE-2015-0396, CVE-2015-0399, CVE-2015-0401, CVE-2015-0414, CVE-2015-0420, CVE-2015-0434, RHSA-2018:2669-01, VIGILANCE-VUL-16012.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2011-1944]

An attacker can use a vulnerability of Oracle Exalogic Infrastructure, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-0224]

An attacker can use a vulnerability of Oracle Directory Server Enterprise Edition, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-1741]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2015-0396]

An attacker can use a vulnerability of Oracle Real-Time Decision Server, Oracle Waveset or Oracle WebLogic Portal, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-0114]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2013-2186]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-0226]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-6571]

An attacker can use a vulnerability of BI Publisher (XML Publisher), in order to obtain or alter information. [severity:2/4; CVE-2013-4286]

An attacker can use a vulnerability of Oracle Adaptive Access Manager, in order to obtain or alter information. [severity:2/4; CVE-2014-6576]

An attacker can use a vulnerability of BI Publisher (XML Publisher), in order to obtain information. [severity:2/4; CVE-2015-0362]

An attacker can use a vulnerability of Oracle Access Manager, in order to alter information. [severity:2/4; CVE-2015-0367]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to obtain information. [severity:2/4; CVE-2015-0372]

An attacker can use a vulnerability of Oracle HTTP Server, in order to trigger a denial of service. [severity:2/4; CVE-2013-2877]

An attacker can use a vulnerability of Oracle HTTP Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-0098]

An attacker can use a vulnerability of Oracle HTTP Server, in order to trigger a denial of service. [severity:2/4; CVE-2013-6438]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2013-5704]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information. [severity:2/4; CVE-2014-6569]

An attacker can use a vulnerability of Oracle SOA Suite, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2014-6548]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2011-3607]

An attacker can use a vulnerability of Oracle Access Manager, in order to obtain information. [severity:2/4; CVE-2015-0434]

An attacker can use a vulnerability of Oracle Directory Server Enterprise Edition, in order to alter information. [severity:2/4; CVE-2014-6526]

An attacker can use a vulnerability of Oracle Forms, in order to obtain information. [severity:2/4; CVE-2015-0420]

An attacker can use a vulnerability of Oracle HTTP Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-0191]

An attacker can use a vulnerability of Oracle HTTP Server, in order to trigger a denial of service. [severity:2/4; CVE-2013-0338]

An attacker can use a vulnerability of Oracle HTTP Server, in order to trigger a denial of service. [severity:2/4; CVE-2015-0386]

An attacker can use a vulnerability of Oracle Reports Developer, in order to alter information. [severity:2/4; CVE-2014-6580]

An attacker can use a vulnerability of Oracle Security Service, in order to obtain information. [severity:2/4; CVE-2011-3389]

An attacker can use a vulnerability of Oracle WebCenter Content, in order to alter information. [severity:2/4; CVE-2015-0376]

An attacker can use a vulnerability of Oracle Business Intelligence Enterprise Edition, in order to obtain information. [severity:1/4; CVE-2015-0399]

An attacker can use a vulnerability of Oracle Directory Server Enterprise Edition, in order to alter information. [severity:2/4; CVE-2015-0401]

An attacker can use a vulnerability of Oracle OpenSSO, in order to alter information. [severity:2/4; CVE-2015-0389]

An attacker can use a vulnerability of Oracle OpenSSO, in order to alter information. [severity:1/4; CVE-2014-6592]

An attacker can use a vulnerability of Oracle SOA Suite, in order to obtain information. [severity:2/4; CVE-2015-0414]
Full Vigil@nce bulletin... (Free trial)

vulnerability note CVE-2014-3570 CVE-2014-3571 CVE-2014-3572

OpenSSL: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of OpenSSL.
Impacted products: ArubaOS, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, FabricOS, Brocade Network Advisor, Cisco ATA, AnyConnect VPN Client, Cisco ACE, ASA, AsyncOS, Cisco ESA, IOS by Cisco, IronPort Email, IronPort Web, Nexus by Cisco, NX-OS, Cisco Prime Access Registrar, Prime Collaboration Assurance, Cisco Prime DCNM, Prime Infrastructure, Cisco Prime LMS, Prime Network Control Systems, Cisco PRSM, Cisco Router, Cisco IP Phone, Cisco MeetingPlace, Cisco WSA, Clearswift Email Gateway, Debian, BIG-IP Hardware, TMOS, Fedora, FreeBSD, HP-UX, AIX, DB2 UDB, Domino, Notes, Tivoli Storage Manager, Tivoli Workload Scheduler, WebSphere AS Traditional, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, NSM Central Manager, NSMXpress, Juniper SBR, MBS, McAfee Email Gateway, McAfee Web Gateway, Data ONTAP, NetBSD, NetScreen Firewall, ScreenOS, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle Communications, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Solaris, Tuxedo, WebLogic, pfSense, Puppet, RHEL, Base SAS Software, SAS SAS/CONNECT, Slackware, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
Severity: 2/4.
Consequences: denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 7.
Creation date: 08/01/2015.
Identifiers: 1610582, 1699810, 1700997, 1902260, 1903541, 1973383, 55767, 9010028, ARUBA-PSA-2015-003, bulletinjan2015, c04556853, c04679334, CERTFR-2015-AVI-008, CERTFR-2015-AVI-108, CERTFR-2015-AVI-146, CERTFR-2016-AVI-303, cisco-sa-20150310-ssl, cpuapr2017, cpujul2018, cpuoct2016, cpuoct2017, CTX216642, CVE-2014-3570, CVE-2014-3571, CVE-2014-3572, CVE-2014-8275, CVE-2015-0204, CVE-2015-0205, CVE-2015-0206, DSA-3125-1, FEDORA-2015-0512, FEDORA-2015-0601, FreeBSD-SA-15:01.openssl, HPSBUX03244, HPSBUX03334, JSA10679, MDVSA-2015:019, MDVSA-2015:062, MDVSA-2015:063, NetBSD-SA2015-006, NetBSD-SA2015-007, NTAP-20150205-0001, openSUSE-SU-2015:0130-1, openSUSE-SU-2015:1277-1, openSUSE-SU-2016:0640-1, RHSA-2015:0066-01, RHSA-2015:0800-01, SA40015, SA88, SB10108, SOL16120, SOL16123, SOL16124, SOL16126, SOL16135, SOL16136, SOL16139, SP-CAAANXD, SPL-95203, SPL-95206, SSA:2015-009-01, SSRT101885, SSRT102000, SUSE-SU-2015:1138-1, SUSE-SU-2015:1161-1, USN-2459-1, VIGILANCE-VUL-15934, VU#243585.

Description of the vulnerability

Several vulnerabilities were announced in OpenSSL.

An attacker can send a DTLS message, to force a NULL pointer to be dereferenced in dtls1_get_record(), in order to trigger a denial of service. [severity:2/4; CVE-2014-3571]

An attacker can send a DTLS message, to create a memory leak in dtls1_buffer_record(), in order to trigger a denial of service. [severity:1/4; CVE-2015-0206]

An attacker can force a TLS client to use ECDH instead of ECDHE (ephemeral). [severity:2/4; CVE-2014-3572]

An attacker can force a TLS client to use EXPORT_RSA instead of RSA (VIGILANCE-VUL-16301). [severity:2/4; CVE-2015-0204, VU#243585]

An attacker can authenticate without using a private key, in the case where the server trusts a certification authority publishing certificates with DH keys (rare case) (VIGILANCE-VUL-16300). [severity:2/4; CVE-2015-0205]

An attacker can change the fingerprint of a certificate, with no known consequence on security. [severity:1/4; CVE-2014-8275]

In some rare cases, the BN_sqr() function produces an invalid result, with no known consequence on security. [severity:1/4; CVE-2014-3570]
Full Vigil@nce bulletin... (Free trial)

vulnerability bulletin CVE-2014-9029

JasPer: two vulnerabilities of jpc_dec.c

Synthesis of the vulnerability

An attacker can use several vulnerabilities of JasPer.
Impacted products: Debian, Fedora, MBS, openSUSE, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle Internet Directory, Tuxedo, WebLogic, RHEL, Slackware, Ubuntu.
Severity: 3/4.
Consequences: user access/rights, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 2.
Creation date: 04/12/2014.
Identifiers: 1167537, cpujul2018, CVE-2014-9029, DSA-3089-1, FEDORA-2014-16292, FEDORA-2014-16349, FEDORA-2014-16465, FEDORA-2014-16961, FEDORA-2014-17027, FEDORA-2014-17032, MDVSA-2014:247, MDVSA-2015:159, openSUSE-SU-2014:1644-1, openSUSE-SU-2016:2737-1, RHSA-2014:2021-01, RHSA-2015:0698-01, SSA:2015-302-02, USN-2434-1, USN-2434-2, VIGILANCE-VUL-15743.

Description of the vulnerability

Several vulnerabilities were announced in JasPer.

An attacker can generate a buffer overflow in jpc_dec_cp_setfromcox(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4]

An attacker can generate a buffer overflow in jpc_dec_cp_setfromrgn(), in order to trigger a denial of service, and possibly to execute code. [severity:3/4]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2014-3566

SSL 3.0: decrypting session, POODLE

Synthesis of the vulnerability

An attacker, located as a Man-in-the-Middle, can decrypt a SSL 3.0 session, in order to obtain sensitive information.
Impacted products: SES, SNS, Apache httpd, Arkoon FAST360, ArubaOS, Asterisk Open Source, BES, ProxyAV, ProxySG par Blue Coat, SGOS by Blue Coat, GAiA, CheckPoint IP Appliance, IPSO, SecurePlatform, CheckPoint Security Appliance, CheckPoint Security Gateway, Cisco ASR, Cisco ACE, ASA, AsyncOS, Cisco CSS, Cisco ESA, IOS by Cisco, IOS XE Cisco, IOS XR Cisco, IronPort Email, Nexus by Cisco, NX-OS, Prime Infrastructure, Cisco PRSM, Cisco Router, WebNS, Clearswift Email Gateway, Clearswift Web Gateway, CUPS, Debian, Black Diamond, ExtremeXOS, Ridgeline, Summit, BIG-IP Hardware, TMOS, Fedora, FortiGate, FortiGate Virtual Appliance, FortiManager, FortiManager Virtual Appliance, FortiOS, FreeBSD, F-Secure AV, hMailServer, HPE BSM, HP Data Protector, HPE NNMi, HP Operations, ProCurve Switch, SiteScope, HP Switch, TippingPoint IPS, HP-UX, AIX, Domino, Notes, Security Directory Server, SPSS Data Collection, Tivoli System Automation, Tivoli Workload Scheduler, WebSphere AS Traditional, WebSphere MQ, WS_FTP Server, IVE OS, Juniper J-Series, Junos OS, Junos Space, Junos Space Network Management Platform, MAG Series by Juniper, NSM Central Manager, NSMXpress, Juniper SA, MBS, McAfee Email and Web Security, McAfee Email Gateway, ePO, VirusScan, McAfee Web Gateway, IE, Windows 2003, Windows 2008 R0, Windows 2008 R2, Windows 2012, Windows 7, Windows 8, Windows (platform) ~ not comprehensive, Windows RT, Windows Vista, NETASQ, NetBSD, NetIQ Sentinel, NetScreen Firewall, ScreenOS, nginx, Nodejs Core, OpenSSL, openSUSE, openSUSE Leap, Oracle DB, Oracle Fusion Middleware, Oracle Identity Management, Oracle OIT, Solaris, Tuxedo, WebLogic, Palo Alto Firewall PA***, PAN-OS, Polycom CMA, HDX, RealPresence Collaboration Server, RealPresence Distributed Media Application, Polycom VBP, Postfix, SSL protocol, Puppet, RHEL, JBoss EAP by Red Hat, RSA Authentication Manager, ROS, ROX, RuggedSwitch, Slackware, Orolia SecureSync, Splunk Enterprise, stunnel, SUSE Linux Enterprise Desktop, SLES, Synology DSM, Ubuntu, Unix (platform) ~ not comprehensive, ESXi, vCenter Server, VMware vSphere, VMware vSphere Hypervisor, WindRiver Linux, WinSCP.
Severity: 3/4.
Consequences: data reading, data creation/edition.
Provenance: internet client.
Creation date: 15/10/2014.
Identifiers: 10923, 1589583, 1595265, 1653364, 1657963, 1663874, 1687167, 1687173, 1687433, 1687604, 1687611, 1690160, 1690185, 1690342, 1691140, 1692551, 1695392, 1696383, 1699051, 1700706, 2977292, 3009008, 7036319, aid-10142014, AST-2014-011, bulletinapr2015, bulletinjan2015, bulletinjan2016, bulletinjul2015, bulletinjul2016, bulletinoct2015, c04486577, c04487990, c04492722, c04497114, c04506802, c04510230, c04567918, c04616259, c04626982, c04676133, c04776510, CERTFR-2014-ALE-007, CERTFR-2014-AVI-454, CERTFR-2014-AVI-509, CERTFR-2015-AVI-169, CERTFR-2016-AVI-303, cisco-sa-20141015-poodle, cpujul2017, CTX216642, CVE-2014-3566, DSA-3053-1, DSA-3253-1, DSA-3489-1, ESA-2014-178, ESA-2015-098, ESXi500-201502001, ESXi500-201502101-SG, ESXi510-201503001, ESXi510-201503001-SG, ESXi510-201503101-SG, ESXi550-201501001, ESXi550-201501101-SG, FEDORA-2014-12989, FEDORA-2014-12991, FEDORA-2014-13012, FEDORA-2014-13017, FEDORA-2014-13040, FEDORA-2014-13069, FEDORA-2014-13070, FEDORA-2014-13444, FEDORA-2014-13451, FEDORA-2014-13764, FEDORA-2014-13777, FEDORA-2014-13781, FEDORA-2014-13794, FEDORA-2014-14234, FEDORA-2014-14237, FEDORA-2014-15379, FEDORA-2014-15390, FEDORA-2014-15411, FEDORA-2014-17576, FEDORA-2014-17587, FEDORA-2015-9090, FEDORA-2015-9110, FreeBSD-SA-14:23.openssl, FSC-2014-8, HPSBGN03256, HPSBGN03305, HPSBGN03332, HPSBHF03156, HPSBHF03300, HPSBMU03152, HPSBMU03184, HPSBMU03213, HPSBMU03416, HPSBUX03162, HPSBUX03194, JSA10656, MDVSA-2014:203, MDVSA-2014:218, MDVSA-2015:062, NetBSD-SA2014-015, nettcp_advisory, openSUSE-SU-2014:1331-1, openSUSE-SU-2014:1384-1, openSUSE-SU-2014:1395-1, openSUSE-SU-2014:1426-1, openSUSE-SU-2016:0640-1, openSUSE-SU-2016:1586-1, openSUSE-SU-2017:0980-1, PAN-SA-2014-0005, POODLE, RHSA-2014:1652-01, RHSA-2014:1653-01, RHSA-2014:1692-01, RHSA-2014:1920-01, RHSA-2014:1948-01, RHSA-2015:0010-01, RHSA-2015:0011-01, RHSA-2015:0012-01, RHSA-2015:1545-01, RHSA-2015:1546-01, SA83, SB10090, SB10104, sk102989, SOL15702, SP-CAAANKE, SP-CAAANST, SPL-91947, SPL-91948, SSA:2014-288-01, SSA-396873, SSA-472334, SSRT101767, STORM-2014-02-FR, SUSE-SU-2014:1357-1, SUSE-SU-2014:1361-1, SUSE-SU-2014:1386-1, SUSE-SU-2014:1387-1, SUSE-SU-2014:1387-2, SUSE-SU-2014:1409-1, SUSE-SU-2015:0010-1, SUSE-SU-2016:1457-1, SUSE-SU-2016:1459-1, T1021439, TSB16540, USN-2839-1, VIGILANCE-VUL-15485, VMSA-2015-0001, VMSA-2015-0001.1, VMSA-2015-0001.2, VN-2014-003, VU#577193.

Description of the vulnerability

An SSL/TLS session can be established using several protocols:
 - SSL 2.0 (obsolete)
 - SSL 3.0
 - TLS 1.0
 - TLS 1.1
 - TLS 1.2

An attacker can downgrade the version to SSLv3. However, with SSL 3.0, an attacker can change the padding position with a CBC encryption, in order to progressively guess clear text fragments.

This vulnerability is named POODLE (Padding Oracle On Downgraded Legacy Encryption).

An attacker, located as a Man-in-the-Middle, can therefore decrypt a SSL 3.0 session, in order to obtain sensitive information.
Full Vigil@nce bulletin... (Free trial)

vulnerability alert CVE-2013-1741 CVE-2014-0050 CVE-2014-0114

Oracle Fusion: several vulnerabilities of October 2014

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in October 2014.
Impacted products: Oracle Fusion Middleware, Oracle Identity Management, WebLogic, Ubuntu.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 16.
Creation date: 15/10/2014.
Identifiers: cpuoct2014, CVE-2013-1741, CVE-2014-0050, CVE-2014-0114, CVE-2014-0119, CVE-2014-0224, CVE-2014-2880, CVE-2014-6462, CVE-2014-6487, CVE-2014-6499, CVE-2014-6522, CVE-2014-6534, CVE-2014-6552, CVE-2014-6553, CVE-2014-6554, ERPSCAN-14-022, RHSA-2018:2669-01, USN-2654-1, VIGILANCE-VUL-15481.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle Adaptive Access Manager, Oracle Enterprise Data Quality, and Oracle Identity Manager, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-14799). [severity:3/4; CVE-2014-0114]

An attacker can use a vulnerability of Oracle OpenSSO, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-13789). [severity:3/4; CVE-2013-1741]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-14844). [severity:3/4; CVE-2014-0224]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:2/4; CVE-2014-6499]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service (VIGILANCE-VUL-14799). [severity:2/4; CVE-2014-0114]

An attacker can use a vulnerability of Oracle Access Manager, in order to alter information. [severity:2/4; CVE-2014-6553]

An attacker can use a vulnerability of Oracle Access Manager, in order to obtain or alter information. [severity:2/4; CVE-2014-6554]

An attacker can use a vulnerability of Oracle Endeca Information Discovery Studio, in order to trigger a denial of service (VIGILANCE-VUL-14183). [severity:2/4; CVE-2014-0050]

An attacker can use a vulnerability of Oracle Access Manager, in order to alter information. [severity:2/4; CVE-2014-6552]

An attacker can use a vulnerability of Oracle Access Manager, in order to alter information. [severity:2/4; CVE-2014-6462]

An attacker can use a vulnerability of Oracle Enterprise Data Quality, in order to obtain information (VIGILANCE-VUL-14809). [severity:2/4; CVE-2014-0119]

An attacker can use a vulnerability of Oracle Identity Manager, in order to alter information. [severity:2/4; CVE-2014-2880]

An attacker can use a vulnerability of Oracle JDeveloper, in order to alter information. [severity:2/4; CVE-2014-6522]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-6534]

An attacker can use a vulnerability of Oracle Identity Manager, in order to alter information. [severity:1/4; CVE-2014-6487]

An attacker can use a vulnerability of Oracle JDeveloper (VIGILANCE-VUL-14799). [severity:1/4; CVE-2014-0114]
Full Vigil@nce bulletin... (Free trial)

vulnerability announce CVE-2013-1620 CVE-2013-1739 CVE-2013-1740

Oracle Fusion: several vulnerabilities of July 2014

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in July 2014.
Impacted products: Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Proxy Server, Oracle iPlanet Web Server, WebLogic, Oracle Web Tier.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: document.
Number of vulnerabilities in this bulletin: 26.
Creation date: 16/07/2014.
Identifiers: CERTFR-2014-AVI-313, cpujul2014, CVE-2013-1620, CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2013-5855, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492, CVE-2014-2479, CVE-2014-2480, CVE-2014-2481, CVE-2014-2493, CVE-2014-4201, CVE-2014-4202, CVE-2014-4210, CVE-2014-4211, CVE-2014-4212, CVE-2014-4217, CVE-2014-4222, CVE-2014-4241, CVE-2014-4242, CVE-2014-4249, CVE-2014-4251, CVE-2014-4253, CVE-2014-4254, CVE-2014-4255, CVE-2014-4256, CVE-2014-4257, CVE-2014-4267, VIGILANCE-VUL-15052.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

Several vulnerabilities impact NSS (VIGILANCE-VUL-13598, VIGILANCE-VUL-13789, VIGILANCE-VUL-14099, VIGILANCE-VUL-14456) in Oracle GlassFish Server, Oracle iPlanet Web Proxy Server and Oracle iPlanet Web Server. [severity:3/4; CVE-2013-1739, CVE-2013-1740, CVE-2013-1741, CVE-2013-5605, CVE-2013-5606, CVE-2014-1490, CVE-2014-1491, CVE-2014-1492]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain information. [severity:3/4; CVE-2014-4257]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2481]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2480]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4255]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4254]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2479]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-4267]

An attacker can use a vulnerability of Oracle JDeveloper, in order to obtain information, or to trigger a denial of service. [severity:3/4; CVE-2014-2493]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain or alter information. [severity:3/4; CVE-2014-4256]

An attacker can use a vulnerability of BI Publisher, in order to obtain information. [severity:2/4; CVE-2014-4249]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to alter information. [severity:2/4; CVE-2014-4211]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-4201]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-4202]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information. [severity:2/4; CVE-2014-4210]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to trigger a denial of service. [severity:2/4; CVE-2014-4253]

An attacker can use a vulnerability of GlassFish Communications Server, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle Fusion Middleware, in order to obtain information. [severity:2/4; CVE-2014-4212]

An attacker can use a vulnerability of Oracle GlassFish Server, in order to alter information. [severity:2/4; CVE-2013-5855]

An attacker can use a vulnerability of Oracle JDeveloper, in order to alter information. [severity:2/4; CVE-2013-5855]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-4242]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-4217]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2014-4241]

An attacker can use a vulnerability of Oracle WebLogic Server, in order to alter information. [severity:2/4; CVE-2013-5855]

An attacker can use a vulnerability of Oracle HTTP Server, in order to alter information. [severity:2/4; CVE-2014-4251]

An attacker can use a vulnerability of Oracle HTTP Server, in order to obtain information. [severity:1/4; CVE-2014-4222]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2014-0114

Apache Struts 1: code execution via ClassLoader

Synthesis of the vulnerability

An attacker can use the "class" parameter, to manipulate the ClassLoader, in order to execute code.
Impacted products: Struts, Debian, BIG-IP Hardware, TMOS, Fedora, SiteScope, IRAD, Tivoli Storage Manager, Tivoli System Automation, WebSphere AS Traditional, IBM WebSphere ESB, MBS, MES, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Tuxedo, Oracle Virtual Directory, WebLogic, Oracle Web Tier, Puppet, RHEL, RSA Authentication Manager, SUSE Linux Enterprise Desktop, SLES, Unix (platform) ~ not comprehensive, vCenter Server, VMware vSphere.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights.
Provenance: internet client.
Creation date: 26/05/2014.
Identifiers: 1672316, 1673982, 1674339, 1675822, 2016214, c04399728, c05324755, CERTFR-2014-AVI-382, cpuapr2017, cpujan2018, cpujan2019, cpuoct2017, cpuoct2018, CVE-2014-0114, DSA-2940-1, ESA-2014-080, FEDORA-2014-9380, HPSBGN03669, HPSBMU03090, ibm10719287, ibm10719297, ibm10719301, ibm10719303, ibm10719307, MDVSA-2014:095, RHSA-2014:0474-01, RHSA-2014:0497-01, RHSA-2014:0500-01, RHSA-2014:0511-01, RHSA-2018:2669-01, SOL15282, SUSE-SU-2014:0902-1, swg22017525, VIGILANCE-VUL-14799, VMSA-2014-0008, VMSA-2014-0008.1, VMSA-2014-0008.2, VMSA-2014-0012.

Description of the vulnerability

The Apache Struts product is used to develop Java EE applications.

However, the "class" parameter is mapped to getClass(), and can be used to manipulate the ClassLoader.

An attacker can therefore use the "class" parameter, to manipulate the ClassLoader, in order to execute code.
Full Vigil@nce bulletin... (Free trial)

vulnerability CVE-2013-1620 CVE-2014-0413 CVE-2014-0414

Oracle Fusion: several vulnerabilities of April 2014

Synthesis of the vulnerability

Several vulnerabilities of Oracle Fusion were announced in April 2014.
Impacted products: Oracle Fusion Middleware, Oracle Identity Management, WebLogic.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service, denial of service on client.
Provenance: internet client.
Number of vulnerabilities in this bulletin: 20.
Creation date: 16/04/2014.
Identifiers: cpuapr2014, CVE-2013-1620, CVE-2014-0413, CVE-2014-0414, CVE-2014-0426, CVE-2014-0450, CVE-2014-0465, CVE-2014-2399, CVE-2014-2400, CVE-2014-2404, CVE-2014-2407, CVE-2014-2411, CVE-2014-2415, CVE-2014-2416, CVE-2014-2417, CVE-2014-2418, CVE-2014-2424, CVE-2014-2425, CVE-2014-2426, CVE-2014-2452, CVE-2014-2470, VIGILANCE-VUL-14600, ZDI-14-106, ZDI-14-107, ZDI-14-108, ZDI-14-109, ZDI-14-110, ZDI-14-111.

Description of the vulnerability

Several vulnerabilities were announced in Oracle Fusion.

An attacker can use a vulnerability of Oracle WebLogic Server, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2470]

An attacker can use a vulnerability of Oracle Identity Analytics, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; CVE-2014-2411]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to obtain information. [severity:2/4; CVE-2014-0414]

An attacker can use a vulnerability of Oracle Data Integrator DateTimeWrapper, in order to trigger a denial of service. [severity:2/4; CVE-2014-2416, ZDI-14-107]

An attacker can use a vulnerability of Oracle Data Integrator onloadstatechange, in order to trigger a denial of service. [severity:2/4; CVE-2014-2417, ZDI-14-108]

An attacker can use a vulnerability of Oracle Data Integrator PostcardPreviewInt, in order to trigger a denial of service. [severity:2/4; CVE-2014-2415, ZDI-14-109]

An attacker can use a vulnerability of Oracle Data Integrator FileChooserDlg, in order to trigger a denial of service. [severity:2/4; CVE-2014-2418, ZDI-14-110]

An attacker can use a vulnerability of Oracle Data Integrator LoaderWizard, in order to trigger a denial of service. [severity:2/4; CVE-2014-2407, ZDI-14-111]

An attacker can use a vulnerability of Oracle WebCenter Portal, in order to obtain information. [severity:2/4; CVE-2014-0450]

An attacker can use a vulnerability of Oracle OpenSSO, in order to trigger a denial of service. [severity:2/4; CVE-2014-2426]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to alter information. [severity:2/4; CVE-2014-0426]

An attacker can use a vulnerability of Oracle Containers for J2EE, in order to alter information. [severity:2/4; CVE-2014-0413]

An attacker can use a vulnerability of Oracle Endeca Server, in order to alter information. [severity:2/4; CVE-2014-2400]

An attacker can use a vulnerability of Oracle Endeca Server, in order to alter information. [severity:2/4; CVE-2014-2399]

An attacker can use a vulnerability of Oracle OpenSSO, in order to obtain information. [severity:2/4; CVE-2013-1620]

An attacker can use a vulnerability of Oracle Access Manager, in order to obtain information. [severity:2/4; CVE-2014-2404]

An attacker can use a vulnerability of Oracle Access Manager, in order to trigger a denial of service. [severity:2/4; CVE-2014-2452]

An attacker can use a vulnerability of Oracle Event Processing FileUploadServlet, in order to alter information. [severity:2/4; CVE-2014-2424, ZDI-14-106]

An attacker can use a vulnerability of Oracle OpenSSO, in order to obtain information. [severity:2/4; CVE-2014-2425]

An attacker can use a vulnerability of Oracle OpenSSO, in order to alter information. [severity:1/4; CVE-2014-0465]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability note CVE-2013-1741 CVE-2013-2566 CVE-2013-5605

NSS: multiple vulnerabilities

Synthesis of the vulnerability

An attacker can use several vulnerabilities of NSS.
Impacted products: Debian, Fedora, Junos Space, Firefox, NSS, SeaMonkey, Thunderbird, openSUSE, Oracle Communications, Oracle Directory Server, Oracle Directory Services Plus, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle iPlanet Web Server, Oracle OIT, Solaris, Oracle Virtual Directory, WebLogic, Oracle Web Tier, RHEL, Slackware, SUSE Linux Enterprise Desktop, SLES.
Severity: 3/4.
Consequences: user access/rights, data reading, data creation/edition, data flow, denial of service on service, denial of service on client.
Provenance: document.
Number of vulnerabilities in this bulletin: 4.
Creation date: 18/11/2013.
Revision date: 19/11/2013.
Identifiers: BID-58796, BID-63736, BID-63737, BID-63738, CERTA-2013-AVI-642, CERTFR-2014-AVI-318, CERTFR-2017-AVI-012, cpuapr2017, cpujul2014, cpuoct2016, cpuoct2017, CVE-2013-1741, CVE-2013-2566, CVE-2013-5605, CVE-2013-5606, DSA-2800-1, DSA-2994-1, DSA-3071-1, FEDORA-2013-22456, FEDORA-2013-22467, FEDORA-2013-23301, FEDORA-2013-23479, JSA10770, MFSA 2013-103, openSUSE-SU-2013:1730-1, openSUSE-SU-2013:1732-1, RHSA-2013:1791-01, RHSA-2013:1829-01, RHSA-2013:1840-01, RHSA-2013:1841-01, RHSA-2014:0041-01, SSA:2013-339-01, SSA:2013-339-02, SSA:2013-339-03, SUSE-SU-2013:1807-1, VIGILANCE-VUL-13789.

Description of the vulnerability

Several vulnerabilities were announced in NSS.

On a 64 bit computer, an attacker can generate the initialization of a large memory area, in order to trigger a denial of service. [severity:1/4; BID-63736, CVE-2013-1741]

An attacker can generate a buffer overflow in Null Cipher, in order to trigger a denial of service, and possibly to execute code. [severity:3/4; BID-63738, CVE-2013-5605]

When verifyLog is used, the return code of CERT_VerifyCert() is incorrect, so an invalid certificate may be accepted. [severity:2/4; BID-63737, CVE-2013-5606]

When an attacker has 2^30 RC4 encrypted messages with different keys, he can guess the clear text message (VIGILANCE-VUL-12530). [severity:1/4; BID-58796, CVE-2013-2566]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about WebLogic: