The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Vulnerability of Oracle Fusion Middleware: several vulnerabilities of October 2013

Summary of the vulnerability

Several vulnerabilities in Oracle Fusion Middleware are fixed by the Critical Patch Update (CPU) of October 2013.
Severity of this announcement: 3/4.
Number of vulnerabilities in this bulletin: 15.
Creation date: 16/10/2013.
References for this vulnerability: BID-63041, BID-63043, BID-63049, BID-63052, BID-63054, BID-63058, BID-63066, BID-63069, BID-63074, CERTA-2013-AVI-575, cpuoct2013, CVE-2011-3389, CVE-2013-0169, CVE-2013-2172, CVE-2013-3827, CVE-2013-3828, CVE-2013-3831, CVE-2013-3833, CVE-2013-3836, CVE-2013-5773, CVE-2013-5798, CVE-2013-5813, CVE-2013-5815, CVE-2013-5816, RHSA-2013:1437-01, RHSA-2014:1369-01, VIGILANCE-VUL-13603, ZDI-13-249.

Description of the vulnerability

A Critical Patch Update fixes the following vulnerabilities in Oracle Fusion Middleware.

An attacker can use a vulnerability of Security, in order to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63041, CVE-2013-5815]

An attacker can use a SQL injection in PORTAL_DEMO.ORG_CHART, in order to read or alter data. [severity:2/4; BID-63043, CVE-2013-3831]

An attacker can use a vulnerability of Content Server, in order to obtain or alter information. [severity:2/4; BID-63049, CVE-2013-5813]

An attacker can use a vulnerability of Java Server Faces, in order to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can use a vulnerability of Metro, in order to trigger a denial of service. [severity:2/4; BID-63054, CVE-2013-5816]

An attacker can use a vulnerability of Web Container, in order to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can traverse directories in the Test Page of BPEL Process Manager, in order to read a file outside the root path. [severity:2/4; BID-63058, CVE-2013-3828, ZDI-13-249]
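As an added defender-side illustration of the flaw class named in the BPEL Process Manager entry above (this is not Oracle's code and does not describe the patched component), the following Python function shows the root-containment check a file-serving handler should apply before opening a requested path: the request is joined to the document root, both sides are canonicalised with realpath() so that ".." segments and symbolic links are resolved, and the request is refused unless the result still lies under the root. The directory layout, file names and the `resolve_within_root` / `demo` names are constructed for this example.

```python
import os
import tempfile
from typing import Optional


def resolve_within_root(root: str, requested: str) -> Optional[str]:
    """Return the canonical path for `requested` if it stays under `root`, else None.

    `requested` is treated as relative to `root` even when it starts with a slash,
    and both sides are canonicalised with realpath() so that '..' segments and
    symbolic links are resolved before the containment check is made.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.join(root_real, requested.lstrip("/\\"))
    candidate_real = os.path.realpath(candidate)
    try:
        inside = os.path.commonpath([root_real, candidate_real]) == root_real
    except ValueError:  # different drives on Windows: cannot be inside the root
        inside = False
    return candidate_real if inside else None


def demo() -> dict:
    """Build a constructed document root in a temp dir and probe it with four requests."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public")
    os.makedirs(root)
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html></html>\n")
    # A file outside the root, plus a symlink inside the root that points at it
    # (both constructed for the demo): the symlink must be refused as well.
    outside = os.path.join(base, "secret.txt")
    with open(outside, "w") as fh:
        fh.write("not for the web\n")
    os.symlink(outside, os.path.join(root, "link"))

    return {
        "normal": resolve_within_root(root, "index.html"),      # served
        "traversal": resolve_within_root(root, "../secret.txt"),  # refused
        "absolute": resolve_within_root(root, "/index.html"),   # served, as relative
        "symlink": resolve_within_root(root, "link"),           # refused
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} -> {'denied' if result is None else result}")
```

Checking the canonical path rather than the raw string is what defeats both encoded or nested ".." sequences and symlinks that escape the root; a purely lexical filter on the request string catches neither reliably.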

An attacker can use a vulnerability of Web Container, in order to obtain information. [severity:2/4; BID-63052, CVE-2013-3827]

An attacker can use a vulnerability of Authentication Engine, in order to alter information. [severity:2/4; CVE-2013-3833]

An attacker can use a vulnerability of Servlet Runtime, in order to alter information. [severity:2/4; BID-63066, CVE-2013-5773]

An attacker can use a vulnerability of Metro, in order to alter information. [severity:2/4; CVE-2013-2172]

An attacker can use a vulnerability of End User Self Service, in order to alter information. [severity:2/4; BID-63069, CVE-2013-5798]

An attacker can use a vulnerability of SSL/TLS, in order to obtain information (VIGILANCE-VUL-11014). [severity:2/4; CVE-2011-3389]

An attacker can use a vulnerability of ESI/Partial Page Caching, in order to obtain information. [severity:2/4; BID-63074, CVE-2013-3836]

An attacker can use a vulnerability of SSL/TLS, in order to obtain information (VIGILANCE-VUL-12374). [severity:1/4; CVE-2013-0169]

This security note impacts software or systems such as Oracle AS, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Portal, WebLogic.

Our Vigil@nce team determined that the severity of this announcement is important.

Trust level: confirmed by the vendor. Attack origin: internet client.

This bulletin covers 15 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with technician-level skill can exploit this vulnerability.

Solutions for this threat

Oracle Fusion Middleware: CPU of October 2013.
A Critical Patch Update is available:
  https://support.oracle.com/rs?type=doc&id=1571391.1

Red Hat Fuse ESB Enterprise: version 7.1.0 R1 P6.
The version 7.1.0 R1 P6 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.esb.enterprise&downloadType=securityPatches&version=7.1.0
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=fuse.mq.enterprise&downloadType=securityPatches&version=7.1.0

Red Hat JBoss Portal: version 6.1.0.
The version 6.1.0 is fixed:
  https://access.redhat.com/jbossnetwork/restricted/listSoftware.html?product=jbportal&downloadType=distributions
