The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability bulletin CVE-2011-3389 CVE-2013-0169 CVE-2013-2172

Oracle Fusion Middleware: several vulnerabilities of October 2013

Summary of the vulnerability

Several vulnerabilities in Oracle Fusion Middleware are fixed by the October 2013 Critical Patch Update (CPU).
Vulnerable software: Oracle AS, Oracle Fusion Middleware, Oracle GlassFish Server, Oracle Identity Management, Oracle Portal, WebLogic.
Severity of this announcement: 3/4.
Consequences of an intrusion: privileged access/rights, user access/rights, client access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Attacker's origin: internet client.
Number of vulnerabilities in this bulletin: 15.
Creation date: 16/10/2013.
References of this computer vulnerability: BID-63041, BID-63043, BID-63049, BID-63052, BID-63054, BID-63058, BID-63066, BID-63069, BID-63074, CERTA-2013-AVI-575, cpuoct2013, CVE-2011-3389, CVE-2013-0169, CVE-2013-2172, CVE-2013-3827, CVE-2013-3828, CVE-2013-3831, CVE-2013-3833, CVE-2013-3836, CVE-2013-5773, CVE-2013-5798, CVE-2013-5813, CVE-2013-5815, CVE-2013-5816, RHSA-2013:1437-01, RHSA-2014:1369-01, VIGILANCE-VUL-13603, ZDI-13-249.

Description of the vulnerability

A Critical Patch Update fixes several vulnerabilities in Oracle Fusion Middleware.

An attacker can exploit a vulnerability in Security to obtain information, to alter information, or to trigger a denial of service. [severity:3/4; BID-63041, CVE-2013-5815]

An attacker can exploit a SQL injection in PORTAL_DEMO.ORG_CHART to read or alter data. [severity:2/4; BID-63043, CVE-2013-3831]

An attacker can exploit a vulnerability in Content Server to obtain or alter information. [severity:2/4; BID-63049, CVE-2013-5813]

An attacker can exploit a vulnerability in Java Server Faces to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can exploit a vulnerability in Metro to trigger a denial of service. [severity:2/4; BID-63054, CVE-2013-5816]

An attacker can exploit a vulnerability in Web Container to obtain information. [severity:2/4; CVE-2013-3827]

An attacker can traverse directories in Test Page BPEL Process Manager to read a file outside the root path. [severity:2/4; BID-63058, CVE-2013-3828, ZDI-13-249]

An attacker can exploit a vulnerability in Web Container to obtain information. [severity:2/4; BID-63052, CVE-2013-3827]

An attacker can exploit a vulnerability in Authentication Engine to alter information. [severity:2/4; CVE-2013-3833]

An attacker can exploit a vulnerability in Servlet Runtime to alter information. [severity:2/4; BID-63066, CVE-2013-5773]

An attacker can exploit a vulnerability in Metro to alter information. [severity:2/4; CVE-2013-2172]

An attacker can exploit a vulnerability in End User Self Service to alter information. [severity:2/4; BID-63069, CVE-2013-5798]

An attacker can exploit a vulnerability in SSL/TLS to obtain information (VIGILANCE-VUL-11014). [severity:2/4; CVE-2011-3389]

An attacker can exploit a vulnerability in ESI/Partial Page Caching to obtain information. [severity:2/4; BID-63074, CVE-2013-3836]

An attacker can exploit a vulnerability in SSL/TLS to obtain information (VIGILANCE-VUL-12374). [severity:1/4; CVE-2013-0169]