Multiple Vulnerabilities in Oracle Products

 

Systems Affected


Oracle Access Manager, version(s) 11.1.2.2, 11.1.2.3
Oracle Business Intelligence Enterprise Edition, version(s) 11.1.1.7, 11.1.1.9
Oracle Endeca Server, version(s) 7.3.0.0, 7.4.0.0, 7.5.1.1, 7.6.1.0.0
Oracle Enterprise Data Quality, version(s) 8.1, 9.0, 11.1.1.7.4, 12.1.3.0.0
Oracle Exalogic Infrastructure, version(s) EECS 2.0.6.2.3
Oracle Fusion Middleware, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.8, 11.1.1.9, 11.1.2.1, 11.1.2.2, 11.1.2.3, 12.1.2.0, 12.1.3.0
Oracle GlassFish Server, version(s) 3.0.1, 3.1.2
Oracle HTTP Server, version(s) 10.1.3.5, 11.1.1.7, 11.1.1.9, 12.1.2.0, 12.1.3.0
Oracle Identity Manager, version(s) 11.1.1.7, 11.1.2.2, 11.1.2.3
Oracle JDeveloper, version(s) 11.1.2.4.0, 12.1.2.0.0, 12.1.3.0.0
Oracle Mobile Security Suite, version(s) MSS 3.0
Oracle Outside In Technology, version(s) 8.5.0, 8.5.1, 8.5.2
Oracle Traffic Director, version(s) 11.1.1.7.0, 11.1.1.9.0
Oracle WebCenter Content, version(s) 10.1.3.5.1
Oracle WebCenter Sites, version(s) 7.6.2, 11.1.1.6.1, 11.1.1.8.0
Hyperion Installation Technology, version(s) 11.1.2.3
Enterprise Manager Base Platform, version(s) 12.1.0.4, 12.1.0.5
Enterprise Manager Ops Center, version(s) 12.1.0.1, 12.2.2
OSS Support Tools, version(s) prior to 8.8.15.7.15
Oracle E-Business Suite, version(s) 11.5.10.2, 12.0.6, 12.1.3, 12.2.3, 12.2.4
Oracle Agile Engineering Data Management, version(s) 6.1.2.2, 6.1.3.0, 6.2.0.0
Oracle Agile PLM, version(s) 9.3.3, 9.3.4
Oracle Configurator, version(s) 12.0.6, 12.1.3, 12.2.3, 12.2.4
Oracle Transportation Management, version(s) 6.1, 6.2
PeopleSoft Enterprise FIN Expenses, version(s) 9.2
PeopleSoft Enterprise FSCM, version(s) 9.2
PeopleSoft Enterprise HCM, version(s) 9.2
PeopleSoft Enterprise HCM Talent Acquisition Management, version(s) 9.2
PeopleSoft Enterprise PeopleTools, version(s) 8.53, 8.54
Siebel Applications, version(s) IP2014, IP2015
Oracle Fusion Applications, version(s) 11.1.2 through 11.1.9
Oracle Utilities Work and Asset Management, version(s) 1.9.1.1.2
Oracle Communications Convergence, version(s) 2.0, 3.0.1
Oracle Communications Diameter Signaling Router (DSR), version(s) 4.1.6 and prior, 5.1.0 and prior, 6.0.2 and prior, 7.1.0 and prior
Oracle Communications LSMS, version(s) 13.1
Oracle Communications Messaging Server, version(s) 7.0.5, 8.0
Oracle Communications Performance Intelligence Center Software, version(s) 9.0.3 and prior, 10.1.5 and prior
Oracle Communications Policy Management, version(s) 9.9.0 and prior, 10.5.0 and prior, 11.5.0 and prior, 12.1.0 and prior
Oracle Communications Tekelec HLR Router, version(s) 4.0.0
Oracle Communications User Data Repository, version(s) 10.2.0 and prior
Oracle Retail Back Office, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, RM2.0
Oracle Retail Central Office, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, RM2.0
Oracle Retail Open Commerce Platform, version(s) 3.0
Oracle Retail Returns Management, version(s) 12.0, 12.0IN, 13.0, 13.1, 13.2, 13.3, 13.4, 14.0, RM2.0
Oracle FS1-2 Flash Storage System, version(s) 6.1, 6.2, 6.3
Oracle VM VirtualBox, version(s) prior to 4.0.34, prior to 4.1.42, prior to 4.2.34, prior to 4.3.32, prior to 5.0.8
Mobile Server, version(s) 10.3.0.3, 11.3.0.2, 12.1.0.0

Threat Level


High


Overview


Multiple vulnerabilities have been reported in various Oracle products which could be exploited by a remote attacker to cause Denial-of-Service attacks, disclosure of sensitive information and arbitrary code execution.


Description


1. Multiple vulnerabilities in Oracle Fusion Middleware
(CVE-2014-3576 CVE-2014-1569 CVE-2015-1791 CVE-2015-0286 CVE-2015-1829 CVE-2015-4909 CVE-2015-3571 CVE-2015-1622 CVE-2015-4912 CVE-2015-4899 CVE-2015-0191 CVE-2015-4832 CVE-2015-4867 CVE-2015-4880 CVE-2015-4799 CVE-2015-4838 CVE-2015-4914 CVE-2015-4812 CVE-2015-4877 CVE-2015-4878 CVE-2015-4809 CVE-2015-4811)
Multiple vulnerabilities exist in various components of Oracle Fusion Middleware which could be exploited by a remote attacker by launching network attacks via HTTP/HTTPS. Successful exploitation of these vulnerabilities could lead to Denial-of-Service (DoS) or unauthorized access to arbitrary operating system locations.

2. Vulnerability in Oracle Hyperion (CVE-2015-4823)
This vulnerability exists in the Hyperion Installation Technology component of Oracle Hyperion and could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of this vulnerability could lead to unauthorized access to data accessible to the component.

3. Multiple vulnerabilities in Oracle Enterprise Manager Grid Control (CVE-2015-1793 CVE-2015-4859 CVE-2015-4875 CVE-2015-4874 CVE-2015-2633)
Multiple vulnerabilities exist in various components of Oracle Enterprise Manager Grid Control which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of these vulnerabilities could lead to unauthorized access to data accessible to the component or could result in partial Denial-of-Service (DoS) conditions.

4. Multiple vulnerabilities in Oracle E-Business Suite (CVE-2015-4798)
Multiple vulnerabilities exist in various components of Oracle E-Business Suite which could be exploited by a remote attacker by launching network attacks via HTTP/HTTPS. Successful exploitation of these vulnerabilities could lead to unauthorized access to data accessible to the component or could result in partial Denial-of-Service (DoS) conditions.

5. Multiple vulnerabilities in Oracle Supply Chain Products Suite (CVE-2015-1791)
Multiple vulnerabilities exist in various components of Oracle Supply Chain Products Suite which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of these vulnerabilities could lead to unauthorized access to data accessible to the component or could result in partial Denial-of-Service (DoS) conditions.

6. Multiple vulnerabilities in Oracle PeopleSoft Products (CVE-2015-4887)
Multiple vulnerabilities exist in various components of Oracle PeopleSoft Products which could be exploited by a remote attacker by launching network attacks via HTTP. Successful exploitation of these vulnerabilities could lead to unauthorized access to data accessible to the component, unauthorized operating system takeover including arbitrary code execution, or partial Denial-of-Service (DoS) conditions.

7. Vulnerability in Oracle Siebel CRM (CVE-2015-4841)
The vulnerability exists in various components of Oracle Siebel CRM and could be exploited by a remote attacker by launching network attacks via HTTPS. Successful exploitation of this vulnerability could lead to unauthorized access to data accessible to the component.

8. Vulnerability in Oracle Industry Applications (CVE-2015-4795)
The vulnerability exists in the Oracle Utilities Work and Asset Management component of Oracle Industry Applications and could be exploited by a remote attacker by launching unauthenticated network attacks via HTTP. Successful exploitation of this vulnerability can result in unauthorized update, insert or delete access to Oracle Utilities Work and Asset Management accessible data, access to a subset of Oracle Utilities Work and Asset Management accessible data, or partial Denial-of-Service (DoS) conditions.

9. Multiple vulnerabilities in Oracle Communications Applications (CVE-2015-2608 CVE-2015-7940 CVE-2015-0235 CVE-2015-4793 CVE-2015-4000)
Multiple vulnerabilities exist in various components of Oracle Communications Applications which could be exploited by a remote attacker by launching unauthenticated network attacks via HTTP or SSL/TLS. Successful exploitation of these vulnerabilities could lead to unauthorized access to data accessible to the component, unauthorized operating system takeover including arbitrary code execution, or partial Denial-of-Service (DoS) conditions.

10. Multiple vulnerabilities in Oracle Retail Applications (CVE-2015-0050 CVE-2015-4827)
Multiple vulnerabilities exist in various components of Oracle Retail Applications which could be exploited by a remote attacker by launching unauthenticated network attacks via HTTP. Successful exploitation can result in unauthorized update, insert or delete access to some Oracle Retail Open Commerce Platform accessible data, or to a subset of Oracle Retail Open Commerce Platform accessible data.


Impact



Solution/Workarounds


Apply the appropriate patches as mentioned in the Oracle Security Bulletin available at

http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
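
To decide which hosts need the patches, the "prior to X" and "X and prior" entries in the Systems Affected list have to be compared per release branch, not against the highest version alone. The following is an added example, not part of the original advisory: the inventory is constructed, and treating the first two version components (VirtualBox) or the first component (DSR) as the branch is an assumption.

```python
import re

# Bounds copied from the Systems Affected list above.
VIRTUALBOX_PRIOR_TO = ["4.0.34", "4.1.42", "4.2.34", "4.3.32", "5.0.8"]
DSR_AND_PRIOR = ["4.1.6", "5.1.0", "6.0.2", "7.1.0"]


def parse(version):
    """Turn '4.3.30' into (4, 3, 30); reject anything non-numeric."""
    if not re.fullmatch(r"\d+(\.\d+)*", version):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(part) for part in version.split("."))


def status(installed, bounds, branch_parts=2, inclusive=False):
    """Classify an installed version against per-branch advisory bounds.

    branch_parts -- leading components that identify a branch (assumption)
    inclusive    -- True for "X and prior", False for "prior to X"
    """
    inst = parse(installed)
    for bound in map(parse, bounds):
        if inst[:branch_parts] == bound[:branch_parts]:
            hit = inst <= bound if inclusive else inst < bound
            return "affected" if hit else "outside_range"
    # Branch not named in the advisory: consult the vendor bulletin.
    return "unlisted_branch"


# Constructed inventory for illustration (hostnames and versions are made up).
INVENTORY = [("build-01", "4.3.30"), ("build-02", "4.3.32"),
             ("lab-07", "5.0.6"), ("legacy-03", "3.2.10")]


def triage(inventory, bounds=VIRTUALBOX_PRIOR_TO):
    """Map each host to its status for the given product bounds."""
    return {host: status(ver, bounds) for host, ver in inventory}


if __name__ == "__main__":
    for host, result in triage(INVENTORY).items():
        print(f"{host}: {result}")
```

A single comparison against 5.0.8 would wrongly flag build-02 (4.3.32), which already sits at its branch's bound; the per-branch check does not.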


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.


 
     

© Copyright Sri Lanka CERT|CC. All Rights Reserved.