Oracle / Sun applications multiple security vulnerabilities
updated since 15.07.2010
Published: 20.07.2010
Source:
SecurityVulns ID: 10999
Type: remote
Threat Level: 8/10
Description: Quarterly update fixes 59 different vulnerabilities.
Affected: ORACLE : Solaris 8
 ORACLE : Solaris 9
 ORACLE : WebLogic Server 7.0
 ORACLE : Oracle 9i
 ORACLE : Oracle E-Business Suite 11.5
 ORACLE : Solaris 10
 ORACLE : Oracle 10g
 ORACLE : WebLogic Server 8.1
 ORACLE : Oracle Application Server 10g
 ORACLE : Oracle 11g
 ORACLE : PeopleSoft Enterprise PeopleTools 8.49
 ORACLE : WebLogic Server 10.0
 ORACLE : WebLogic Server 9.0
 ORACLE : PeopleSoft Enterprise CRM 9.0
 ORACLE : TimesTen In-Memory Database 7.0
 ORACLE : JRockit 27.6
 ORACLE : Oracle E-Business Suite 12.1
 ORACLE : Oracle E-Business Suite 12.0
 ORACLE : PeopleSoft Enterprise HCM 9.0
 ORACLE : PeopleSoft Enterprise HCM 8.9
 ORACLE : Oracle Transportation Manager 5.5
 ORACLE : Oracle Transportation Manager 6.0
 ORACLE : PeopleSoft Enterprise PeopleTools 8.50
 ORACLE : Oracle Secure Backup 10.3
 ORACLE : Oracle Identity Management 10g
 ORACLE : WebLogic Server 11g
 ORACLE : WebLogic Server 10g
 ORACLE : JRockit 28.0
 ORACLE : Oracle Business Process Management 5.7
 ORACLE : Oracle Business Process Management 6.0
 ORACLE : Oracle Business Process Management 10.3
 ORACLE : PeopleSoft Enterprise Campus Solutions 9.0
 ORACLE : PeopleSoft Enterprise CRM 9.1
 ORACLE : PeopleSoft Enterprise FSCM 8.9
 ORACLE : PeopleSoft Enterprise FSCM 9.0
 ORACLE : PeopleSoft Enterprise FSCM 9.1
 ORACLE : PeopleSoft Enterprise HCM 9.1
CVE: CVE-2010-2403 (Unspecified vulnerability in the PeopleSoft Enterprise Campus Solutions component in Oracle PeopleSoft and JDEdwards Suite Campus Solutions 9.0 Bundle #17 allows remote authenticated users to affect confidentiality via unknown vectors.)
 CVE-2010-2402 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.27 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2010-2401 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - eProfile Mgr component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #9 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2010-2400 (Unspecified vulnerability in Oracle Solaris 9 and 10, and OpenSolaris, allows local users to affect availability via unknown vectors related to Kernel/Filesystem.)
 CVE-2010-2399 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability via unknown vectors related to Kernel/VM.)
 CVE-2010-2398 (Unspecified vulnerability in the PeopleSoft Enterprise HCM component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #12 allows remote authenticated users to affect confidentiality via unknown vectors.)
 CVE-2010-2397 (Unspecified vulnerability in Oracle Sun Java System Application Server 8.0, 8.1, and 8.2; and GlassFish Enterprise Server 2.1.1; allows local users to affect confidentiality and integrity, related to the GUI.)
 CVE-2010-2394 (Unspecified vulnerability in Oracle Solaris 10 allows local users to affect availability, related to TCP/IP.)
 CVE-2010-2393 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect availability, related to RPC.)
 CVE-2010-2392 (Unspecified vulnerability in Oracle Solaris 10 and OpenSolaris allows local users to affect integrity and availability, related to ZFS.)
 CVE-2010-2386 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSolaris, allows local users to affect availability via unknown vectors related to GigaSwift Ethernet Driver.)
 CVE-2010-2385 (Unspecified vulnerability in Oracle Sun Java System Web Proxy Server 4.0.13 allows remote attackers to affect confidentiality and integrity via unknown vectors related to Administration Server.)
 CVE-2010-2384 (Unspecified vulnerability in Oracle Solaris 9 and 10 allows local users to affect confidentiality and integrity via unknown vectors related to Solaris Management Console.)
 CVE-2010-2383 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10, and OpenSolaris, allows local users to affect confidentiality and integrity, related to NFS.)
 CVE-2010-2382 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors.)
 CVE-2010-2381 (Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors.)
 CVE-2010-2380 (Unspecified vulnerability in the PeopleSoft Enterprise FSCM component in Oracle PeopleSoft and JDEdwards Suite SCM 8.9 Bundle #37, SCM 9.0 Bundle #30, and SCM 9.1 Bundle #4 allows local users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-2379 (Unspecified vulnerability in the PeopleSoft Enterprise HCM - Time & Labor component in Oracle PeopleSoft and JDEdwards Suite HCM 9.0 Bundle #13 and HCM 9.1 Bundle #2 allows remote authenticated users to affect confidentiality via unknown vectors.)
 CVE-2010-2378 (Unspecified vulnerability in the PeopleSoft Enterprise CRM component in Oracle PeopleSoft and JDEdwards Suite CRM 9.0 Bundle #28 and CRM 9.1 Bundle #4 allows local users to affect confidentiality and integrity via unknown vectors.)
 CVE-2010-2377 (Unspecified vulnerability in the PeopleSoft Enterprise PeopleTools component in Oracle PeopleSoft and JDEdwards Suite 8.49.27 and 8.50.10 allows remote authenticated users to affect integrity via unknown vectors.)
 CVE-2010-2376 (Unspecified vulnerability in Oracle Solaris 8, 9, and 10 allows local users to affect confidentiality and integrity via unknown vectors related to Solaris Management Console.)
 CVE-2010-2375 (Package/Privilege: Plugins for Apache, Sun and IIS web servers. Unspecified vulnerability in the WebLogic Server component in Oracle Fusion Middleware 7.0 SP7, 8.1 SP6, 9.0, 9.1, 9.2 MP3, 10.0 MP2, 10.3.2, and 10.3.3 allows remote attackers to affect confidentiality and integrity, related to IIS.)
 CVE-2010-2374 (Unspecified vulnerability in Solaris Studio 12 update 1 allows local users to affect confidentiality and integrity via unknown vectors.)
 CVE-2010-2373 (Unspecified vulnerability in the Console component in Oracle Enterprise Manager Grid Control 10.1.0.6 and 10.2.0.5 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-2372 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1.1 allows remote attackers to affect integrity via unknown vectors, a different vulnerability than CVE-2010-2371.)
 CVE-2010-2371 (Unspecified vulnerability in the Oracle Transportation Management component in Oracle Supply Chain Products Suite 6.1.1 allows local users to affect confidentiality via unknown vectors, a different vulnerability than CVE-2010-2372.)
 CVE-2010-2370 (Unspecified vulnerability in the Oracle Business Process Management component in Oracle Fusion Middleware 5.7 MP3, 6.0 MP5, and 10.3 MP2 allows remote attackers to affect integrity, related to BPM.)
 CVE-2010-0916 (Unspecified vulnerability in Oracle OpenSolaris 10 allows local users to affect confidentiality, integrity, and availability via unknown vectors related to rdist.)
 CVE-2010-0915 (Unspecified vulnerability in the Oracle Advanced Product Catalog component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality and integrity via unknown vectors.)
 CVE-2010-0914 (Unspecified vulnerability in Oracle Sun Convergence 1.0 allows remote attackers to affect confidentiality via unknown vectors related to Mail, Calendar, Address Book, and Instant Messaging.)
 CVE-2010-0913 (Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0912 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0911 (Unspecified vulnerability in the Listener component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote attackers to affect availability via unknown vectors.)
 CVE-2010-0910 (Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 and 11.2.1.4.1 allows remote attackers to affect availability via unknown vectors.)
 CVE-2010-0909 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote authenticated users to affect confidentiality via unknown vectors.)
 CVE-2010-0908 (Unspecified vulnerability in the Oracle Applications Framework component in Oracle E-Business Suite 12.1.2 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-0907 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0899, CVE-2010-0904, and CVE-2010-0906.)
 CVE-2010-0906 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-0905 (Unspecified vulnerability in the Oracle Applications Manager component in Oracle E-Business Suite 11.5.10.2 and 12.0.4 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0904 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0903 (Unspecified vulnerability in the Net Foundation Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors.)
 CVE-2010-0902 (Unspecified vulnerability in the Oracle OLAP component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-0901 (Unspecified vulnerability in the Export component in Oracle Database Server 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1 allows remote authenticated users to affect confidentiality via unknown vectors related to Select Any Dictionary.)
 CVE-2010-0900 (Unspecified vulnerability in the Network Layer component in Oracle Database Server 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7, and 11.2.0.1, when running on Windows, allows remote attackers to affect availability via unknown vectors.)
 CVE-2010-0899 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors, a different vulnerability than CVE-2010-0898, CVE-2010-0907, and CVE-2010-0906.)
 CVE-2010-0898 (Unspecified vulnerability in Oracle Secure Backup 10.3.0.1 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-0892 (Unspecified vulnerability in the Application Express component in Oracle Database Server 3.2.0.00.27 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0873 (Unspecified vulnerability in the Data Server component in Oracle TimesTen In-Memory Database 7.0.6.0 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-0849 (Unspecified vulnerability in the Java 2D component in Oracle Java SE and Java for Business 6 Update 18, 5.0 Update 23, 1.4.2_25, and 1.3.1_27 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the March 2010 CPU. Oracle has not commented on claims from a reliable researcher that this is a heap-based buffer overflow in a decoding routine used by the JPEGImageDecoderImpl interface, which allows code execution via a crafted JPEG image.)
 CVE-2010-0836 (Unspecified vulnerability in the Oracle Knowledge Management component in Oracle E-Business Suite 11.5.10.2, 12.0.6, and 12.1.2 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0835 (Unspecified vulnerability in the Wireless component in Oracle Fusion Middleware 10.1.2.3 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2010-0083 (Unspecified vulnerability in Oracle OpenSolaris 8, 9, and 10 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.)
 CVE-2010-0081 (Unspecified vulnerability in the Application Server Control component in Oracle Fusion Middleware 10.1.2.3 and 10.1.4.0.1 allows remote authenticated users to affect integrity via unknown vectors.)
 CVE-2009-3764 (Unspecified vulnerability in the OpenSSO component in Oracle OpenSSO Enterprise 8.0 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-3763 (Unspecified vulnerability in the Access Manager / OpenSSO component in Oracle OpenSSO Enterprise 7.1, 7, 2005Q4, and 8.0 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-3762 (Unspecified vulnerability in Oracle OpenSSO Enterprise 8.0 allows remote attackers to affect integrity via unknown vectors.)
 CVE-2009-3555 (The TLS protocol, and the SSL protocol 3.0 and possibly earlier, as used in Microsoft Internet Information Services (IIS) 7.0, mod_ssl in the Apache HTTP Server 2.2.14 and earlier, OpenSSL before 0.9.8l, GnuTLS 2.8.5 and earlier, Mozilla Network Security Services (NSS) 3.12.4 and earlier, multiple Cisco products, and other products, does not properly associate renegotiation handshakes with an existing connection, which allows man-in-the-middle attackers to insert data into HTTPS sessions, and possibly other types of sessions protected by TLS or SSL, by sending an unauthenticated request that is processed retroactively by a server in a post-renegotiation context, related to a "plaintext injection" attack, aka the "Project Mogul" issue.)
 CVE-2009-0217 (The design of the W3C XML Signature Syntax and Processing (XMLDsig) recommendation, as implemented in products including (1) the Oracle Security Developer Tools component in Oracle Application Server 10.1.2.3, 10.1.3.4, and 10.1.4.3IM; (2) the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, 9.0, and 8.1 SP6; (3) Mono before 2.4.2.2; (4) XML Security Library before 1.2.12; (5) IBM WebSphere Application Server Versions 6.0 through 6.0.2.33, 6.1 through 6.1.0.23, and 7.0 through 7.0.0.1; (6) Sun JDK and JRE Update 14 and earlier; (7) Microsoft .NET Framework 3.0 through 3.0 SP2, 3.5, and 4.0; and other products uses a parameter that defines an HMAC truncation length (HMACOutputLength) but does not require a minimum for this length, which allows attackers to spoof HMAC-based signatures and bypass authentication by specifying a truncation length with a small number of bits.)
 CVE-2008-4247 (ftpd in OpenBSD 4.3, FreeBSD 7.0, NetBSD 4.0, Solaris, and possibly other operating systems interprets long commands from an FTP client as multiple commands, which allows remote attackers to conduct cross-site request forgery (CSRF) attacks and execute arbitrary FTP commands via a long ftp:// URI that leverages an existing session from the FTP client implementation in a web browser.)
Original documents:
 Frank Stuart, CVE-2010-2384: Solaris wbem unsafe use of temporary files (20.07.2010)
 Frank Stuart, CVE-2010-2383: Solaris nfslogd unsafe use of temporary files (20.07.2010)
 Frank Stuart, CVE-2010-2382: Solaris flar unsafe use of temporary files (20.07.2010)
 ZDI, TPTI-10-04: Oracle Secure Backup Scheduler Service Remote Code Execution Vulnerability (15.07.2010)
 ZDI, ZDI-10-118: Oracle Secure Backup Administration uname Authentication Bypass Vulnerability (15.07.2010)
 ZDI, ZDI-10-119: Oracle Secure Backup Administration $other Variable Command Injection Remote Code Execution Vulnerability (15.07.2010)
 ZDI, ZDI-10-120: Oracle Secure Backup Administration objectname Command Injection Remote Code Execution Vulnerability (15.07.2010)
 ZDI, ZDI-10-121: Command Injection Remote Code Execution Vulnerability (15.07.2010)
 ZDI, ZDI-10-122: Oracle Secure Backup Administration Command Injection Remote Code Execution Vulnerability (15.07.2010)
 ZDI, ZDI-10-123: Oracle Secure Backup Administration Authentication Bypass Vulnerability (15.07.2010)
 ZDI, ZDI-10-124: Oracle Secure Backup Web Interface Various Post-Auth Command Injection Remote Code Execution Vulnerabilities (15.07.2010)
 VSR Advisories, CVE-2010-2375: WebLogic Plugin HTTP Injection via Encoded URLs (15.07.2010)
 CERT, US-CERT Technical Cyber Security Alert TA10-194B -- Oracle Updates for Multiple Vulnerabilities (15.07.2010)
 ORACLE, Oracle Critical Patch Update Advisory - July 2010 (15.07.2010)
Files: Oracle Critical Patch Update Advisory - July 2010

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod