

Oracle updates / alerts


38 replies to this topic

#31 AplusWebMaster

  • Authentic Member
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 01 May 2012 - 06:55 AM

FYI...

Oracle - Security Alert for CVE-2012-1675 - TNS listener
- http://www.oracle.co...75-1608180.html
2012-April-30 - "This security alert addresses the security issue CVE-2012-1675, a vulnerability in the TNS listener which has been recently disclosed as "TNS Listener Poison Attack" affecting the Oracle Database Server. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the confidentiality, integrity and availability of systems that do not have recommended solution applied.
Affected Products and Versions:
Oracle Database 11g Release 2, versions 11.2.0.2, 11.2.0.3
Oracle Database 11g Release 1, version 11.1.0.7
Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4, 10.2.0.5
Solution:
Recommendations for protecting against this vulnerability can be found at:
- http://support.oracl...mp;id=1340831.1 - for Oracle Database deployments that use Oracle Real Application Clusters (RAC).
- http://support.oracl...mp;id=1453883.1 - for Oracle Database deployments that do not use RAC.
Please note that Oracle has added Oracle Advanced Security SSL/TLS to the Oracle Database Standard Edition license when used with the Real Application Clusters and Oracle has added Oracle Advanced Security SSL/TLS to the Enterprise Edition Real Application Clusters (Oracle RAC) and RAC One Node options so that the directions provided in the Support Notes referenced above can be applied by all Oracle customers without additional cost..."
___

- http://www.securityt....com/id/1027000
May 2 2012
CVE Reference: CVE-2012-1675
Impact: User access via network
Version(s): 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3; and prior versions
Description: A vulnerability was reported in Oracle Database. A remote user can hijack database instance connections...
Solution: No solution was available at the time of this entry.
The vendor has issued recommendations in the following support notes:
- My Oracle Support Note 1340831.1 for Oracle Database deployments that use Oracle Real Application Clusters (RAC):
http://support.oracl...mp;id=1340831.1
- My Oracle Support Note 1453883.1 for Oracle Database deployments that do not use RAC
http://support.oracl...mp;id=1453883.1 ...
___

- https://blogs.oracle...rt_for_cve_2012
Apr 30, 2012

- http://h-online.com/-1565661
2 May 2012

Edited by AplusWebMaster, 03 May 2012 - 12:56 AM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.


#32 AplusWebMaster

Posted 17 July 2012 - 09:04 PM

FYI...

- http://www.oracle.co...012-392727.html
2012-July-17 - "... This Critical Patch Update contains 87 new security fixes..."
* http://www.oracle.co...392727.html#PIN

July 2012 Risk Matrices
- http://www.oracle.co...ose-392736.html
___

- https://www.us-cert...._patch_update20
July 18, 2012 - "... 87 vulnerabilities across multiple products. This update contains the following security fixes:
• 4 for Oracle Database Server
• 1 for Oracle Application Express Listener
• 2 for Oracle Secure Backup
• 22 for Oracle Fusion Middleware
• 1 for Oracle Hyperion
• 1 for Oracle Enterprise Manager Grid Control
• 4 for Oracle E-Business Suite
• 5 for Oracle Supply Chain Products
• 9 for Oracle PeopleSoft Products
• 7 for Oracle Siebel CRM
• 1 for Oracle Industry Applications
• 24 for Oracle Sun Products
• 6 for Oracle MySQL ..."
___

- http://h-online.com/-1644934
18 July 2012

Edited by AplusWebMaster, 18 July 2012 - 11:19 AM.


#33 AplusWebMaster

Posted 20 July 2012 - 10:44 AM

FYI...

Oracle Outside In Advisory ...
- http://atlas.arbor.n...index#101557049
Severity: Elevated Severity
Published: Thursday, July 19, 2012 21:19
The Oracle Outside In library is used by many other applications and has multiple security holes in its parsing routines. Patches are available.
Analysis: Security holes in such a library are good news for the attackers, who have multiple targets to choose from. Defenders should patch ASAP. Of the 15 vulnerable vendors, heavyweights such as Microsoft, IBM and Cisco appear along with others. It is a positive development that this security hole was found by a Google security researcher instead of a cyber-criminal.
Source: http://www.kb.cert.org/vuls/id/118913
Last revised: 27 Jul 2012 - "... used by a variety of applications, including Microsoft Exchange, Oracle Fusion Middleware, Guidance Encase Forensics, AccessData FTK, and Novell Groupwise. Outside In 8.3.7.77 and earlier fail to properly handle multiple file types when the data is malformed..."

Vendor Information for VU#118913
- http://www.kb.cert.o...p;SearchOrder=4

> http://www.oracle.co...dded/025613.htm

>> http://support.oracl...mp;id=1455387.1
Oracle Outside In Technology, versions 8.3.5, 8.3.7 - Fusion Middleware
... Oracle Critical Patch Update Advisory - July 2012

Edited by AplusWebMaster, 28 July 2012 - 09:28 AM.


#34 AplusWebMaster

Posted 13 August 2012 - 07:11 AM

FYI...

Oracle database bug...
- http://www.securityt....com/id/1027367
Aug 12 2012
CVE Reference: http://web.nvd.nist....d=CVE-2012-3132
Last revised: 08/13/2012
Version(s): 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Description: A vulnerability was reported in Oracle Database. A remote authenticated user can gain elevated privileges on the target system...
Impact: A remote authenticated user with 'Create Table' privileges can gain 'SYS' privileges on the target system.
Solution: The vendor has issued a fix.
The vendor's advisory is available at:
http://www.oracle.co...32-1721017.html
2012-August-10

- https://isc.sans.edu...l?storyid=13885
Last Updated: 2012-08-12 15:56:01 UTC

- https://threatpost.c...e-server-081312
August 13, 2012
___

- http://h-online.com/-1666898
14 August 2012

Edited by AplusWebMaster, 14 August 2012 - 10:13 AM.


#35 AplusWebMaster

Posted 16 October 2012 - 09:49 PM

FYI...

Oracle Critical Patch Update Advisory - October 2012
- http://www.oracle.co...12-1515893.html
Oct 16, 2012 - "... Critical Patch Update patches are usually cumulative but each advisory describes only the security fixes added since the previous Critical Patch Update advisory... Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains 109 new security fixes..."

Patch Availability Table
- http://www.oracle.co...515893.html#PIN

Risk Matrices
- http://www.oracle.co...se-1515934.html
___

- http://atlas.arbor.n...index#968980828
Severity: High Severity
October 17, 2012
In addition to patching Java, Oracle releases patches for other products as well.
Analysis: While the Java security issues get the most press due to its widespread exploitation, the Oracle database and other products are often used to protect sensitive information and should also be protected. Some of these other products don't have the same attack footprint as Java however if an attacker is already inside the network then other Oracle software is easier to reach and exploit.
Source: http://h-online.com/-1731176

Oct 17 2012
Sun SPARC Server Bug in Integrated Lights Out Manager Lets Local Users Access Data
http://www.securityt....com/id/1027677
Sun GlassFish Enterprise Server CORBA Bug Lets Remote Users Cause Partial DoS Conditions
http://www.securityt....com/id/1027676
Oracle Industry Applications Bugs Let Remote Users Partially Access and Modify Data and Deny Service
http://www.securityt....com/id/1027675
Oracle Siebel CRM Bugs Let Remote Users Access Data on the Target System
http://www.securityt....com/id/1027674
Oracle Financial Services Software Bugs Lets Remote Authenticated Users Access and Modify Data and Deny Service
http://www.securityt....com/id/1027673
Oracle Java Runtime Environment (JRE) Bugs Let Remote Users Gain Full Control of the Target System
http://www.securityt....com/id/1027672
Oracle PeopleSoft Products Bugs Lets Remote Authenticated Users Partially Access Data, Modify Data, and Deny Service
http://www.securityt....com/id/1027671
Oracle Supply Chain Products Suite Bugs Let Remote Users Access and Modify Data
http://www.securityt....com/id/1027670
Oracle Fusion Middleware Bugs Let Remote Users Access and Modify Data and Local and Remote Users Deny Service
http://www.securityt....com/id/1027669
Oracle E-Business Suite Bugs Let Remote Users Partially Access and Modify Data and Partially Deny Service
http://www.securityt....com/id/1027668
Solaris Lets Local Users Gain Root Privileges and Remote Users Deny Service
http://www.securityt....com/id/1027667
Oracle Virtualization Bugs Let Remote Users Partially Modify Data and Local Users Partially Deny Service
http://www.securityt....com/id/1027666
MySQL Multiple Bugs Let Remote Authenticated Users Access and Modify Data and Deny Service and Local Users Access Data
http://www.securityt....com/id/1027665
Oracle Database Bugs Let Remote Authenticated Users Partially Modify Data and Cause Partial Denial of Service Conditions
http://www.securityt....com/id/1027664

Edited by AplusWebMaster, 17 October 2012 - 10:16 PM.


#36 AplusWebMaster

Posted 16 January 2013 - 12:34 AM

FYI...

Oracle Critical Patch Update Advisory - Jan 2013
- http://www.oracle.co...13-1515902.html
Jan 15, 2013 - "... Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply CPU fixes as soon as possible. This Critical Patch Update contains -86- new security fixes across the product families listed below..."

Patch Availability Table
- http://www.oracle.co...515902.html#PIN

- https://blogs.oracle...al_patch_update
Jan 15, 2013

- https://www.us-cert....y_2013_security
Jan 16, 2013 - "... 86 vulnerabilities across multiple products. This update contains the following security fixes:
• 6 for Oracle Database Server
• 7 for Oracle Fusion Middleware
• 13 for Oracle Enterprise Manager Grid Control
• 9 for Oracle E-Business Suite
• 1 for Oracle Supply Chain Products Suite
• 12 for Oracle PeopleSoft Products
• 1 for Oracle JD Edwards Products
• 10 for Oracle Siebel CRM
• 8 for Oracle Sun Products Suite
• 1 for Oracle Visualization
• 18 for Oracle MySQL ..."
___

MySQL Multiple Bugs Let Remote Authenticated Users Take Full Control or Deny Service and Let Local Users Access and Modify Data
- http://www.securityt....com/id/1028004
Oracle VM Bug Lets Local Users Deny Service and Partially Modify Data
- http://www.securityt....com/id/1028003
Solaris Bugs Let Remote Users Partially Access Data and Local Users Gain Elevated Privileges
- http://www.securityt....com/id/1028002
Oracle Siebel Enterprise Bugs Let Remote Users Partially Deny Service, Access Data, and Modify Data
- http://www.securityt....com/id/1028001
Oracle PeopleSoft and JD Edwards Products Bugs Let Remote Users Partially Access and Modify Data
- http://www.securityt....com/id/1028000
Oracle E-Business Suite Bugs Let Remote Users Partially Access and Modify Data
- http://www.securityt....com/id/1027999
Oracle Enterprise Manager Grid Control Multiple Bugs Let Remote Users Partially Access and Modify Data and Cause Partial Denial of Service Conditions
- http://www.securityt....com/id/1027998
Oracle Supply Chain Products Suite Bug Lets Remote Users Partially Access Data
- http://www.securityt....com/id/1027997
Oracle Fusion Middleware Bugs Let Remote Users Deny Service and Modify Data
- http://www.securityt....com/id/1027996
Oracle Database Mobile Server Multiple Bugs Let Remote Users Gain Access and Obtain Potentially Sensitive Information
- http://www.securityt....com/id/1027995
Oracle Database Bug in Spatial Component Lets Remote Authenticated Users Gain Full Control
- http://www.securityt....com/id/1027994
Jan 16 2013

Edited by AplusWebMaster, 16 January 2013 - 03:42 PM.


#37 AplusWebMaster

Posted 20 February 2013 - 07:46 AM

FYI...

Oracle Solaris multiple updates
- https://secunia.com/advisories/52239/
Release Date: 2013-02-20
Criticality level: Highly critical
Impact: Security Bypass, Exposure of system information, DoS, System access
Where: From remote...
CVE Reference(s): CVE-2011-1202, CVE-2012-2733, CVE-2012-2825, CVE-2012-2870, CVE-2012-2871, CVE-2012-2893, CVE-2012-3403, CVE-2012-3481, CVE-2012-3546, CVE-2012-4431, CVE-2012-4534, CVE-2012-5885, CVE-2012-5886, CVE-2012-5887
Description: Oracle has acknowledged a weakness and multiple vulnerabilities in Oracle Solaris, which can be exploited by malicious people to bypass certain security restrictions, disclose system information, cause a DoS (Denial of Service), and compromise a user's system...
Solution: Apply update.
Original Advisory:
https://blogs.oracle..._apache_tomcat3
https://blogs.oracle...ilities_in_gimp
https://blogs.oracle...ties_in_libxslt


#38 AplusWebMaster

Posted 14 March 2013 - 09:11 AM

FYI...

Oracle Solaris updates ...
- https://blogs.oracle.com/sunsecurity/
Mar 13, 2013

- https://secunia.com/...ories/historic/
14th Mar, 2013
Oracle Solaris libxslt Multiple Vulnerabilities - Highly critical
Oracle Solaris FreeType Font Parsing Vulnerabilities - Highly critical
Oracle Solaris Gzip Input Sanitation Vulnerability - Moderately critical
Oracle Solaris Python Multiple Integer Overflow Vulnerabilities - Moderately critical
Oracle Solaris libpng Two Vulnerabilities - Moderately critical
Oracle Solaris Thunderbird Multiple Vulnerabilities - Highly critical
Oracle Solaris Multiple Vulnerabilities - Highly critical
Oracle Solaris FreeType 2 Multiple Vulnerabilities - Highly critical
Oracle Solaris libxslt Multiple Vulnerabilities - Highly critical


#39 AplusWebMaster

Posted 25 September 2013 - 10:06 AM

FYI...

Oracle Solaris - multiple vulnerabilities fixed in third-party components
- https://blogs.oracle.com/sunsecurity/
Sep 24, 2013 - Third Party Vulnerability Resolution Blog
"... vulnerabilities fixed in third-party components that are included in Oracle's product distributions..." (many - see blog for release notes)

- https://secunia.com/...=Oracle Solaris
Oracle Solaris Tomcat FormAuthenticator Session Hijacking Weakness 2013-09-25
Oracle Solaris ImageMagick Multiple Denial of Service Vulnerabilities
Oracle Solaris Ruby Certificate Verification Security Issue and Safe Level Security Bypass Vulnerability
Oracle Solaris LibXSLT "xsltDocumentFunction()" and "xsltAddKey()" Denial of Service Vulnerabilities
Oracle Solaris Wireshark Multiple Denial of Service Vulnerabilities
Oracle Solaris Kerberos KDC Two Vulnerabilities
Oracle Solaris Apache HTTP Server Multiple Vulnerabilities
Oracle Solaris X.org Multiple Vulnerabilities
Oracle Solaris Poppler Unspecified Vulnerabilities
Oracle Solaris Key Distribution Center (KDC) Denial of Service Vulnerabilities
Oracle Solaris Kerberos kpasswd UDP Packet Processing Denial of Service Vulnerability
Oracle Solaris id3lib Insecure Temporary File Privilege Escalation
