var-201102-0003

Vulnerability from variot

Rejected reason: DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2009-1016. Reason: This candidate is a reservation duplicate of CVE-2009-1016. Notes: All CVE users should reference CVE-2009-1016 instead of this candidate. All references and descriptions in this candidate have been removed to prevent accidental usage. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ======================================================================

                 Secunia Research 15/04/2009

• Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow -

====================================================================== Table of Contents

Affected Software....................................................1 Severity.............................................................2 Vendor's Description of Software.....................................3 Description of Vulnerability.........................................4 Solution.............................................................5 Time Table...........................................................6 Credits..............................................................7 References...........................................................8 About Secunia........................................................9 Verification........................................................10

====================================================================== 1) Affected Software

• Oracle BEA WebLogic Server Plug-ins version 1.0.1166189.

NOTE: Other versions may also be affected.

====================================================================== 2) Severity

Rating: Highly critical Impact: System access Where: From Remote

====================================================================== 3) Vendor's Description of Software

"... the world's best application server for building and deploying enterprise applications and services ...".

Product Link: http://www.oracle.com/technology/products/weblogic/index.html

====================================================================== 4) Description of Vulnerability

Secunia Research has discovered a vulnerability in the Oracle BEA WebLogic Server plug-ins for web servers, which can be exploited by malicious people to compromise a vulnerable system.

The Oracle BEA WebLogic Server can be configured to receive requests via an Apache web server. In this case, a plug-in is installed in the Internet-facing web server that passes the request to a WebLogic server.

The Apache web server may be configured to accept SSL connections and forward the request to the WebLogic server along with any SSL-related information. If the SSL client supplies a certificate (and the Apache server is configured to accept it), then the certificate is passed to the WebLogic plug-in via an environment variable.

The vulnerability is caused by a boundary error when parsing certificates and can be exploited to cause a stack-based buffer overflow by supplying a specially crafted certificate.

Successful exploitation may allow execution of arbitrary code.

====================================================================== 5) Solution

Apply patches released by the vendor.

====================================================================== 6) Time Table

01/03/2009 - Vendor notified. 06/03/2009 - Vendor confirms vulnerability. 17/03/2009 - Vendor provides preliminary patch. 15/04/2009 - Public disclosure.

====================================================================== 7) Credits

Discovered by Dyon Balding, Secunia Research.

====================================================================== 8) References

The Common Vulnerabilities and Exposures (CVE) project has assigned CVE-2009-0190 for the vulnerability.

====================================================================== 9) About Secunia

Secunia offers vulnerability management solutions to corporate customers with verified and reliable vulnerability intelligence relevant to their specific system configuration:

http://secunia.com/advisories/business_solutions/

Secunia also provides a publicly accessible and comprehensive advisory database as a service to the security community and private individuals, who are interested in or concerned about IT-security.

http://secunia.com/advisories/

Secunia believes that it is important to support the community and to do active vulnerability research in order to aid improving the security and reliability of software in general:

http://secunia.com/secunia_research/

Secunia regularly hires new skilled team members. Check the URL below to see currently vacant positions:

http://secunia.com/corporate/jobs/

Secunia offers a FREE mailing list called Secunia Security Advisories:

http://secunia.com/advisories/mailing_lists/

====================================================================== 10) Verification

Please verify this advisory by visiting the Secunia website: http://secunia.com/secunia_research/2009-23/

Complete list of vulnerability reports published by Secunia Research: http://secunia.com/secunia_research/

======================================================================

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201102-0003",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "jrockit r27.1.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "5.6.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.01"
      },
      {
        "model": "systems weblogic portal sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle9i personal edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.49"
      },
      {
        "model": "oracle11g standard edition one",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "data service integrator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.3"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2.1"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "oracle9i enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.06"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "systems weblogic portal sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.11"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.13"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.04"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.0.7"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.1"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "jrockit r27.6.2",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.07"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.3"
      },
      {
        "model": "systems weblogic portal sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "systems weblogic portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.1"
      },
      {
        "model": "systems weblogic server maintenance pack",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "oracle9i standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.13"
      },
      {
        "model": "oracle9i standard edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "oracle9i enterprise edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.1"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.2"
      },
      {
        "model": "e-business suite 11i",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.5.10.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.12"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.15"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.05"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.16"
      },
      {
        "model": "systems weblogic server mp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.9"
      },
      {
        "model": "audit vault",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "jrockit r27.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.02"
      },
      {
        "model": "systems weblogic portal sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.4"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.12"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.11"
      },
      {
        "model": "e-business suite",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "12.0.6"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "oracle9i personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "oracle11g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.03"
      },
      {
        "model": "systems weblogic server sp7",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Dyon Balding of Secunia Research, Joshua J. Drake of iDefense, Gerhard Eschelbeck of Qualys, Inc., Esteban Martinez Fayo of Application Security, Inc., Franz Huell of Red Database Security, Mike Janowski of Neohapsis, Inc., Joxean Koret, Joxean Koret of Ti",
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      }
    ],
    "trust": 0.3
  },
  "cve": "CVE-2009-0190",
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Rejected reason: DO NOT USE THIS CANDIDATE NUMBER.  ConsultIDs: CVE-2009-1016.  Reason: This candidate is a reservation duplicate of CVE-2009-1016.  Notes: All CVE users should reference CVE-2009-1016 instead of this candidate.  All references and descriptions in this candidate have been removed to prevent accidental usage. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:\nOracle Database\nOracle Audit Vault\nOracle Application Server\nOracle Outside In SDK HTML Export\nOracle XML Publisher\nOracle BI Publisher\nOracle E-Business Suite\nPeopleSoft Enterprise PeopleTools\nPeopleSoft Enterprise HRMS\nOracle WebLogic Server (formerly BEA WebLogic Server)\nOracle Data Service Integrator\nOracle AquaLogic Data Services Platform\nOracle JRockit. ====================================================================== \n\n                     Secunia Research 15/04/2009\n\n - Oracle BEA WebLogic Server Plug-ins Certificate Buffer Overflow -\n\n====================================================================== \nTable of Contents\n\nAffected Software....................................................1\nSeverity.............................................................2\nVendor\u0027s Description of Software.....................................3\nDescription of Vulnerability.........................................4\nSolution.............................................................5\nTime Table...........................................................6\nCredits..............................................................7\nReferences...........................................................8\nAbout Secunia........................................................9\nVerification........................................................10\n\n====================================================================== \n1) Affected Software \n\n* Oracle BEA WebLogic Server Plug-ins version 1.0.1166189. \n\nNOTE: Other versions may also be affected. \n\n====================================================================== \n2) Severity \n\nRating: Highly critical\nImpact: System access\nWhere:  From Remote\n\n====================================================================== \n3) Vendor\u0027s Description of Software \n\n\"... the world\u0027s best application server for building and deploying\nenterprise applications and services ...\". \n\nProduct Link:\nhttp://www.oracle.com/technology/products/weblogic/index.html\n\n====================================================================== \n4) Description of Vulnerability\n\nSecunia Research has discovered a vulnerability in the Oracle BEA\nWebLogic Server plug-ins for web servers, which can be exploited by\nmalicious people to compromise a vulnerable system. \n\nThe Oracle BEA WebLogic Server can be configured to receive requests\nvia an Apache web server. In this case, a plug-in is installed in the\nInternet-facing web server that passes the request to a WebLogic\nserver. \n\nThe Apache web server may be configured to accept SSL connections and\nforward the request to the WebLogic server along with any SSL-related\ninformation. If the SSL client supplies a certificate (and the Apache\nserver is configured to accept it), then the certificate is passed to\nthe WebLogic plug-in via an environment variable. \n\nThe vulnerability is caused by a boundary error when parsing \ncertificates and can be exploited to cause a stack-based buffer \noverflow by supplying a specially crafted certificate. \n\nSuccessful exploitation may allow execution of arbitrary code. \n\n====================================================================== \n5) Solution \n\nApply patches released by the vendor. \n\n====================================================================== \n6) Time Table \n\n01/03/2009 - Vendor notified. \n06/03/2009 - Vendor confirms vulnerability. \n17/03/2009 - Vendor provides preliminary patch. \n15/04/2009 - Public disclosure. \n\n====================================================================== \n7) Credits \n\nDiscovered by Dyon Balding, Secunia Research. \n\n====================================================================== \n8) References\n\nThe Common Vulnerabilities and Exposures (CVE) project has assigned \nCVE-2009-0190 for the vulnerability. \n\n====================================================================== \n9) About Secunia\n\nSecunia offers vulnerability management solutions to corporate\ncustomers with verified and reliable vulnerability intelligence\nrelevant to their specific system configuration:\n\nhttp://secunia.com/advisories/business_solutions/\n\nSecunia also provides a publicly accessible and comprehensive advisory\ndatabase as a service to the security community and private \nindividuals, who are interested in or concerned about IT-security. \n\nhttp://secunia.com/advisories/\n\nSecunia believes that it is important to support the community and to\ndo active vulnerability research in order to aid improving the \nsecurity and reliability of software in general:\n\nhttp://secunia.com/secunia_research/\n\nSecunia regularly hires new skilled team members. Check the URL below\nto see currently vacant positions:\n\nhttp://secunia.com/corporate/jobs/\n\nSecunia offers a FREE mailing list called Secunia Security Advisories:\n\nhttp://secunia.com/advisories/mailing_lists/\n\n====================================================================== \n10) Verification \n\nPlease verify this advisory by visiting the Secunia website:\nhttp://secunia.com/secunia_research/2009-23/\n\nComplete list of vulnerability reports published by Secunia Research:\nhttp://secunia.com/secunia_research/\n\n======================================================================\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-0190"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "76692"
      }
    ],
    "trust": 1.26
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-0190",
        "trust": 1.4
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017",
        "trust": 0.3
      },
      {
        "db": "BID",
        "id": "34461",
        "trust": 0.3
      },
      {
        "db": "PACKETSTORM",
        "id": "76692",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "76692"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0190"
      }
    ]
  },
  "id": "VAR-201102-0003",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.065972224
  },
  "last_update_date": "2024-08-14T12:37:54.894000Z",
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 0.6,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "trust": 0.4,
        "url": "http://secunia.com/secunia_research/2009-23/"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-22/"
      },
      {
        "trust": 0.3,
        "url": "http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502845"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502707"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502697"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502727"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502723"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/506160"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502724"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502683"
      },
      {
        "trust": 0.3,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017/"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1001.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1004.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1005.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1006.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1012.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1016.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/apex_password_hashes.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/products/weblogic/index.html"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/secunia_research/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/corporate/jobs/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/mailing_lists/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2009-0190"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "76692"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "76692"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0190"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-09T00:00:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-04-15T21:09:02",
        "db": "PACKETSTORM",
        "id": "76692"
      },
      {
        "date": "2011-02-01T19:00:39.033000",
        "db": "NVD",
        "id": "CVE-2009-0190"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-09-01T16:22:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2023-11-07T02:03:35.157000",
        "db": "NVD",
        "id": "CVE-2009-0190"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "network",
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      }
    ],
    "trust": 0.3
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Oracle April 2009 Critical Patch Update Multiple Vulnerabilities",
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      }
    ],
    "trust": 0.3
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Unknown",
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      }
    ],
    "trust": 0.3
  }
}

var-200904-0420

Vulnerability from variot

Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (DoS) An attack may be carried out. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ----------------------------------------------------------------------

Are you missing:

SECUNIA ADVISORY ID:

Critical:

Impact:

Where:

within the advisory below?

This is now part of the Secunia commercial solutions.

For more information see vulnerability #6 through #9 in: SA34693

SOLUTION: The vendor recommends to delete the GdFileConv.exe file. See vendor's advisory for additional details.

Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

• Oracle Critical Patch Update Advisory - April 2009 - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

• Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm

• Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA09-105A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA09-105A Feedback VU#955892" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2009 by US-CERT, a government organization.

Terms of use:

 <http://www.us-cert.gov/legal.html>

Revision History

April 15, 2009: Initial release

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE----- . ----------------------------------------------------------------------

Secunia is pleased to announce the release of the annual Secunia report for 2008. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks or disclose sensitive information, and by malicious people compromise a vulnerable system.

1) A format string error exists within the Oracle Process Manager and Notification (opmn) daemon, which can be exploited to execute arbitrary code via a specially crafted POST request to port 6000/TCP.

2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER".

The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available.

PROVIDED AND/OR DISCOVERED BY: 1) Joxean Koret of TippingPoint 2, 3) Alexander Kornbrust of Red Database Security

The vendor also credits: * Joshua J. Drake of iDefense * Gerhard Eschelbeck of Qualys, Inc. * Esteban Martinez Fayo of Application Security, Inc. * Franz Huell of Red Database Security; * Mike Janowski of Neohapsis, Inc. * Joxean Koret * David Litchfield of NGS Software * Tanel Poder * Sven Vetter of Trivadis * Dennis Yurichev

ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-017/

Red Database Security: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html http://www.red-database-security.com/advisory/apex_password_hashes.html

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200904-0420",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "e-business suite",
        "scope": "eq",
        "trust": 2.7,
        "vendor": "oracle",
        "version": "12.0.6"
      },
      {
        "model": "jrockit r27.1.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "5.6.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.01"
      },
      {
        "model": "systems weblogic portal sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle9i personal edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.49"
      },
      {
        "model": "oracle11g standard edition one",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "data service integrator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.3"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2.1"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "oracle9i enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.06"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "systems weblogic portal sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.11"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.13"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.04"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.0.7"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.1"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "jrockit r27.6.2",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.07"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.3"
      },
      {
        "model": "systems weblogic portal sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "systems weblogic portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.1"
      },
      {
        "model": "systems weblogic server maintenance pack",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "oracle9i standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.13"
      },
      {
        "model": "oracle9i standard edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "oracle9i enterprise edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.1"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.2"
      },
      {
        "model": "e-business suite 11i",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.5.10.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.12"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.15"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.05"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.16"
      },
      {
        "model": "systems weblogic server mp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.9"
      },
      {
        "model": "audit vault",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "jrockit r27.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.02"
      },
      {
        "model": "systems weblogic portal sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.4"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.12"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.11"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "oracle9i personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "oracle11g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.03"
      },
      {
        "model": "systems weblogic server sp7",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:oracle:e-business_suite",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2009-0999",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 6.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2009-0999",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2009-0999",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2009-0999",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200904-317",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite 12.0.6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (DoS) An attack may be carried out. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:\nOracle Database\nOracle Audit Vault\nOracle Application Server\nOracle Outside In SDK HTML Export\nOracle XML Publisher\nOracle BI Publisher\nOracle E-Business Suite\nPeopleSoft Enterprise PeopleTools\nPeopleSoft Enterprise HRMS\nOracle WebLogic Server (formerly BEA WebLogic Server)\nOracle Data Service Integrator\nOracle AquaLogic Data Services Platform\nOracle JRockit. ----------------------------------------------------------------------\n\nAre you missing:\n\nSECUNIA ADVISORY ID:\n\nCritical:\n\nImpact:\n\nWhere:\n\nwithin the advisory below?\n\nThis is now part of the Secunia commercial solutions. \n\nFor more information see vulnerability #6 through #9 in:\nSA34693\n\nSOLUTION:\nThe vendor recommends to delete the GdFileConv.exe file. See vendor\u0027s\nadvisory for additional details. \n\nFixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include\n   remote execution of arbitrary code, information disclosure, and\n   denial of service. \n\n\nI. Description\n\n   The Oracle Critical Patch Update Advisory - April 2009 addresses 43\n   vulnerabilities in various Oracle products and components. \n   \n   Oracle has associated CVE identifiers with the vulnerabilities\n   addressed in this Critical Patch Update. If significant additional\n   details about vulnerabilities and remediation techniques become\n   available, we will update the Vulnerability Notes Database. \n\n\nII. Impact\n\n   The impact of these vulnerabilities varies depending on the\n   product, component, and configuration of the system. Potential\n   consequences include the execution of arbitrary code or commands,\n   information disclosure, and denial of service. Vulnerable\n   components may be available to unauthenticated, remote attackers. \n   An attacker who compromises an Oracle database may be able to\n   access sensitive information. \n\n\nIII. Solution\n\n   Apply the appropriate patches or upgrade as specified in the Oracle\n   Critical Patch Update Advisory - April 2009. Note that this\n   document only lists newly corrected issues. Updates to patches for\n   previously known issues are not listed. \n\n\nIV. References\n\n * Oracle Critical Patch Update Advisory - April 2009 -\n   \u003chttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e\n\n * Critical Patch Updates and Security Alerts -\n   \u003chttp://www.oracle.com/technology/deploy/security/alerts.htm\u003e\n\n * Map of Public Vulnerability to Advisory/Alert -\n   \u003chttp://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e\n\n ____________________________________________________________________\n\n   The most recent version of this document can be found at:\n\n     \u003chttp://www.us-cert.gov/cas/techalerts/TA09-105A.html\u003e\n ____________________________________________________________________\n\n   Feedback can be directed to US-CERT Technical Staff. Please send\n   email to \u003ccert@cert.org\u003e with \"TA09-105A Feedback VU#955892\" in\n   the subject. \n ____________________________________________________________________\n\n   For instructions on subscribing to or unsubscribing from this\n   mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n   Produced 2009 by US-CERT, a government organization. \n\n   Terms of use:\n\n     \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\nRevision History\n  \n  April 15, 2009: Initial release\n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.5 (GNU/Linux)\n\niQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4\n2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do\ndsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM\nh6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy\n11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU\nbsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==\n=kziE\n-----END PGP SIGNATURE-----\n. ----------------------------------------------------------------------\n\nSecunia is pleased to announce the release of the annual Secunia\nreport for 2008. \nSome have unknown impacts, others can be exploited by malicious users\nto conduct SQL injection attacks or disclose sensitive information,\nand by malicious people  compromise a vulnerable system. \n\n1) A format string error exists within the Oracle Process Manager and\nNotification (opmn) daemon, which can be exploited to execute\narbitrary code via a specially crafted POST request to port\n6000/TCP. \n\n2) Input passed to the \"DBMS_AQIN\" package is not properly sanitised\nbefore being used. This can be exploited to manipulate SQL queries by\ninjecting arbitrary SQL code. \n\n3) An error in the Application Express component included in Oracle\nDatabase can be exploited by unprivileged database users to disclose\nAPEX password hashes in \"LOWS_030000.WWV_FLOW_USER\". \n\nThe remaining vulnerabilities are caused due to unspecified errors. \nNo more information is currently available. \n\nPROVIDED AND/OR DISCOVERED BY:\n1) Joxean Koret of TippingPoint\n2, 3) Alexander Kornbrust of Red Database Security\n\nThe vendor also credits:\n* Joshua J. Drake of iDefense\n* Gerhard Eschelbeck of Qualys, Inc. \n* Esteban Martinez Fayo of Application Security, Inc. \n* Franz Huell of Red Database Security;\n* Mike Janowski of Neohapsis, Inc. \n* Joxean Koret\n* David Litchfield of NGS Software\n* Tanel Poder\n* Sven Vetter of Trivadis\n* Dennis Yurichev\n\nORIGINAL ADVISORY:\nOracle:\nhttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\n\nZDI:\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-017/\n\nRed Database Security:\nhttp://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html\nhttp://www.red-database-security.com/advisory/apex_password_hashes.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-0999",
        "trust": 2.7
      },
      {
        "db": "USCERT",
        "id": "TA09-105A",
        "trust": 2.5
      },
      {
        "db": "SECUNIA",
        "id": "34693",
        "trust": 1.8
      },
      {
        "db": "SECTRACK",
        "id": "1022056",
        "trust": 1.6
      },
      {
        "db": "OSVDB",
        "id": "53753",
        "trust": 1.6
      },
      {
        "db": "BID",
        "id": "34461",
        "trust": 1.3
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531",
        "trust": 0.8
      },
      {
        "db": "CERT/CC",
        "id": "TA09-105A",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317",
        "trust": 0.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017",
        "trust": 0.4
      },
      {
        "db": "SECUNIA",
        "id": "35135",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "77574",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76710",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76704",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "id": "VAR-200904-0420",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.065972224
  },
  "last_update_date": "2024-11-23T20:28:36.205000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Oracle Critical Patch Update Advisory - April 2009",
        "trust": 0.8,
        "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html"
      },
      {
        "trust": 1.6,
        "url": "http://www.securitytracker.com/id?1022056"
      },
      {
        "trust": 1.6,
        "url": "http://secunia.com/advisories/34693"
      },
      {
        "trust": 1.6,
        "url": "http://osvdb.org/53753"
      },
      {
        "trust": 1.3,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/34461"
      },
      {
        "trust": 1.0,
        "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0999"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0999"
      },
      {
        "trust": 0.4,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017/"
      },
      {
        "trust": 0.4,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html"
      },
      {
        "trust": 0.4,
        "url": "http://www.red-database-security.com/advisory/apex_password_hashes.html"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-23/"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-22/"
      },
      {
        "trust": 0.3,
        "url": "http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502845"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502707"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502697"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502727"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502723"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/506160"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502724"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502683"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1001.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1004.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1005.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1006.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1012.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1016.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/34693/"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/35135/"
      },
      {
        "trust": 0.1,
        "url": "http://www.good.com/faq/18431.html"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=799"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=800"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/try_vi/"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=798"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/alerts.htm\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/signup.html\u003e."
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/try_vi/request_2008_report/"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-09T00:00:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2012-09-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "date": "2009-05-18T15:35:49",
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "date": "2009-04-15T23:15:44",
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "date": "2009-04-15T15:08:54",
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "date": "2009-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "date": "2009-04-15T10:30:00.797000",
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-09-01T16:22:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2012-09-25T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      },
      {
        "date": "2009-04-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      },
      {
        "date": "2024-11-21T01:01:25.517000",
        "db": "NVD",
        "id": "CVE-2009-0999"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Oracle E-Business Suite of  Oracle Application Object Library Component vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-004531"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-317"
      }
    ],
    "trust": 0.6
  }
}

var-200904-0428

Vulnerability from variot

Unspecified vulnerability in the Outside In Technology component in Oracle Application Server 8.2.2 and 8.3.0 allows local users to affect confidentiality, integrity, and availability, related to HTML, a different vulnerability than CVE-2009-1010. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ----------------------------------------------------------------------

Are you missing:

SECUNIA ADVISORY ID:

Critical:

Impact:

Where:

within the advisory below?

This is now part of the Secunia commercial solutions.

For more information see vulnerability #6 through #9 in: SA34693

SOLUTION: The vendor recommends to delete the GdFileConv.exe file. See vendor's advisory for additional details.

Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

• Oracle Critical Patch Update Advisory - April 2009 - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

• Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm

• Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA09-105A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA09-105A Feedback VU#955892" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2009 by US-CERT, a government organization.

Terms of use:

 <http://www.us-cert.gov/legal.html>

Revision History

April 15, 2009: Initial release

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE----- . ----------------------------------------------------------------------

Secunia is pleased to announce the release of the annual Secunia report for 2008. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks or disclose sensitive information, and by malicious people compromise a vulnerable system.

1) A format string error exists within the Oracle Process Manager and Notification (opmn) daemon, which can be exploited to execute arbitrary code via a specially crafted POST request to port 6000/TCP.

2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER".

The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available.

PROVIDED AND/OR DISCOVERED BY: 1) Joxean Koret of TippingPoint 2, 3) Alexander Kornbrust of Red Database Security

The vendor also credits: * Joshua J. Drake of iDefense * Gerhard Eschelbeck of Qualys, Inc. * Esteban Martinez Fayo of Application Security, Inc. * Franz Huell of Red Database Security; * Mike Janowski of Neohapsis, Inc. * Joxean Koret * David Litchfield of NGS Software * Tanel Poder * Sven Vetter of Trivadis * Dennis Yurichev

ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-017/

Red Database Security: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html http://www.red-database-security.com/advisory/apex_password_hashes.html

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200904-0428",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "application server",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "application server",
        "scope": "eq",
        "trust": 1.8,
        "vendor": "oracle",
        "version": "8.3.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "8.0.0.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "6.1.5.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "6.0.0.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "7.0.0.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "ibm",
        "version": "6.1.0.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "ibm",
        "version": "6.0.1.0"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.0.1"
      },
      {
        "model": "websphere portal",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.0.0"
      },
      {
        "model": "websphere portal",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.1.5"
      },
      {
        "model": "websphere portal",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.1.0"
      },
      {
        "model": "websphere portal",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "8"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.1.5.3 cf27"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "7.0.0.2 cf25"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "8.0.0.1 cf08"
      },
      {
        "model": "websphere portal",
        "scope": "lt",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "7"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.1.0.6 cf27"
      },
      {
        "model": "websphere portal",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "ibm",
        "version": "6.0.0.1"
      },
      {
        "model": "jrockit r27.1.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "5.6.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.01"
      },
      {
        "model": "systems weblogic portal sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle9i personal edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.49"
      },
      {
        "model": "oracle11g standard edition one",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "data service integrator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.3"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2.1"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "oracle9i enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.06"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "systems weblogic portal sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.11"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.13"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.04"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.0.7"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.1"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "jrockit r27.6.2",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.07"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.3"
      },
      {
        "model": "systems weblogic portal sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "systems weblogic portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.1"
      },
      {
        "model": "systems weblogic server maintenance pack",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "oracle9i standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.13"
      },
      {
        "model": "oracle9i standard edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "oracle9i enterprise edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.1"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.2"
      },
      {
        "model": "e-business suite 11i",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.5.10.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.12"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.15"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.05"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.16"
      },
      {
        "model": "systems weblogic server mp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.9"
      },
      {
        "model": "audit vault",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "jrockit r27.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.02"
      },
      {
        "model": "systems weblogic portal sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.4"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.12"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.11"
      },
      {
        "model": "e-business suite",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "12.0.6"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "oracle9i personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "oracle11g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.03"
      },
      {
        "model": "systems weblogic server sp7",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:ibm:websphere_portal",
                "vulnerable": true
              },
              {
                "cpe22Uri": "cpe:/a:oracle:application_server",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2009-1008",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "LOCAL",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 4.4,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 3.4,
            "id": "CVE-2009-1008",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:L/AC:M/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2009-1008",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2009-1008",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200904-325",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Unspecified vulnerability in the Outside In Technology component in Oracle Application Server 8.2.2 and 8.3.0 allows local users to affect confidentiality, integrity, and availability, related to HTML, a different vulnerability than CVE-2009-1010. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:\nOracle Database\nOracle Audit Vault\nOracle Application Server\nOracle Outside In SDK HTML Export\nOracle XML Publisher\nOracle BI Publisher\nOracle E-Business Suite\nPeopleSoft Enterprise PeopleTools\nPeopleSoft Enterprise HRMS\nOracle WebLogic Server (formerly BEA WebLogic Server)\nOracle Data Service Integrator\nOracle AquaLogic Data Services Platform\nOracle JRockit. ----------------------------------------------------------------------\n\nAre you missing:\n\nSECUNIA ADVISORY ID:\n\nCritical:\n\nImpact:\n\nWhere:\n\nwithin the advisory below?\n\nThis is now part of the Secunia commercial solutions. \n\nFor more information see vulnerability #6 through #9 in:\nSA34693\n\nSOLUTION:\nThe vendor recommends to delete the GdFileConv.exe file. See vendor\u0027s\nadvisory for additional details. \n\nFixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. The impacts of these vulnerabilities include\n   remote execution of arbitrary code, information disclosure, and\n   denial of service. \n\n\nI. Description\n\n   The Oracle Critical Patch Update Advisory - April 2009 addresses 43\n   vulnerabilities in various Oracle products and components. The\n   document provides information about affected components, access and\n   authorization required for successful exploitation, and the impact\n   from the vulnerabilities on data confidentiality, integrity, and\n   availability. \n   \n   Oracle has associated CVE identifiers with the vulnerabilities\n   addressed in this Critical Patch Update. If significant additional\n   details about vulnerabilities and remediation techniques become\n   available, we will update the Vulnerability Notes Database. \n\n\nII. Impact\n\n   The impact of these vulnerabilities varies depending on the\n   product, component, and configuration of the system. Potential\n   consequences include the execution of arbitrary code or commands,\n   information disclosure, and denial of service. Vulnerable\n   components may be available to unauthenticated, remote attackers. \n   An attacker who compromises an Oracle database may be able to\n   access sensitive information. \n\n\nIII. Solution\n\n   Apply the appropriate patches or upgrade as specified in the Oracle\n   Critical Patch Update Advisory - April 2009. Note that this\n   document only lists newly corrected issues. Updates to patches for\n   previously known issues are not listed. \n\n\nIV. References\n\n * Oracle Critical Patch Update Advisory - April 2009 -\n   \u003chttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e\n\n * Critical Patch Updates and Security Alerts -\n   \u003chttp://www.oracle.com/technology/deploy/security/alerts.htm\u003e\n\n * Map of Public Vulnerability to Advisory/Alert -\n   \u003chttp://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e\n\n ____________________________________________________________________\n\n   The most recent version of this document can be found at:\n\n     \u003chttp://www.us-cert.gov/cas/techalerts/TA09-105A.html\u003e\n ____________________________________________________________________\n\n   Feedback can be directed to US-CERT Technical Staff. Please send\n   email to \u003ccert@cert.org\u003e with \"TA09-105A Feedback VU#955892\" in\n   the subject. \n ____________________________________________________________________\n\n   For instructions on subscribing to or unsubscribing from this\n   mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n   Produced 2009 by US-CERT, a government organization. \n\n   Terms of use:\n\n     \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\nRevision History\n  \n  April 15, 2009: Initial release\n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.5 (GNU/Linux)\n\niQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4\n2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do\ndsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM\nh6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy\n11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU\nbsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==\n=kziE\n-----END PGP SIGNATURE-----\n. ----------------------------------------------------------------------\n\nSecunia is pleased to announce the release of the annual Secunia\nreport for 2008. \nSome have unknown impacts, others can be exploited by malicious users\nto conduct SQL injection attacks or disclose sensitive information,\nand by malicious people  compromise a vulnerable system. \n\n1) A format string error exists within the Oracle Process Manager and\nNotification (opmn) daemon, which can be exploited to execute\narbitrary code via a specially crafted POST request to port\n6000/TCP. \n\n2) Input passed to the \"DBMS_AQIN\" package is not properly sanitised\nbefore being used. This can be exploited to manipulate SQL queries by\ninjecting arbitrary SQL code. \n\n3) An error in the Application Express component included in Oracle\nDatabase can be exploited by unprivileged database users to disclose\nAPEX password hashes in \"LOWS_030000.WWV_FLOW_USER\". \n\nThe remaining vulnerabilities are caused due to unspecified errors. \nNo more information is currently available. \n\nPROVIDED AND/OR DISCOVERED BY:\n1) Joxean Koret of TippingPoint\n2, 3) Alexander Kornbrust of Red Database Security\n\nThe vendor also credits:\n* Joshua J. Drake of iDefense\n* Gerhard Eschelbeck of Qualys, Inc. \n* Esteban Martinez Fayo of Application Security, Inc. \n* Franz Huell of Red Database Security;\n* Mike Janowski of Neohapsis, Inc. \n* Joxean Koret\n* David Litchfield of NGS Software\n* Tanel Poder\n* Sven Vetter of Trivadis\n* Dennis Yurichev\n\nORIGINAL ADVISORY:\nOracle:\nhttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\n\nZDI:\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-017/\n\nRed Database Security:\nhttp://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html\nhttp://www.red-database-security.com/advisory/apex_password_hashes.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      }
    ],
    "trust": 2.16
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-1008",
        "trust": 2.7
      },
      {
        "db": "SECUNIA",
        "id": "34693",
        "trust": 2.6
      },
      {
        "db": "USCERT",
        "id": "TA09-105A",
        "trust": 2.5
      },
      {
        "db": "OSVDB",
        "id": "53747",
        "trust": 2.4
      },
      {
        "db": "SECTRACK",
        "id": "1022055",
        "trust": 2.4
      },
      {
        "db": "BID",
        "id": "34461",
        "trust": 1.3
      },
      {
        "db": "VUPEN",
        "id": "ADV-2009-1042",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238",
        "trust": 0.8
      },
      {
        "db": "CERT/CC",
        "id": "TA09-105A",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325",
        "trust": 0.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017",
        "trust": 0.4
      },
      {
        "db": "SECUNIA",
        "id": "35135",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "77574",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76710",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76704",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "id": "VAR-200904-0428",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.065972224
  },
  "last_update_date": "2024-11-23T20:47:37.389000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cpuapr2009",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "title": "1660640",
        "trust": 0.8,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21660640"
      },
      {
        "title": "1660774",
        "trust": 0.8,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21660774"
      },
      {
        "title": "090417_86",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/global/jp/security/090417_86/top.html"
      },
      {
        "title": "TA09-105A",
        "trust": 0.8,
        "url": "http://software.fujitsu.com/jp/security/vulnerabilities/ta09-105a.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://osvdb.org/53747"
      },
      {
        "trust": 2.4,
        "url": "http://secunia.com/advisories/34693"
      },
      {
        "trust": 2.4,
        "url": "http://www.securitytracker.com/id?1022055"
      },
      {
        "trust": 2.4,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html"
      },
      {
        "trust": 1.3,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/34461"
      },
      {
        "trust": 1.0,
        "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
      },
      {
        "trust": 1.0,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=swg21660640"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1008"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta09-105a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/jvntr-2009-11/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1008"
      },
      {
        "trust": 0.8,
        "url": "http://www.vupen.com/english/advisories/2009/1042"
      },
      {
        "trust": 0.4,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017/"
      },
      {
        "trust": 0.4,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html"
      },
      {
        "trust": 0.4,
        "url": "http://www.red-database-security.com/advisory/apex_password_hashes.html"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-23/"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-22/"
      },
      {
        "trust": 0.3,
        "url": "http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502845"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502707"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502697"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502727"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502723"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/506160"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502724"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502683"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1001.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1004.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1005.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1006.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1012.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1016.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/34693/"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/35135/"
      },
      {
        "trust": 0.1,
        "url": "http://www.good.com/faq/18431.html"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=799"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=800"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/try_vi/"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=798"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/alerts.htm\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/signup.html\u003e."
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/try_vi/request_2008_report/"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-09T00:00:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "date": "2009-05-18T15:35:49",
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "date": "2009-04-15T23:15:44",
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "date": "2009-04-15T15:08:54",
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "date": "2009-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "date": "2009-04-15T10:30:00.953000",
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-09-01T16:22:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2014-02-21T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      },
      {
        "date": "2009-04-28T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      },
      {
        "date": "2024-11-21T01:01:27.107000",
        "db": "NVD",
        "id": "CVE-2009-1008"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "local",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Oracle Application Server of  Outside In Technology Component vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001238"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-325"
      }
    ],
    "trust": 0.6
  }
}

var-200904-0423

Vulnerability from variot

Unspecified vulnerability in Oracle BEA WebLogic Server 10.3, 10.0 Gold through MP1, 9.2 Gold through MP3, 9.1, 9.0, 8.1 Gold through SP6, and 7.0 Gold through SP7 allows remote attackers to gain privileges via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

• Oracle Critical Patch Update Advisory - April 2009 - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

• Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm

• Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA09-105A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA09-105A Feedback VU#955892" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2009 by US-CERT, a government organization.

Terms of use:

 <http://www.us-cert.gov/legal.html>

Revision History

April 15, 2009: Initial release

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200904-0423",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "oracle",
        "version": "9.1"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "oracle",
        "version": "10.0"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "oracle",
        "version": "7.0"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "oracle",
        "version": "8.1"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "10.0 mp1"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "7.0 sp7"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "8.1 sp6"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "9.2 mp3"
      },
      {
        "model": "jrockit r27.1.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "5.6.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.01"
      },
      {
        "model": "systems weblogic portal sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle9i personal edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.49"
      },
      {
        "model": "oracle11g standard edition one",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "data service integrator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.3"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2.1"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "oracle9i enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.06"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "systems weblogic portal sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.11"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.13"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.04"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.0.7"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.1"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "jrockit r27.6.2",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.07"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.3"
      },
      {
        "model": "systems weblogic portal sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "systems weblogic portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.1"
      },
      {
        "model": "systems weblogic server maintenance pack",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "oracle9i standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.13"
      },
      {
        "model": "oracle9i standard edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "oracle9i enterprise edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.1"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.2"
      },
      {
        "model": "e-business suite 11i",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.5.10.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.12"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.15"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.05"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.16"
      },
      {
        "model": "systems weblogic server mp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.9"
      },
      {
        "model": "audit vault",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "jrockit r27.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.02"
      },
      {
        "model": "systems weblogic portal sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.4"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.12"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.11"
      },
      {
        "model": "e-business suite",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "12.0.6"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "oracle9i personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "oracle11g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.03"
      },
      {
        "model": "systems weblogic server sp7",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:oracle:bea_product_suite",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2009-1002",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.8,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 8.6,
            "id": "CVE-2009-1002",
            "impactScore": 4.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:P/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2009-1002",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2009-1002",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200904-320",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Unspecified vulnerability in Oracle BEA WebLogic Server 10.3, 10.0 Gold through MP1, 9.2 Gold through MP3, 9.1, 9.0, 8.1 Gold through SP6, and 7.0 Gold through SP7 allows remote attackers to gain privileges via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:\nOracle Database\nOracle Audit Vault\nOracle Application Server\nOracle Outside In SDK HTML Export\nOracle XML Publisher\nOracle BI Publisher\nOracle E-Business Suite\nPeopleSoft Enterprise PeopleTools\nPeopleSoft Enterprise HRMS\nOracle WebLogic Server (formerly BEA WebLogic Server)\nOracle Data Service Integrator\nOracle AquaLogic Data Services Platform\nOracle JRockit. The impacts of these vulnerabilities include\n   remote execution of arbitrary code, information disclosure, and\n   denial of service. \n\n\nI. Description\n\n   The Oracle Critical Patch Update Advisory - April 2009 addresses 43\n   vulnerabilities in various Oracle products and components. The\n   document provides information about affected components, access and\n   authorization required for successful exploitation, and the impact\n   from the vulnerabilities on data confidentiality, integrity, and\n   availability. \n   \n   Oracle has associated CVE identifiers with the vulnerabilities\n   addressed in this Critical Patch Update. If significant additional\n   details about vulnerabilities and remediation techniques become\n   available, we will update the Vulnerability Notes Database. \n\n\nII. Impact\n\n   The impact of these vulnerabilities varies depending on the\n   product, component, and configuration of the system. Potential\n   consequences include the execution of arbitrary code or commands,\n   information disclosure, and denial of service. Vulnerable\n   components may be available to unauthenticated, remote attackers. \n   An attacker who compromises an Oracle database may be able to\n   access sensitive information. \n\n\nIII. Solution\n\n   Apply the appropriate patches or upgrade as specified in the Oracle\n   Critical Patch Update Advisory - April 2009. Note that this\n   document only lists newly corrected issues. Updates to patches for\n   previously known issues are not listed. \n\n\nIV. References\n\n * Oracle Critical Patch Update Advisory - April 2009 -\n   \u003chttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e\n\n * Critical Patch Updates and Security Alerts -\n   \u003chttp://www.oracle.com/technology/deploy/security/alerts.htm\u003e\n\n * Map of Public Vulnerability to Advisory/Alert -\n   \u003chttp://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e\n\n ____________________________________________________________________\n\n   The most recent version of this document can be found at:\n\n     \u003chttp://www.us-cert.gov/cas/techalerts/TA09-105A.html\u003e\n ____________________________________________________________________\n\n   Feedback can be directed to US-CERT Technical Staff. Please send\n   email to \u003ccert@cert.org\u003e with \"TA09-105A Feedback VU#955892\" in\n   the subject. \n ____________________________________________________________________\n\n   For instructions on subscribing to or unsubscribing from this\n   mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n   Produced 2009 by US-CERT, a government organization. \n\n   Terms of use:\n\n     \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\nRevision History\n  \n  April 15, 2009: Initial release\n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.5 (GNU/Linux)\n\niQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4\n2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do\ndsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM\nh6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy\n11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU\nbsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==\n=kziE\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-1002",
        "trust": 2.7
      },
      {
        "db": "USCERT",
        "id": "TA09-105A",
        "trust": 2.5
      },
      {
        "db": "SECTRACK",
        "id": "1022059",
        "trust": 2.4
      },
      {
        "db": "XF",
        "id": "50052",
        "trust": 1.4
      },
      {
        "db": "BID",
        "id": "34461",
        "trust": 1.3
      },
      {
        "db": "VUPEN",
        "id": "ADV-2009-1042",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250",
        "trust": 0.8
      },
      {
        "db": "XF",
        "id": "2",
        "trust": 0.6
      },
      {
        "db": "CERT/CC",
        "id": "TA09-105A",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320",
        "trust": 0.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017",
        "trust": 0.3
      },
      {
        "db": "PACKETSTORM",
        "id": "76710",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "id": "VAR-200904-0423",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.065972224
  },
  "last_update_date": "2024-11-23T20:26:34.084000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cpuapr2009",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "title": "1002",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "title": "090417_86",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/global/jp/security/090417_86/top.html"
      },
      {
        "title": "TA09-105A",
        "trust": 0.8,
        "url": "http://software.fujitsu.com/jp/security/vulnerabilities/ta09-105a.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://www.securitytracker.com/id?1022059"
      },
      {
        "trust": 2.4,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html"
      },
      {
        "trust": 1.9,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "trust": 1.4,
        "url": "http://xforce.iss.net/xforce/xfdb/50052"
      },
      {
        "trust": 1.2,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "trust": 1.0,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50052"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/34461"
      },
      {
        "trust": 1.0,
        "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1002"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta09-105a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/jvntr-2009-11/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1002"
      },
      {
        "trust": 0.8,
        "url": "http://www.vupen.com/english/advisories/2009/1042"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-23/"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-22/"
      },
      {
        "trust": 0.3,
        "url": "http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502845"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502707"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502697"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502727"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502723"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/506160"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502724"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502683"
      },
      {
        "trust": 0.3,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017/"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1001.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1004.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1005.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1006.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1012.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1016.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/apex_password_hashes.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/alerts.htm\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/signup.html\u003e."
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-09T00:00:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "date": "2009-04-15T23:15:44",
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "date": "2009-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "date": "2009-04-15T10:30:00.860000",
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-09-01T16:22:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      },
      {
        "date": "2009-05-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      },
      {
        "date": "2024-11-21T01:01:26.450000",
        "db": "NVD",
        "id": "CVE-2009-1002"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "BEA Product Suite of  WebLogic Server Elevation of privilege vulnerability in components",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001250"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-320"
      }
    ],
    "trust": 0.6
  }
}

var-200904-0424

Vulnerability from variot

Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect integrity via unknown vectors related to "access to source code of web pages.". Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

• Oracle Critical Patch Update Advisory - April 2009 - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

• Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm

• Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA09-105A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA09-105A Feedback VU#955892" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2009 by US-CERT, a government organization.

Terms of use:

 <http://www.us-cert.gov/legal.html>

Revision History

April 15, 2009: Initial release

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200904-0424",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 2.4,
        "vendor": "oracle",
        "version": "9.1"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "oracle",
        "version": "10.0"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 1.6,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "10.0 mp1"
      },
      {
        "model": "bea product suite",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "9.2 mp3"
      },
      {
        "model": "jrockit r27.1.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "5.6.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.01"
      },
      {
        "model": "systems weblogic portal sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle9i personal edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.49"
      },
      {
        "model": "oracle11g standard edition one",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "data service integrator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.3"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2.1"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "oracle9i enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.06"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "systems weblogic portal sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.11"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.13"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.04"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.0.7"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.1"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "jrockit r27.6.2",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.07"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.3"
      },
      {
        "model": "systems weblogic portal sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "systems weblogic portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.1"
      },
      {
        "model": "systems weblogic server maintenance pack",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "oracle9i standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.13"
      },
      {
        "model": "oracle9i standard edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "oracle9i enterprise edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.1"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.2"
      },
      {
        "model": "e-business suite 11i",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.5.10.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.12"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.15"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.05"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.16"
      },
      {
        "model": "systems weblogic server mp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.9"
      },
      {
        "model": "audit vault",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "jrockit r27.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.02"
      },
      {
        "model": "systems weblogic portal sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.4"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.12"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.11"
      },
      {
        "model": "e-business suite",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "12.0.6"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "oracle9i personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "oracle11g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.03"
      },
      {
        "model": "systems weblogic server sp7",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.0"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:oracle:bea_product_suite",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2009-1003",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 5.0,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 10.0,
            "id": "CVE-2009-1003",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2009-1003",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2009-1003",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200904-321",
            "trust": 0.6,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect integrity via unknown vectors related to \"access to source code of web pages.\". Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:\nOracle Database\nOracle Audit Vault\nOracle Application Server\nOracle Outside In SDK HTML Export\nOracle XML Publisher\nOracle BI Publisher\nOracle E-Business Suite\nPeopleSoft Enterprise PeopleTools\nPeopleSoft Enterprise HRMS\nOracle WebLogic Server (formerly BEA WebLogic Server)\nOracle Data Service Integrator\nOracle AquaLogic Data Services Platform\nOracle JRockit. The impacts of these vulnerabilities include\n   remote execution of arbitrary code, information disclosure, and\n   denial of service. \n\n\nI. Description\n\n   The Oracle Critical Patch Update Advisory - April 2009 addresses 43\n   vulnerabilities in various Oracle products and components. The\n   document provides information about affected components, access and\n   authorization required for successful exploitation, and the impact\n   from the vulnerabilities on data confidentiality, integrity, and\n   availability. \n   \n   Oracle has associated CVE identifiers with the vulnerabilities\n   addressed in this Critical Patch Update. If significant additional\n   details about vulnerabilities and remediation techniques become\n   available, we will update the Vulnerability Notes Database. \n\n\nII. Impact\n\n   The impact of these vulnerabilities varies depending on the\n   product, component, and configuration of the system. Potential\n   consequences include the execution of arbitrary code or commands,\n   information disclosure, and denial of service. Vulnerable\n   components may be available to unauthenticated, remote attackers. \n   An attacker who compromises an Oracle database may be able to\n   access sensitive information. \n\n\nIII. Solution\n\n   Apply the appropriate patches or upgrade as specified in the Oracle\n   Critical Patch Update Advisory - April 2009. Note that this\n   document only lists newly corrected issues. Updates to patches for\n   previously known issues are not listed. \n\n\nIV. References\n\n * Oracle Critical Patch Update Advisory - April 2009 -\n   \u003chttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e\n\n * Critical Patch Updates and Security Alerts -\n   \u003chttp://www.oracle.com/technology/deploy/security/alerts.htm\u003e\n\n * Map of Public Vulnerability to Advisory/Alert -\n   \u003chttp://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e\n\n ____________________________________________________________________\n\n   The most recent version of this document can be found at:\n\n     \u003chttp://www.us-cert.gov/cas/techalerts/TA09-105A.html\u003e\n ____________________________________________________________________\n\n   Feedback can be directed to US-CERT Technical Staff. Please send\n   email to \u003ccert@cert.org\u003e with \"TA09-105A Feedback VU#955892\" in\n   the subject. \n ____________________________________________________________________\n\n   For instructions on subscribing to or unsubscribing from this\n   mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n   Produced 2009 by US-CERT, a government organization. \n\n   Terms of use:\n\n     \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\nRevision History\n  \n  April 15, 2009: Initial release\n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.5 (GNU/Linux)\n\niQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4\n2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do\ndsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM\nh6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy\n11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU\nbsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==\n=kziE\n-----END PGP SIGNATURE-----\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      }
    ],
    "trust": 1.98
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-1003",
        "trust": 2.7
      },
      {
        "db": "USCERT",
        "id": "TA09-105A",
        "trust": 2.5
      },
      {
        "db": "SECTRACK",
        "id": "1022059",
        "trust": 2.4
      },
      {
        "db": "OSVDB",
        "id": "53762",
        "trust": 2.4
      },
      {
        "db": "XF",
        "id": "50054",
        "trust": 1.4
      },
      {
        "db": "BID",
        "id": "34461",
        "trust": 1.3
      },
      {
        "db": "VUPEN",
        "id": "ADV-2009-1042",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249",
        "trust": 0.8
      },
      {
        "db": "CERT/CC",
        "id": "TA09-105A",
        "trust": 0.6
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321",
        "trust": 0.6
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017",
        "trust": 0.3
      },
      {
        "db": "PACKETSTORM",
        "id": "76710",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "id": "VAR-200904-0424",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.065972224
  },
  "last_update_date": "2024-11-23T21:11:49.041000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cpuapr2009",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "title": "1003",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "title": "090417_86",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/global/jp/security/090417_86/top.html"
      },
      {
        "title": "TA09-105A",
        "trust": 0.8,
        "url": "http://software.fujitsu.com/jp/security/vulnerabilities/ta09-105a.html"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.4,
        "url": "http://osvdb.org/53762"
      },
      {
        "trust": 2.4,
        "url": "http://www.securitytracker.com/id?1022059"
      },
      {
        "trust": 2.4,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html"
      },
      {
        "trust": 1.9,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "trust": 1.4,
        "url": "http://xforce.iss.net/xforce/xfdb/50054"
      },
      {
        "trust": 1.2,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "trust": 1.0,
        "url": "http://www.securityfocus.com/bid/34461"
      },
      {
        "trust": 1.0,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50054"
      },
      {
        "trust": 1.0,
        "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1003"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta09-105a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/jvntr-2009-11/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1003"
      },
      {
        "trust": 0.8,
        "url": "http://www.vupen.com/english/advisories/2009/1042"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-23/"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-22/"
      },
      {
        "trust": 0.3,
        "url": "http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502845"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502707"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502697"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502727"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502723"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/506160"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502724"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502683"
      },
      {
        "trust": 0.3,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017/"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1001.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1004.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1005.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1006.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1012.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1016.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/apex_password_hashes.html"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/alerts.htm\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/signup.html\u003e."
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-09T00:00:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "date": "2009-04-15T23:15:44",
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "date": "2009-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "date": "2009-04-15T10:30:00.877000",
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-09-01T16:22:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-22T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      },
      {
        "date": "2009-05-06T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      },
      {
        "date": "2024-11-21T01:01:26.557000",
        "db": "NVD",
        "id": "CVE-2009-1003"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      }
    ],
    "trust": 0.7
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "BEA Product Suite of  WebLogic Server Component vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001249"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "lack of information",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-321"
      }
    ],
    "trust": 0.6
  }
}

var-201801-0036

Vulnerability from variot

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. JQuery is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. Versions prior to JQuery 3.0.0 are vulnerable. jQuery is an open source, cross-browser JavaScript library developed by American John Resig programmers. The library simplifies the operation between HTML and JavaScript, and has the characteristics of modularization and plug-in extension. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/):

JBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001 JBEAP-23865 - GSS Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001 JBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001 JBEAP-23928 - Tracker bug for the EAP 7.4.9 release for RHEL-9 JBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001 JBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001 JBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001 JBEAP-24100 - GSS Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001 JBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value JBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001 JBEAP-24132 - GSS Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001 JBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001 JBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002 JBEAP-24191 - GSS Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001 JBEAP-24195 - GSS Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001 JBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003 JBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2 JBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001 JBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001

1. Description:

Red Hat Fuse provides a small-footprint, flexible, open source enterprise service bus and integration platform. Red Hat A-MQ is a standards compliant messaging system that is tailored for use in mission critical applications. It includes bug fixes, which are documented in the patch notes accompanying the package on the download page. See the download link given in the references section below. Solution:

Before applying the update, back up your existing installation, including all applications, configuration files, databases and database settings, and so on.

Installation instructions are located in the download section of the customer portal.

The References section of this erratum contains a download link (you must log in to download the update). -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update Advisory ID: RHSA-2020:4670-01 Product: Red Hat Enterprise Linux Advisory URL: https://access.redhat.com/errata/RHSA-2020:4670 Issue date: 2020-11-03 CVE Names: CVE-2015-9251 CVE-2016-10735 CVE-2018-14040 CVE-2018-14042 CVE-2018-20676 CVE-2018-20677 CVE-2019-8331 CVE-2019-11358 CVE-2020-1722 CVE-2020-11022 ==================================================================== 1. Summary:

An update for the idm:DL1 and idm:client modules is now available for Red Hat Enterprise Linux 8.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

1. Relevant releases/architectures:

Red Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64

1. Description:

Red Hat Identity Management (IdM) is a centralized authentication, identity management, and authorization solution for both traditional and cloud-based enterprise environments.

The following packages have been upgraded to a later upstream version: ipa (4.8.7), softhsm (2.6.0), opendnssec (2.1.6). (BZ#1759888, BZ#1818765, BZ#1818877)

Security Fix(es):

• js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)

• bootstrap: XSS in the data-target attribute (CVE-2016-10735)

• bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute (CVE-2018-14040)

• bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip (CVE-2018-14042)

• bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)

• bootstrap: XSS in the affix configuration target property (CVE-2018-20677)

• bootstrap: XSS in the tooltip or popover data-template attribute (CVE-2019-8331)

• js-jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection (CVE-2019-11358)

• jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method (CVE-2020-11022)

• ipa: No password length restriction leads to denial of service (CVE-2020-1722)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 8.3 Release Notes linked from the References section.

1. Solution:

For details on how to apply this update, which includes the changes described in this advisory, refer to:

https://access.redhat.com/articles/11258

1. Bugs fixed (https://bugzilla.redhat.com/):

1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests 1430365 - [RFE] Host-group names command rename 1488732 - fake_mname in named.conf is no longer effective 1585020 - Enable compat tree to provide information about AD users and groups on trust agents 1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute 1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip 1651577 - [WebUI] IPA Error 3007: RequirmentError" while adding members in "User ID overrides" tab 1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute 1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property 1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute 1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute 1701233 - [RFE] support setting supported signature methods on the token 1701972 - CVE-2019-11358 jquery: Prototype pollution in object's prototype leading to denial of service, remote code execution, or property injection 1746830 - Memory leak during search of idview overrides 1750893 - Memory leak when slapi-nis return entries retrieved from nsswitch 1751295 - When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming 1757045 - IDM Web GUI / IPA web UI: the ID override operation doesn't work in GUI (it works only from CLI) 1759888 - Rebase OpenDNSSEC to 2.1 1768156 - ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED 1777806 - When Service weight is set as 0 for server in IPA location "IPA Error 903: InternalError" is displayed 1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service 1801698 - [RFE] Changing default hostgroup is too easy 1802471 - SELinux policy for ipa-custodia 1809835 - RFE: ipa group-add-member: number of failed should also be emphasized 1810154 - RFE: ipa-backup should compare locally and globally installed server roles 1810179 - ipa-client-install should name authselect backups and restore to that at uninstall time 1813330 - ipa-restore does not restart httpd 1816784 - KRA install fails if all KRA members are Hidden Replicas 1818765 - [Rebase] Rebase ipa to 4.8.6+ 1818877 - [Rebase] Rebase to softhsm 2.6.0+ 1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method 1831732 - AVC avc: denied { dac_override } for comm="ods-enforcerd 1831935 - AD authentication with IdM against SQL Server 1832331 - [abrt] [faf] 389-ds-base: unknown function(): /usr/sbin/ns-slapd killed by 11 1833266 - [dirsrv] set 'nsslapd-enable-upgrade-hash: off' as this raises warnings 1834264 - BIND rebase: rebuild against new so version 1834909 - softhsm use-after-free on process exit 1845211 - Rebase bind-dyndb-ldap to 11.3 1845537 - IPA bind configuration issue 1845596 - ipa trust-add fails with 'Fetching domains from trusted forest failed' 1846352 - cannot issue certs with multiple IP addresses corresponding to different hosts 1846434 - Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7 1847999 - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn 1849914 - FreeIPA - Utilize 256-bit AJP connector passwords 1851411 - ipa: typo issue in ipanthomedirectoryrive deffinition 1852244 - ipa-healthcheck inadvertently obsoleted in RHEL 8.2 1853263 - ipa-selinux package missing 1857157 - replica install failing with avc denial for custodia component 1858318 - AttributeError: module 'ssl' has no attribute 'SSLCertVerificationError' when upgrading ca-less ipa master 1859213 - AVC denial during ipa-adtrust-install --add-agents 1863079 - ipa-epn command displays 'exception: ConnectionRefusedError: [Errno 111] Connection refused' 1863616 - CA-less install does not set required permissions on KDC certificate 1866291 - EPN: enhance input validation 1866938 - ipa-epn fails to retrieve user data if some user attributes are not present 1868432 - Unhandled Python exception in '/usr/libexec/ipa/ipa-pki-retrieve-key' 1869311 - ipa trust-add fails with 'Fetching domains from trusted forest failed' 1870202 - File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less 1874015 - ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully for subdomain 1875348 - Valgrind reports a memory leak in the Schema Compatibility plugin. 1879604 - pkispawn logs files are empty

1. Package List:

Red Hat Enterprise Linux AppStream (v. 8):

Source: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.src.rpm custodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpm ipa-4.8.7-12.module+el8.3.0+8222+c1bff54a.src.rpm ipa-4.8.7-12.module+el8.3.0+8223+6212645f.src.rpm ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.src.rpm ipa-healthcheck-0.4-6.module+el8.3.0+7711+c4441980.src.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.src.rpm python-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpm python-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpm python-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpm python-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpm python-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpm python-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpm python-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpm pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpm pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.src.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.src.rpm

aarch64: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm

noarch: custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm ipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-client-common-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-common-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.noarch.rpm ipa-healthcheck-core-0.4-6.module+el8.3.0+7710+e2408ce4.noarch.rpm ipa-healthcheck-core-0.4-6.module+el8.3.0+7711+c4441980.noarch.rpm ipa-python-compat-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-python-compat-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-selinux-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm ipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm ipa-server-dns-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm python3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-ipaclient-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm python3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-ipalib-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm python3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm python3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpm python3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpm python3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpm python3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm python3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm python3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm python3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpm python3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpm

ppc64le: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm

s390x: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm

x86_64: bind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm bind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm bind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm ipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm ipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm ipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm opendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm opendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm opendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm slapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm slapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm slapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm softhsm-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm softhsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm softhsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm softhsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm

These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

1. References:

https://access.redhat.com/security/cve/CVE-2015-9251 https://access.redhat.com/security/cve/CVE-2016-10735 https://access.redhat.com/security/cve/CVE-2018-14040 https://access.redhat.com/security/cve/CVE-2018-14042 https://access.redhat.com/security/cve/CVE-2018-20676 https://access.redhat.com/security/cve/CVE-2018-20677 https://access.redhat.com/security/cve/CVE-2019-8331 https://access.redhat.com/security/cve/CVE-2019-11358 https://access.redhat.com/security/cve/CVE-2020-1722 https://access.redhat.com/security/cve/CVE-2020-11022 https://access.redhat.com/security/updates/classification/#moderate https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/

1. Contact:

The Red Hat security contact is secalert@redhat.com. More contact details at https://access.redhat.com/security/team/contact/

Copyright 2020 Red Hat, Inc. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1

iQIVAwUBX6I0xtzjgjWX9erEAQioFw/+IiVoE8tPMkiNgSNrk05OezzG/Cev8wXY mTJ+clSxujruzDZ1GyYz5Ua5v4+fwEHbTKVHiite3HKbYGgV9E5H9Y/JVR75rbPN mIfAOLmvYDp3JeHT3RBqRrtviz2UaWRTmE8E30EoC0C912w0NHpwS3fhuRmJov1X lflTtWlQCuPE/7yFQEZqYYjmKMqAVeDk4K6smM/aTzMyM+uFgaksiSTrLzU0mcHJ AAn9h59qlwUXNGRbyBCoLMJrKq5Sw1+xz518XIIjJOQDJbSqu8syzKgi/qSFuLRp 2c/OSKJ98CVoiCcyhsBW/c3B6eoDmSfeKqt6JwVH/Sva+d7Oj5vpWTB5GW4hDFFh t3cuhvyavPnyAzxRnYw5syn/RTyjaOK1U6+6SbEtJVnlx9+FW0lKs/Pcx2ocYmfO UCDXHgxmEP8DTKwJZyIZtybVkpqbXh6jf69NLROTTZMtEwJzE1NGG4ulcl6tutTq S0gchuiUuxItZlD3a9ISBXXxV0iqqd7I5p78maohzIwfyZR13S++rFt7JnoVb7SO DECfEs6VinGH0Z0YInceF6Y9N+SURBrcQpQK12/wtGSChFFU83FII2sxy6iG7pTF HPTzByu+aYgFpuEF4EKSrDlZCVJ8Es5lyp+cF401o3oGJuNo9WYScKjb51a0+SLJ zbmM3GoiGZI=QyyK -----END PGP SIGNATURE-----

-- RHSA-announce mailing list RHSA-announce@redhat.com https://www.redhat.com/mailman/listinfo/rhsa-announce . The purpose of this text-only errata is to inform you about the security issues fixed in this release.

Security Fix(es):

• HTTP/2: flood using PING frames results in unbounded memory growth (CVE-2019-9512)

• HTTP/2: flood using PRIORITY frames results in excessive resource consumption (CVE-2019-9513)

• HTTP/2: flood using HEADERS frames results in unbounded memory growth (CVE-2019-9514)

• HTTP/2: flood using SETTINGS frames results in unbounded memory growth (CVE-2019-9515)

• HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516)

• HTTP/2: request for large response leads to denial of service (CVE-2019-9517)

• HTTP/2: flood using empty frames results in excessive resource consumption (CVE-2019-9518)

• infinispan: invokeAccessibly method from ReflectionUtil class allows to invoke private methods (CVE-2019-10174)

• spring-security-core: mishandling of user passwords allows logging in with a password of NULL (CVE-2019-11272)

• jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution (CVE-2019-12384)

• jackson-databind: default typing mishandling leading to remote code execution (CVE-2019-14379)

• xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response (CVE-2019-17570)

• js-jquery: Cross-site scripting via cross-domain ajax requests (CVE-2015-9251)

• logback: Serialization vulnerability in SocketServer and ServerSocketReceiver (CVE-2017-5929)

• js-jquery: XSS in responses from cross-origin ajax requests (CVE-2017-16012)

• apache-commons-compress: ZipArchiveInputStream.read() fails to identify correct EOF allowing for DoS via crafted zip (CVE-2018-11771)

• spring-data-api: potential information disclosure through maliciously crafted example value in ExampleMatcher (CVE-2019-3802)

• undertow: leak credentials to log files UndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)

• shiro: Cookie padding oracle vulnerability with default configuration (CVE-2019-12422)

• jackson-databind: polymorphic typing issue allows attacker to read arbitrary local files on the server via crafted JSON message. 1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution 1728993 - CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL 1730316 - CVE-2019-3802 spring-data-api: potential information disclosure through maliciously crafted example value in ExampleMatcher 1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth 1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption 1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth 1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth 1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption 1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution 1741864 - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service 1741868 - CVE-2019-9517 HTTP/2: request for large response leads to denial of service 1752962 - CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI 1774726 - CVE-2019-12422 shiro: Cookie padding oracle vulnerability with default configuration 1775193 - CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response

5

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-201801-0036",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.2.1.3"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.1.3.0"
      },
      {
        "model": "service bus",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "service bus",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.1.3.0.0"
      },
      {
        "model": "retail workforce management software",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "1.60.9"
      },
      {
        "model": "retail sales audit",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail invoice matching",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail customer insights",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "16.0"
      },
      {
        "model": "retail customer insights",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "15.0"
      },
      {
        "model": "retail allocation",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "15.0.2"
      },
      {
        "model": "primavera unifier",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "18.8"
      },
      {
        "model": "primavera unifier",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "16.2"
      },
      {
        "model": "primavera unifier",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "16.1"
      },
      {
        "model": "primavera gateway",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "17.12"
      },
      {
        "model": "primavera gateway",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "16.2"
      },
      {
        "model": "primavera gateway",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "15.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.57"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.56"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.55"
      },
      {
        "model": "oss support tools",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "19.1"
      },
      {
        "model": "jdeveloper",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "jdeveloper",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.1.3.0.0"
      },
      {
        "model": "jdeveloper",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "11.1.1.9.0"
      },
      {
        "model": "jd edwards enterpriseone tools",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "insurance insbridge rating and underwriting",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "5.5"
      },
      {
        "model": "insurance insbridge rating and underwriting",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "5.4"
      },
      {
        "model": "insurance insbridge rating and underwriting",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "5.2"
      },
      {
        "model": "hospitality materials control",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "18.1"
      },
      {
        "model": "hospitality guest access",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "4.2.1"
      },
      {
        "model": "healthcare foundation",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "7.2"
      },
      {
        "model": "healthcare foundation",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "7.1"
      },
      {
        "model": "fusion middleware mapviewer",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "financial services reconciliation framework",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services reconciliation framework",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services market risk measurement and management",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services market risk measurement and management",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "enterprise operations monitor",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "4.0"
      },
      {
        "model": "enterprise operations monitor",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "3.4"
      },
      {
        "model": "enterprise manager ops center",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.3.3"
      },
      {
        "model": "enterprise manager ops center",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.2.2"
      },
      {
        "model": "communications interactive session recorder",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.2"
      },
      {
        "model": "communications interactive session recorder",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.1"
      },
      {
        "model": "communications interactive session recorder",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.0"
      },
      {
        "model": "business process management suite",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.2.1.3.0"
      },
      {
        "model": "business process management suite",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "12.1.3.0.0"
      },
      {
        "model": "business process management suite",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "11.1.1.9.0"
      },
      {
        "model": "banking platform",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "2.6.2"
      },
      {
        "model": "banking platform",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "2.6.1"
      },
      {
        "model": "agile product lifecycle management for process",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.2.3.1"
      },
      {
        "model": "agile product lifecycle management for process",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.2.3.0"
      },
      {
        "model": "agile product lifecycle management for process",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.2.2.0"
      },
      {
        "model": "agile product lifecycle management for process",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.2.1.0"
      },
      {
        "model": "agile product lifecycle management for process",
        "scope": "eq",
        "trust": 1.3,
        "vendor": "oracle",
        "version": "6.2.0.0"
      },
      {
        "model": "endeca information discovery studio",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.2.0"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "hospitality cruise fleet management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.0.11"
      },
      {
        "model": "financial services asset liability management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services profitability management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services profitability management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.3.5"
      },
      {
        "model": "utilities framework",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.3.0.4"
      },
      {
        "model": "financial services asset liability management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "banking platform",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.6.0"
      },
      {
        "model": "financial services data integration hub",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "healthcare translational research",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.1.0"
      },
      {
        "model": "hospitality guest access",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.2.0"
      },
      {
        "model": "communications converged application server",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.0.0.1"
      },
      {
        "model": "endeca information discovery studio",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "3.1.0"
      },
      {
        "model": "siebel ui framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.10"
      },
      {
        "model": "utilities framework",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "4.3.0.1"
      },
      {
        "model": "financial services funds transfer pricing",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "hospitality reporting and analytics",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "9.1.0"
      },
      {
        "model": "primavera unifier",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.1"
      },
      {
        "model": "primavera unifier",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "17.12"
      },
      {
        "model": "jquery",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "jquery",
        "version": "3.0.0"
      },
      {
        "model": "utilities mobile workforce management",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.3.0"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.2"
      },
      {
        "model": "communications webrtc session controller",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.2"
      },
      {
        "model": "financial services hedge management and ifrs valuations",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "webcenter sites",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "11.1.1.8.0"
      },
      {
        "model": "retail workforce management software",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "1.64.0"
      },
      {
        "model": "financial services data integration hub",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services funds transfer pricing",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services liquidity risk management",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.2"
      },
      {
        "model": "siebel ui framework",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "18.11"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "7.3.3"
      },
      {
        "model": "financial services liquidity risk management",
        "scope": "lte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services hedge management and ifrs valuations",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "communications services gatekeeper",
        "scope": "lt",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "6.1.0.4.0"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "gte",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "8.0.0"
      },
      {
        "model": "real-time scheduler",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "2.3.0"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.6.3"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.6.2"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.6.1"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.4.2"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.8.1"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.8.0"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.7.2"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.7.1"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.6.4"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.9,
        "vendor": "jquery",
        "version": "1.6"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "jquery",
        "version": "3.0.0"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "jquery",
        "version": null
      },
      {
        "model": "webcenter sites",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.18.0"
      },
      {
        "model": "utilities mobile workforce management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "2.3"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "4.3.0.4"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "4.3.0.3.0"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "4.3.0.2.0"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "4.3.0.1.0"
      },
      {
        "model": "utilities framework",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "4.3.0.1"
      },
      {
        "model": "retail workforce management software",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "1.64"
      },
      {
        "model": "real-time scheduler",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "2.3.0.0"
      },
      {
        "model": "primavera unifier",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "17.7"
      },
      {
        "model": "primavera unifier",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "17.12"
      },
      {
        "model": "hospitality reporting and analytics",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.1"
      },
      {
        "model": "hospitality guest access",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "4.2"
      },
      {
        "model": "healthcare translational research",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.1"
      },
      {
        "model": "financial services profitability management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services profitability management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services profitability management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.3"
      },
      {
        "model": "financial services loan loss forecasting and provisioning",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.2"
      },
      {
        "model": "financial services liquidity risk management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services liquidity risk management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services liquidity risk management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.2"
      },
      {
        "model": "financial services hedge management and ifrs valuations",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services hedge management and ifrs valuations",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services hedge management and ifrs valuations",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services funds transfer pricing",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services funds transfer pricing",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services funds transfer pricing",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services data integration hub",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services data integration hub",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services asset liability management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services asset liability management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services asset liability management",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.7"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.6"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.5"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.4"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.3"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.2"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0.1"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.0"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.3.5"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.3.4"
      },
      {
        "model": "financial services analytical applications infrastructure",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.3.3"
      },
      {
        "model": "endeca information discovery studio",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "endeca information discovery studio",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.1"
      },
      {
        "model": "diagnostic assistant",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "2.12"
      },
      {
        "model": "communications webrtc session controller",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.1"
      },
      {
        "model": "communications webrtc session controller",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.0"
      },
      {
        "model": "communications converged application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.0"
      },
      {
        "model": "communications application session controller",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.8"
      },
      {
        "model": "communications application session controller",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.7.1"
      },
      {
        "model": "business intelligence enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "12.2.1.4.0"
      },
      {
        "model": "business intelligence enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.1.9.0"
      },
      {
        "model": "banking platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "2.6"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "jquery",
        "version": "1.9"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "jquery",
        "version": "1.2.6"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "jquery",
        "version": "2.2"
      },
      {
        "model": "jquery",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "jquery",
        "version": "2.1"
      },
      {
        "model": "intouch access anywhere update",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "aveva",
        "version": "20172"
      },
      {
        "model": "intouch access anywhere",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "aveva",
        "version": "2017"
      },
      {
        "model": "diagnostic assistant",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "2.12.36"
      },
      {
        "model": "communications webrtc session controller",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.2"
      },
      {
        "model": "communications converged application server",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "7.0.0.1"
      },
      {
        "model": "jquery",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "jquery",
        "version": "3.0"
      },
      {
        "model": "intouch access anywhere update 2b",
        "scope": "ne",
        "trust": 0.3,
        "vendor": "aveva",
        "version": "2017"
      }
    ],
    "sources": [
      {
        "db": "BID",
        "id": "105658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "John Martinelli,Red Hat,Oleg Gaidarenko,SECURELI.com",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      }
    ],
    "trust": 0.6
  },
  "cve": "CVE-2015-9251",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "CVE-2015-9251",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 1.8,
            "vectorString": "AV:N/AC:M/Au:N/C:N/I:P/A:N",
            "version": "2.0"
          },
          {
            "accessComplexity": "MEDIUM",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "VULHUB",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "confidentialityImpact": "NONE",
            "exploitabilityScore": 8.6,
            "id": "VHN-87212",
            "impactScore": 2.9,
            "integrityImpact": "PARTIAL",
            "severity": "MEDIUM",
            "trust": 0.1,
            "vectorString": "AV:N/AC:M/AU:N/C:N/I:P/A:N",
            "version": "2.0"
          }
        ],
        "cvssV3": [
          {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "author": "nvd@nist.gov",
            "availabilityImpact": "NONE",
            "baseScore": 6.1,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "exploitabilityScore": 2.8,
            "id": "CVE-2015-9251",
            "impactScore": 2.7,
            "integrityImpact": "LOW",
            "privilegesRequired": "NONE",
            "scope": "CHANGED",
            "trust": 1.8,
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N",
            "version": "3.0"
          }
        ],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2015-9251",
            "trust": 1.0,
            "value": "MEDIUM"
          },
          {
            "author": "NVD",
            "id": "CVE-2015-9251",
            "trust": 0.8,
            "value": "Medium"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-201801-798",
            "trust": 0.6,
            "value": "MEDIUM"
          },
          {
            "author": "VULHUB",
            "id": "VHN-87212",
            "trust": 0.1,
            "value": "MEDIUM"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed. jQuery Contains a cross-site scripting vulnerability.Information may be obtained and information may be tampered with. JQuery is prone to a cross-site-scripting vulnerability because it fails to sufficiently sanitize user-supplied input. \nAn attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks. \nVersions prior to JQuery 3.0.0 are vulnerable. jQuery is an open source, cross-browser JavaScript library developed by American John Resig programmers. The library simplifies the operation between HTML and JavaScript, and has the characteristics of modularization and plug-in extension. The vulnerability stems from the lack of correct validation of client data in WEB applications. An attacker could exploit this vulnerability to execute client code. Solution:\n\nBefore applying this update, make sure all previously released errata\nrelevant to your system have been applied. JIRA issues fixed (https://issues.jboss.org/):\n\nJBEAP-23864 - (7.4.z) Upgrade xmlsec from 2.1.7.redhat-00001 to 2.2.3.redhat-00001\nJBEAP-23865 - [GSS](7.4.z) Upgrade Apache CXF from 3.3.13.redhat-00001 to 3.4.10.redhat-00001\nJBEAP-23866 - (7.4.z) Upgrade wss4j from 2.2.7.redhat-00001 to 2.3.3.redhat-00001\nJBEAP-23928 - Tracker bug for the EAP 7.4.9 release for RHEL-9\nJBEAP-24055 - (7.4.z) Upgrade HAL from 3.3.15.Final-redhat-00001 to 3.3.16.Final-redhat-00001\nJBEAP-24081 - (7.4.z) Upgrade Elytron from 1.15.14.Final-redhat-00001 to 1.15.15.Final-redhat-00001\nJBEAP-24095 - (7.4.z) Upgrade elytron-web from 1.9.2.Final-redhat-00001 to 1.9.3.Final-redhat-00001\nJBEAP-24100 - [GSS](7.4.z) Upgrade Undertow from 2.2.20.SP1-redhat-00001 to 2.2.22.SP3-redhat-00001\nJBEAP-24127 - (7.4.z) UNDERTOW-2123 - Update AsyncContextImpl.dispatch to use proper value\nJBEAP-24128 - (7.4.z) Upgrade Hibernate Search from 5.10.7.Final-redhat-00001 to 5.10.13.Final-redhat-00001\nJBEAP-24132 - [GSS](7.4.z) Upgrade Ironjacamar from 1.5.3.SP2-redhat-00001 to 1.5.10.Final-redhat-00001\nJBEAP-24147 - (7.4.z) Upgrade jboss-ejb-client from 4.0.45.Final-redhat-00001 to 4.0.49.Final-redhat-00001\nJBEAP-24167 - (7.4.z) Upgrade WildFly Core from 15.0.19.Final-redhat-00001 to 15.0.21.Final-redhat-00002\nJBEAP-24191 - [GSS](7.4.z) Upgrade remoting from 5.0.26.SP1-redhat-00001 to 5.0.27.Final-redhat-00001\nJBEAP-24195 - [GSS](7.4.z) Upgrade JSF API from 3.0.0.SP06-redhat-00001 to 3.0.0.SP07-redhat-00001\nJBEAP-24207 - (7.4.z) Upgrade Soteria from 1.0.1.redhat-00002 to 1.0.1.redhat-00003\nJBEAP-24248 - (7.4.z) ELY-2492 - Upgrade sshd-common in Elytron from 2.7.0 to 2.9.2\nJBEAP-24426 - (7.4.z) Upgrade Elytron from 1.15.15.Final-redhat-00001 to 1.15.16.Final-redhat-00001\nJBEAP-24427 - (7.4.z) Upgrade WildFly Core from 15.0.21.Final-redhat-00002 to 15.0.22.Final-redhat-00001\n\n7. Description:\n\nRed Hat Fuse provides a small-footprint, flexible, open source enterprise\nservice bus and integration platform. Red Hat A-MQ is a standards compliant\nmessaging system that is tailored for use in mission critical applications. It\nincludes bug fixes, which are documented in the patch notes accompanying\nthe package on the download page. See the download link given in the\nreferences section below. Solution:\n\nBefore applying the update, back up your existing installation, including\nall applications, configuration files, databases and database settings, and\nso on. \n\nInstallation instructions are located in the download section of the\ncustomer portal. \n\nThe References section of this erratum contains a download link (you must\nlog in to download the update). -----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n====================================================================                   \nRed Hat Security Advisory\n\nSynopsis:          Moderate: idm:DL1 and idm:client security, bug fix, and enhancement update\nAdvisory ID:       RHSA-2020:4670-01\nProduct:           Red Hat Enterprise Linux\nAdvisory URL:      https://access.redhat.com/errata/RHSA-2020:4670\nIssue date:        2020-11-03\nCVE Names:         CVE-2015-9251 CVE-2016-10735 CVE-2018-14040\n                   CVE-2018-14042 CVE-2018-20676 CVE-2018-20677\n                   CVE-2019-8331 CVE-2019-11358 CVE-2020-1722\n                   CVE-2020-11022\n====================================================================\n1. Summary:\n\nAn update for the idm:DL1 and idm:client modules is now available for Red\nHat Enterprise Linux 8. \n\nRed Hat Product Security has rated this update as having a security impact\nof Moderate. A Common Vulnerability Scoring System (CVSS) base score, which\ngives a detailed severity rating, is available for each vulnerability from\nthe CVE link(s) in the References section. \n\n2. Relevant releases/architectures:\n\nRed Hat Enterprise Linux AppStream (v. 8) - aarch64, noarch, ppc64le, s390x, x86_64\n\n3. Description:\n\nRed Hat Identity Management (IdM) is a centralized authentication, identity\nmanagement, and authorization solution for both traditional and cloud-based\nenterprise environments. \n\nThe following packages have been upgraded to a later upstream version: ipa\n(4.8.7), softhsm (2.6.0), opendnssec (2.1.6). (BZ#1759888, BZ#1818765,\nBZ#1818877)\n\nSecurity Fix(es):\n\n* js-jquery: Cross-site scripting via cross-domain ajax requests\n(CVE-2015-9251)\n\n* bootstrap: XSS in the data-target attribute (CVE-2016-10735)\n\n* bootstrap: Cross-site Scripting (XSS) in the collapse data-parent\nattribute (CVE-2018-14040)\n\n* bootstrap: Cross-site Scripting (XSS) in the data-container property of\ntooltip (CVE-2018-14042)\n\n* bootstrap: XSS in the tooltip data-viewport attribute (CVE-2018-20676)\n\n* bootstrap: XSS in the affix configuration target property\n(CVE-2018-20677)\n\n* bootstrap: XSS in the tooltip or popover data-template attribute\n(CVE-2019-8331)\n\n* js-jquery: Prototype pollution in object\u0027s prototype leading to denial of\nservice, remote code execution, or property injection (CVE-2019-11358)\n\n* jquery: Cross-site scripting due to improper injQuery.htmlPrefilter\nmethod (CVE-2020-11022)\n\n* ipa: No password length restriction leads to denial of service\n(CVE-2020-1722)\n\nFor more details about the security issue(s), including the impact, a CVSS\nscore, acknowledgments, and other related information, refer to the CVE\npage(s) listed in the References section. \n\nAdditional Changes:\n\nFor detailed information on changes in this release, see the Red Hat\nEnterprise Linux 8.3 Release Notes linked from the References section. \n\n4. Solution:\n\nFor details on how to apply this update, which includes the changes\ndescribed in this advisory, refer to:\n\nhttps://access.redhat.com/articles/11258\n\n5. Bugs fixed (https://bugzilla.redhat.com/):\n\n1399546 - CVE-2015-9251 jquery: Cross-site scripting via cross-domain ajax requests\n1430365 - [RFE] Host-group names command rename\n1488732 - fake_mname in named.conf is no longer effective\n1585020 - Enable compat tree to provide information about AD users and groups on trust agents\n1601614 - CVE-2018-14040 bootstrap: Cross-site Scripting (XSS) in the collapse data-parent attribute\n1601617 - CVE-2018-14042 bootstrap: Cross-site Scripting (XSS) in the data-container property of tooltip\n1651577 - [WebUI] IPA Error 3007: RequirmentError\" while adding members in \"User ID overrides\" tab\n1668082 - CVE-2018-20676 bootstrap: XSS in the tooltip data-viewport attribute\n1668089 - CVE-2018-20677 bootstrap: XSS in the affix configuration target property\n1668097 - CVE-2016-10735 bootstrap: XSS in the data-target attribute\n1686454 - CVE-2019-8331 bootstrap: XSS in the tooltip or popover data-template attribute\n1701233 - [RFE] support setting supported signature methods on the token\n1701972 - CVE-2019-11358 jquery: Prototype pollution in object\u0027s prototype leading to denial of service, remote code execution, or property injection\n1746830 - Memory leak during search  of idview overrides\n1750893 - Memory leak when slapi-nis return entries retrieved from nsswitch\n1751295 - When sync-repl is enabled, slapi-nis can deadlock during retrochanglog trimming\n1757045 - IDM Web GUI / IPA web UI: the ID override operation doesn\u0027t work in GUI (it works only from CLI)\n1759888 - Rebase OpenDNSSEC to 2.1\n1768156 - ERR - schemacompat - map rdlock: old way MAP_MONITOR_DISABLED\n1777806 - When Service weight is set as 0 for server in IPA location \"IPA Error 903: InternalError\" is displayed\n1793071 - CVE-2020-1722 ipa: No password length restriction leads to denial of service\n1801698 - [RFE] Changing default hostgroup is too easy\n1802471 - SELinux policy for ipa-custodia\n1809835 - RFE: ipa group-add-member: number of failed should also be emphasized\n1810154 - RFE: ipa-backup should compare locally and globally installed server roles\n1810179 - ipa-client-install should name authselect backups and restore to that at uninstall time\n1813330 - ipa-restore does not restart httpd\n1816784 - KRA install fails if all KRA members are Hidden Replicas\n1818765 - [Rebase] Rebase ipa to 4.8.6+\n1818877 - [Rebase] Rebase to softhsm 2.6.0+\n1828406 - CVE-2020-11022 jquery: Cross-site scripting due to improper injQuery.htmlPrefilter method\n1831732 - AVC avc:  denied  { dac_override } for comm=\"ods-enforcerd\n1831935 - AD authentication with IdM against SQL Server\n1832331 - [abrt] [faf] 389-ds-base: unknown function(): /usr/sbin/ns-slapd killed by 11\n1833266 - [dirsrv] set \u0027nsslapd-enable-upgrade-hash: off\u0027 as this raises warnings\n1834264 - BIND rebase: rebuild against new so version\n1834909 - softhsm use-after-free on process exit\n1845211 - Rebase bind-dyndb-ldap to 11.3\n1845537 - IPA bind configuration issue\n1845596 - ipa trust-add fails with \u0027Fetching domains from trusted forest failed\u0027\n1846352 - cannot issue certs with multiple IP addresses corresponding to different hosts\n1846434 - Remove ipa-idoverride-memberof as superceded by ipa-server 4.8.7\n1847999 - EPN does not ship its default configuration ( /etc/ipa/epn.conf ) in freeipa-client-epn\n1849914 - FreeIPA - Utilize 256-bit AJP connector passwords\n1851411 - ipa: typo issue in ipanthomedirectoryrive deffinition\n1852244 - ipa-healthcheck inadvertently obsoleted in RHEL 8.2\n1853263 - ipa-selinux package missing\n1857157 - replica install failing with avc denial for custodia component\n1858318 - AttributeError: module \u0027ssl\u0027 has no attribute \u0027SSLCertVerificationError\u0027  when upgrading ca-less ipa master\n1859213 - AVC denial during ipa-adtrust-install --add-agents\n1863079 - ipa-epn command displays \u0027exception: ConnectionRefusedError: [Errno 111] Connection refused\u0027\n1863616 - CA-less install does not set required permissions on KDC certificate\n1866291 - EPN: enhance input validation\n1866938 - ipa-epn fails to retrieve user data if some user attributes are not present\n1868432 - Unhandled Python exception in \u0027/usr/libexec/ipa/ipa-pki-retrieve-key\u0027\n1869311 - ipa trust-add fails with \u0027Fetching domains from trusted forest failed\u0027\n1870202 - File permissions of /etc/ipa/ca.crt differ between CA-ful and CA-less\n1874015 - ipa hbacrule-add-service --hbacsvcs=sshd is not applied successfully for subdomain\n1875348 - Valgrind reports a memory leak in the Schema Compatibility plugin. \n1879604 - pkispawn logs files are empty\n\n6. Package List:\n\nRed Hat Enterprise Linux AppStream (v. 8):\n\nSource:\nbind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.src.rpm\ncustodia-0.6.0-3.module+el8.1.0+4098+f286395e.src.rpm\nipa-4.8.7-12.module+el8.3.0+8222+c1bff54a.src.rpm\nipa-4.8.7-12.module+el8.3.0+8223+6212645f.src.rpm\nipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.src.rpm\nipa-healthcheck-0.4-6.module+el8.3.0+7711+c4441980.src.rpm\nopendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.src.rpm\npython-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.src.rpm\npython-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.src.rpm\npython-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.src.rpm\npython-qrcode-5.1-12.module+el8.1.0+4098+f286395e.src.rpm\npython-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.src.rpm\npython-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.src.rpm\npython-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.src.rpm\npyusb-1.0.0-9.module+el8.1.0+4098+f286395e.src.rpm\npyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.src.rpm\nslapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.src.rpm\nsofthsm-2.6.0-3.module+el8.3.0+6909+fb33717d.src.rpm\n\naarch64:\nbind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm\nbind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm\nbind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.aarch64.rpm\nipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.aarch64.rpm\nipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nopendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm\nopendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm\nopendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.aarch64.rpm\nslapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nslapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nslapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.aarch64.rpm\nsofthsm-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm\nsofthsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm\nsofthsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm\nsofthsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.aarch64.rpm\n\nnoarch:\ncustodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm\nipa-client-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\nipa-client-common-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm\nipa-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\nipa-common-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm\nipa-healthcheck-0.4-6.module+el8.3.0+7710+e2408ce4.noarch.rpm\nipa-healthcheck-core-0.4-6.module+el8.3.0+7710+e2408ce4.noarch.rpm\nipa-healthcheck-core-0.4-6.module+el8.3.0+7711+c4441980.noarch.rpm\nipa-python-compat-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\nipa-python-compat-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm\nipa-selinux-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\nipa-selinux-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm\nipa-server-common-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\nipa-server-dns-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\npython3-custodia-0.6.0-3.module+el8.1.0+4098+f286395e.noarch.rpm\npython3-ipaclient-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\npython3-ipaclient-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm\npython3-ipalib-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\npython3-ipalib-4.8.7-12.module+el8.3.0+8223+6212645f.noarch.rpm\npython3-ipaserver-4.8.7-12.module+el8.3.0+8222+c1bff54a.noarch.rpm\npython3-jwcrypto-0.5.0-1.module+el8.1.0+4098+f286395e.noarch.rpm\npython3-jwcrypto-0.5.0-1.module+el8.1.0+4107+4a66eb87.noarch.rpm\npython3-kdcproxy-0.4-5.module+el8.2.0+4691+a05b2456.noarch.rpm\npython3-pyusb-1.0.0-9.module+el8.1.0+4098+f286395e.noarch.rpm\npython3-pyusb-1.0.0-9.module+el8.1.0+4107+4a66eb87.noarch.rpm\npython3-qrcode-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm\npython3-qrcode-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm\npython3-qrcode-core-5.1-12.module+el8.1.0+4098+f286395e.noarch.rpm\npython3-qrcode-core-5.1-12.module+el8.1.0+4107+4a66eb87.noarch.rpm\npython3-yubico-1.3.2-9.module+el8.1.0+4098+f286395e.noarch.rpm\npython3-yubico-1.3.2-9.module+el8.1.0+4107+4a66eb87.noarch.rpm\n\nppc64le:\nbind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm\nbind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm\nbind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.ppc64le.rpm\nipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.ppc64le.rpm\nipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nopendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm\nopendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm\nopendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.ppc64le.rpm\nslapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nslapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nslapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.ppc64le.rpm\nsofthsm-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm\nsofthsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm\nsofthsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm\nsofthsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.ppc64le.rpm\n\ns390x:\nbind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm\nbind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm\nbind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.s390x.rpm\nipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.s390x.rpm\nipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.s390x.rpm\nopendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm\nopendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm\nopendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.s390x.rpm\nslapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm\nslapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm\nslapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.s390x.rpm\nsofthsm-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm\nsofthsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm\nsofthsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm\nsofthsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.s390x.rpm\n\nx86_64:\nbind-dyndb-ldap-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm\nbind-dyndb-ldap-debuginfo-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm\nbind-dyndb-ldap-debugsource-11.3-1.module+el8.3.0+6993+104f8db0.x86_64.rpm\nipa-client-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-client-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-client-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-client-epn-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-client-samba-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-debuginfo-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-debugsource-4.8.7-12.module+el8.3.0+8223+6212645f.x86_64.rpm\nipa-server-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-server-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-server-trust-ad-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nipa-server-trust-ad-debuginfo-4.8.7-12.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nopendnssec-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm\nopendnssec-debuginfo-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm\nopendnssec-debugsource-2.1.6-2.module+el8.3.0+6580+328a3362.x86_64.rpm\nslapi-nis-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nslapi-nis-debuginfo-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nslapi-nis-debugsource-0.56.5-4.module+el8.3.0+8222+c1bff54a.x86_64.rpm\nsofthsm-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm\nsofthsm-debuginfo-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm\nsofthsm-debugsource-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm\nsofthsm-devel-2.6.0-3.module+el8.3.0+6909+fb33717d.x86_64.rpm\n\nThese packages are GPG signed by Red Hat for security.  Our key and\ndetails on how to verify the signature are available from\nhttps://access.redhat.com/security/team/key/\n\n7. References:\n\nhttps://access.redhat.com/security/cve/CVE-2015-9251\nhttps://access.redhat.com/security/cve/CVE-2016-10735\nhttps://access.redhat.com/security/cve/CVE-2018-14040\nhttps://access.redhat.com/security/cve/CVE-2018-14042\nhttps://access.redhat.com/security/cve/CVE-2018-20676\nhttps://access.redhat.com/security/cve/CVE-2018-20677\nhttps://access.redhat.com/security/cve/CVE-2019-8331\nhttps://access.redhat.com/security/cve/CVE-2019-11358\nhttps://access.redhat.com/security/cve/CVE-2020-1722\nhttps://access.redhat.com/security/cve/CVE-2020-11022\nhttps://access.redhat.com/security/updates/classification/#moderate\nhttps://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/\n\n8. Contact:\n\nThe Red Hat security contact is \u003csecalert@redhat.com\u003e. More contact\ndetails at https://access.redhat.com/security/team/contact/\n\nCopyright 2020 Red Hat, Inc. \n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1\n\niQIVAwUBX6I0xtzjgjWX9erEAQioFw/+IiVoE8tPMkiNgSNrk05OezzG/Cev8wXY\nmTJ+clSxujruzDZ1GyYz5Ua5v4+fwEHbTKVHiite3HKbYGgV9E5H9Y/JVR75rbPN\nmIfAOLmvYDp3JeHT3RBqRrtviz2UaWRTmE8E30EoC0C912w0NHpwS3fhuRmJov1X\nlflTtWlQCuPE/7yFQEZqYYjmKMqAVeDk4K6smM/aTzMyM+uFgaksiSTrLzU0mcHJ\nAAn9h59qlwUXNGRbyBCoLMJrKq5Sw1+xz518XIIjJOQDJbSqu8syzKgi/qSFuLRp\n2c/OSKJ98CVoiCcyhsBW/c3B6eoDmSfeKqt6JwVH/Sva+d7Oj5vpWTB5GW4hDFFh\nt3cuhvyavPnyAzxRnYw5syn/RTyjaOK1U6+6SbEtJVnlx9+FW0lKs/Pcx2ocYmfO\nUCDXHgxmEP8DTKwJZyIZtybVkpqbXh6jf69NLROTTZMtEwJzE1NGG4ulcl6tutTq\nS0gchuiUuxItZlD3a9ISBXXxV0iqqd7I5p78maohzIwfyZR13S++rFt7JnoVb7SO\nDECfEs6VinGH0Z0YInceF6Y9N+SURBrcQpQK12/wtGSChFFU83FII2sxy6iG7pTF\nHPTzByu+aYgFpuEF4EKSrDlZCVJ8Es5lyp+cF401o3oGJuNo9WYScKjb51a0+SLJ\nzbmM3GoiGZI=QyyK\n-----END PGP SIGNATURE-----\n\n--\nRHSA-announce mailing list\nRHSA-announce@redhat.com\nhttps://www.redhat.com/mailman/listinfo/rhsa-announce\n. \nThe purpose of this text-only errata is to inform you about the security\nissues fixed in this release. \n\nSecurity Fix(es):\n\n* HTTP/2: flood using PING frames results in unbounded memory growth\n(CVE-2019-9512)\n\n* HTTP/2: flood using PRIORITY frames results in excessive resource\nconsumption (CVE-2019-9513)\n\n* HTTP/2: flood using HEADERS frames results in unbounded memory growth\n(CVE-2019-9514)\n\n* HTTP/2: flood using SETTINGS frames results in unbounded memory growth\n(CVE-2019-9515)\n\n* HTTP/2: 0-length headers lead to denial of service (CVE-2019-9516)\n\n* HTTP/2: request for large response leads to denial of service\n(CVE-2019-9517)\n\n* HTTP/2: flood using empty frames results in excessive resource\nconsumption (CVE-2019-9518)\n\n* infinispan: invokeAccessibly method from ReflectionUtil class allows to\ninvoke private methods (CVE-2019-10174)\n\n* spring-security-core: mishandling of user passwords allows logging in\nwith a password of NULL (CVE-2019-11272)\n\n* jackson-databind: failure to block the logback-core class from\npolymorphic deserialization leading to remote code execution\n(CVE-2019-12384)\n\n* jackson-databind: default typing mishandling leading to remote code\nexecution (CVE-2019-14379)\n\n* xmlrpc: Deserialization of server-side exception from faultCause in\nXMLRPC error response (CVE-2019-17570)\n\n* js-jquery: Cross-site scripting via cross-domain ajax requests\n(CVE-2015-9251)\n\n* logback: Serialization vulnerability in SocketServer and\nServerSocketReceiver (CVE-2017-5929)\n\n* js-jquery: XSS in responses from cross-origin ajax requests\n(CVE-2017-16012)\n\n* apache-commons-compress: ZipArchiveInputStream.read() fails to identify\ncorrect EOF allowing for DoS via crafted zip (CVE-2018-11771)\n\n* spring-data-api: potential information disclosure through maliciously\ncrafted example value in ExampleMatcher (CVE-2019-3802)\n\n* undertow: leak credentials to log files\nUndertowLogger.REQUEST_LOGGER.undertowRequestFailed (CVE-2019-3888)\n\n* shiro: Cookie padding oracle vulnerability with default configuration\n(CVE-2019-12422)\n\n* jackson-databind: polymorphic typing issue allows attacker to read\narbitrary local files on the server via crafted JSON message. \n1725807 - CVE-2019-12384 jackson-databind: failure to block the logback-core class from polymorphic deserialization leading to remote code execution\n1728993 - CVE-2019-11272 spring-security-core: mishandling of user passwords allows logging in with a password of NULL\n1730316 - CVE-2019-3802 spring-data-api: potential information disclosure through maliciously crafted example value in ExampleMatcher\n1735645 - CVE-2019-9512 HTTP/2: flood using PING frames results in unbounded memory growth\n1735741 - CVE-2019-9513 HTTP/2: flood using PRIORITY frames results in excessive resource consumption\n1735744 - CVE-2019-9514 HTTP/2: flood using HEADERS frames results in unbounded memory growth\n1735745 - CVE-2019-9515 HTTP/2: flood using SETTINGS frames results in unbounded memory growth\n1735749 - CVE-2019-9518 HTTP/2: flood using empty frames results in excessive resource consumption\n1737517 - CVE-2019-14379 jackson-databind: default typing mishandling leading to remote code execution\n1741864 - CVE-2019-9516 HTTP/2: 0-length headers lead to denial of service\n1741868 - CVE-2019-9517 HTTP/2: request for large response leads to denial of service\n1752962 - CVE-2019-14439 jackson-databind: Polymorphic typing issue related to logback/JNDI\n1774726 - CVE-2019-12422 shiro: Cookie padding oracle vulnerability with default configuration\n1775193 - CVE-2019-17570 xmlrpc: Deserialization of server-side exception from faultCause in XMLRPC error response\n\n5",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "BID",
        "id": "105658"
      },
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "db": "PACKETSTORM",
        "id": "170819"
      },
      {
        "db": "PACKETSTORM",
        "id": "170823"
      },
      {
        "db": "PACKETSTORM",
        "id": "156315"
      },
      {
        "db": "PACKETSTORM",
        "id": "159876"
      },
      {
        "db": "PACKETSTORM",
        "id": "156941"
      }
    ],
    "trust": 2.43
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2015-9251",
        "trust": 3.3
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-18-212-04",
        "trust": 2.8
      },
      {
        "db": "BID",
        "id": "105658",
        "trust": 2.0
      },
      {
        "db": "PACKETSTORM",
        "id": "153237",
        "trust": 1.7
      },
      {
        "db": "PACKETSTORM",
        "id": "156743",
        "trust": 1.7
      },
      {
        "db": "PACKETSTORM",
        "id": "152787",
        "trust": 1.7
      },
      {
        "db": "TENABLE",
        "id": "TNS-2019-08",
        "trust": 1.7
      },
      {
        "db": "PULSESECURE",
        "id": "SA44601",
        "trust": 1.7
      },
      {
        "db": "PACKETSTORM",
        "id": "156315",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "170823",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "156941",
        "trust": 0.8
      },
      {
        "db": "JVN",
        "id": "JVNVU96012689",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097",
        "trust": 0.8
      },
      {
        "db": "PACKETSTORM",
        "id": "159353",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "159852",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "170821",
        "trust": 0.7
      },
      {
        "db": "PACKETSTORM",
        "id": "156630",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798",
        "trust": 0.7
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.1016",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.0832",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2023.0585",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.3165",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3875",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.1238",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2023.0583",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.0494",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2022.1512",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.1519",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3267",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.1299",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.1076",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.0465",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3902",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.4294",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2020.3368",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2019.1225",
        "trust": 0.6
      },
      {
        "db": "AUSCERT",
        "id": "ESB-2021.2525",
        "trust": 0.6
      },
      {
        "db": "ICS CERT",
        "id": "ICSMA-21-187-01",
        "trust": 0.6
      },
      {
        "db": "ICS CERT",
        "id": "ICSA-22-097-01",
        "trust": 0.6
      },
      {
        "db": "PACKETSTORM",
        "id": "170819",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "159876",
        "trust": 0.2
      },
      {
        "db": "PACKETSTORM",
        "id": "170817",
        "trust": 0.1
      },
      {
        "db": "SEEBUG",
        "id": "SSVID-98926",
        "trust": 0.1
      },
      {
        "db": "VULHUB",
        "id": "VHN-87212",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "db": "BID",
        "id": "105658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "PACKETSTORM",
        "id": "170819"
      },
      {
        "db": "PACKETSTORM",
        "id": "170823"
      },
      {
        "db": "PACKETSTORM",
        "id": "156315"
      },
      {
        "db": "PACKETSTORM",
        "id": "159876"
      },
      {
        "db": "PACKETSTORM",
        "id": "156941"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "id": "VAR-201801-0036",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      }
    ],
    "trust": 0.01
  },
  "last_update_date": "2024-11-29T22:33:43.707000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "Mitigate\u00a0possible\u00a0XSS\u00a0vulnerability\u00a0#2588\u00a0(c254d30)",
        "trust": 0.8,
        "url": "https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc"
      },
      {
        "title": "jQuery Fixes for cross-site scripting vulnerabilities",
        "trust": 0.6,
        "url": "http://123.124.177.30/web/xxk/bdxqById.tag?id=77976"
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "CWE-79",
        "trust": 1.1
      },
      {
        "problemtype": "Cross-site scripting (CWE-79) [NVD Evaluation ]",
        "trust": 0.8
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.9,
        "url": "http://www.securityfocus.com/bid/105658"
      },
      {
        "trust": 2.9,
        "url": "http://packetstormsecurity.com/files/152787/dotcms-5.1.1-vulnerable-dependencies.html"
      },
      {
        "trust": 2.6,
        "url": "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html"
      },
      {
        "trust": 2.4,
        "url": "https://access.redhat.com/errata/rhsa-2020:0481"
      },
      {
        "trust": 2.3,
        "url": "http://packetstormsecurity.com/files/153237/retirejs-cors-issue-script-execution.html"
      },
      {
        "trust": 2.3,
        "url": "http://packetstormsecurity.com/files/156743/octobercms-insecure-dependencies.html"
      },
      {
        "trust": 2.3,
        "url": "https://www.oracle.com/security-alerts/cpujul2020.html"
      },
      {
        "trust": 2.0,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html"
      },
      {
        "trust": 2.0,
        "url": "https://github.com/jquery/jquery/commit/f60729f3903d17917dc351f3ac87794de379b0cc"
      },
      {
        "trust": 2.0,
        "url": "https://github.com/jquery/jquery/pull/2588"
      },
      {
        "trust": 2.0,
        "url": "https://ics-cert.us-cert.gov/advisories/icsa-18-212-04"
      },
      {
        "trust": 2.0,
        "url": "https://sw.aveva.com/hubfs/assets-2018/pdf/security-bulletin/securitybulletin_lfsec126.pdf"
      },
      {
        "trust": 2.0,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html"
      },
      {
        "trust": 2.0,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html"
      },
      {
        "trust": 1.7,
        "url": "https://seclists.org/bugtraq/2019/may/18"
      },
      {
        "trust": 1.7,
        "url": "https://kb.pulsesecure.net/articles/pulse_security_advisories/sa44601"
      },
      {
        "trust": 1.7,
        "url": "https://security.netapp.com/advisory/ntap-20210108-0004/"
      },
      {
        "trust": 1.7,
        "url": "https://www.tenable.com/security/tns-2019-08"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2019/may/13"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2019/may/11"
      },
      {
        "trust": 1.7,
        "url": "http://seclists.org/fulldisclosure/2019/may/10"
      },
      {
        "trust": 1.7,
        "url": "https://github.com/jquery/jquery/issues/2432"
      },
      {
        "trust": 1.7,
        "url": "https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2"
      },
      {
        "trust": 1.7,
        "url": "https://snyk.io/vuln/npm:jquery:20150627"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpuapr2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpujan2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/security-alerts/cpuoct2020.html"
      },
      {
        "trust": 1.7,
        "url": "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html"
      },
      {
        "trust": 1.7,
        "url": "https://access.redhat.com/errata/rhsa-2020:0729"
      },
      {
        "trust": 1.7,
        "url": "http://lists.opensuse.org/opensuse-security-announce/2020-03/msg00041.html"
      },
      {
        "trust": 1.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2015-9251"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731%40%3cdev.flink.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3cissues.drill.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2%40%3cuser.flink.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49%40%3cuser.flink.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6%40%3ccommits.roller.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 1.0,
        "url": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854%40%3cuser.flink.apache.org%3e"
      },
      {
        "trust": 0.9,
        "url": "https://jquery.org/"
      },
      {
        "trust": 0.8,
        "url": "https://jvn.jp/vu/jvnvu96012689/"
      },
      {
        "trust": 0.8,
        "url": "https://www.us-cert.gov/ics/advisories/icsa-18-212-04"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3cdev.drill.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3cissues.drill.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/10f0f3aefd51444d1198c65f44ffdf2d78ca3359423dbc1c168c9731@%3cdev.flink.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/54df3aeb4239b64b50b356f0ca6f986e3c4ca5b84c515dce077c7854@%3cuser.flink.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/17ff53f7999e74fbe3cc0ceb4e1c3b00b180b7c5afec8e978837bc49@%3cuser.flink.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/52bafac05ad174000ea465fe275fd3cc7bd5c25535a7631c0bc9bfb2@%3cuser.flink.apache.org%3e"
      },
      {
        "trust": 0.7,
        "url": "https://lists.apache.org/thread.html/ba79cf1658741e9f146e4c59b50aee56656ea95d841d358d006c18b6@%3ccommits.roller.apache.org%3e"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/1105515"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/1105509"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/1105479"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/1106577"
      },
      {
        "trust": 0.6,
        "url": "http://www.ibm.com/support/docview.wss?uid=ibm10874666"
      },
      {
        "trust": 0.6,
        "url": "https://fortiguard.com/psirt/fg-ir-18-013"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/docview.wss?uid=ibm10967469"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-a-cross-site-scripting-vulnerability-in-jquery-affects-ibm-infosphere-information-server/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159353/red-hat-security-advisory-2020-3936-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www-01.ibm.com/support/docview.wss?uid=ibm10878200"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-swagger-ui-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerabilites-affect-ibm-jazz-foundation-and-ibm-engineering-products-5/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.4294/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-cross-site-scripting-and-vulnerable-library-jquery-v1-11-1-affects-ibm-engineering-workflow-management/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-security-vulnerabilities-in-swagger-ui-affect-ibm-business-automation-workflow-and-ibm-business-process-manager-bpm-2/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.0465"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/156630/red-hat-security-advisory-2020-0729-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/78866"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/156941/red-hat-security-advisory-2020-0983-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/support/pages/node/1105497"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3875/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.1016/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.1519"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3902/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.0832/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/170821/red-hat-security-advisory-2023-0552-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2023.0585"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/159852/red-hat-security-advisory-2020-4847-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2021.2525"
      },
      {
        "trust": 0.6,
        "url": "http://www-01.ibm.com/support/docview.wss?uid=ibm10874666"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-10/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-8/"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-187-01"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2023.0583"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-qradar-analyst-workflow-add-on-to-ibm-qradar-siem-is-vulnerable-to-using-components-with-known-vulnerabilities-2/"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-multiple-vulnerability-issues-affect-ibm-spectrum-symphony-7-3-1/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/79122"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.0494/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/78794"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/156315/red-hat-security-advisory-2020-0481-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3267/"
      },
      {
        "trust": 0.6,
        "url": "https://us-cert.cisa.gov/ics/advisories/icsa-22-097-01"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.1076/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2020.3368/"
      },
      {
        "trust": 0.6,
        "url": "https://packetstormsecurity.com/files/170823/red-hat-security-advisory-2023-0553-01.html"
      },
      {
        "trust": 0.6,
        "url": "https://www.ibm.com/blogs/psirt/security-bulletin-ibm-security-guardium-is-affected-by-multiple-vulnerabilities-3/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2019.3165/"
      },
      {
        "trust": 0.6,
        "url": "https://www.auscert.org.au/bulletins/esb-2022.1512"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/team/contact/"
      },
      {
        "trust": 0.5,
        "url": "https://access.redhat.com/security/cve/cve-2015-9251"
      },
      {
        "trust": 0.5,
        "url": "https://bugzilla.redhat.com/):"
      },
      {
        "trust": 0.4,
        "url": "https://access.redhat.com/security/updates/classification/#important"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/team/key/"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14040"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2018-14040"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14042"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2020-11022"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2016-10735"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2019-11358"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2016-10735"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11022"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2019-8331"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/security/cve/cve-2018-14042"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-8331"
      },
      {
        "trust": 0.3,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11358"
      },
      {
        "trust": 0.3,
        "url": "https://access.redhat.com/articles/11258"
      },
      {
        "trust": 0.3,
        "url": "https://www.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-11023"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-40150"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-3143"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-42003"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_enterprise_application_platform/7.4/html-single/installation_guide/"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-42004"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-14041"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-40150"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-45047"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-18214"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-40152"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2022-40149"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-40149"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2020-11023"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-40152"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2018-14041"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2017-18214"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-45693"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-46364"
      },
      {
        "trust": 0.2,
        "url": "https://issues.jboss.org/):"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2022-3143"
      },
      {
        "trust": 0.2,
        "url": "https://listman.redhat.com/mailman/listinfo/rhsa-announce"
      },
      {
        "trust": 0.2,
        "url": "https://access.redhat.com/security/cve/cve-2019-10174"
      },
      {
        "trust": 0.2,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10174"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2023:0554"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2023:0553"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=jboss.amq.broker\u0026downloadtype=securitypatches\u0026version=6.3.0"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?product=jboss.fuse\u0026downloadtype=securitypatches\u0026version=6.3"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_jboss_fuse/6.3/html/release_notes/index"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/8.3_release_notes/"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2020-1722"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-20676"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2020-1722"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20676"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/updates/classification/#moderate"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-20677"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:4670"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-20677"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9513"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9514"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9517"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-10184"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14379"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9515"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-11771"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-5427"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9512"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9514"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-12422"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-3888"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9517"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9515"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-5929"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12422"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-14439"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9516"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9518"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-11272"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/documentation/en-us/red_hat_fuse/7.6/"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-17570"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3888"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-9513"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-17570"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/jbossnetwork/restricted/listsoftware.html?downloadtype=distributions\u0026product=jboss.fuse\u0026version=7.6.0"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2017-5929"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-11771"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-14439"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-3802"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12814"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9512"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-10184"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-12384"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2018-15756"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-5427"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2018-15756"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2017-16012"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-12384"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-11272"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9516"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-3802"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-12814"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2019-9518"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov/vuln/detail/cve-2017-16012"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/errata/rhsa-2020:0983"
      },
      {
        "trust": 0.1,
        "url": "https://access.redhat.com/security/cve/cve-2019-14379"
      }
    ],
    "sources": [
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "db": "BID",
        "id": "105658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "PACKETSTORM",
        "id": "170819"
      },
      {
        "db": "PACKETSTORM",
        "id": "170823"
      },
      {
        "db": "PACKETSTORM",
        "id": "156315"
      },
      {
        "db": "PACKETSTORM",
        "id": "159876"
      },
      {
        "db": "PACKETSTORM",
        "id": "156941"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "db": "BID",
        "id": "105658"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "db": "PACKETSTORM",
        "id": "170819"
      },
      {
        "db": "PACKETSTORM",
        "id": "170823"
      },
      {
        "db": "PACKETSTORM",
        "id": "156315"
      },
      {
        "db": "PACKETSTORM",
        "id": "159876"
      },
      {
        "db": "PACKETSTORM",
        "id": "156941"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2018-01-18T00:00:00",
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "date": "2018-01-18T00:00:00",
        "db": "BID",
        "id": "105658"
      },
      {
        "date": "2018-02-16T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "date": "2023-01-31T17:19:24",
        "db": "PACKETSTORM",
        "id": "170819"
      },
      {
        "date": "2023-01-31T17:26:38",
        "db": "PACKETSTORM",
        "id": "170823"
      },
      {
        "date": "2020-02-12T18:53:35",
        "db": "PACKETSTORM",
        "id": "156315"
      },
      {
        "date": "2020-11-04T15:32:52",
        "db": "PACKETSTORM",
        "id": "159876"
      },
      {
        "date": "2020-03-27T13:16:40",
        "db": "PACKETSTORM",
        "id": "156941"
      },
      {
        "date": "2018-01-22T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "date": "2018-01-18T23:29:00.307000",
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2021-01-08T00:00:00",
        "db": "VULHUB",
        "id": "VHN-87212"
      },
      {
        "date": "2019-07-17T07:00:00",
        "db": "BID",
        "id": "105658"
      },
      {
        "date": "2021-07-08T08:40:00",
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      },
      {
        "date": "2023-02-02T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      },
      {
        "date": "2024-11-21T02:40:09.093000",
        "db": "NVD",
        "id": "CVE-2015-9251"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      }
    ],
    "trust": 0.6
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "jQuery\u00a0 Cross-site Scripting Vulnerability",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2015-008097"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "xss",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "156315"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-201801-798"
      }
    ],
    "trust": 0.7
  }
}

var-202003-1776

Vulnerability from variot

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane. FasterXML jackson-databind Exists in an unreliable data deserialization vulnerability.Information is obtained, information is tampered with, and service operation is interrupted. (DoS) It may be put into a state. FasterXML Jackson is a data processing tool for Java developed by American FasterXML Company. jackson-databind is one of the components with data binding function. A code issue vulnerability exists in javax.swing.JEditorPane in versions 2.x prior to FasterXML jackson-databind 2.9.10.4. A remote attacker could exploit this vulnerability with specially crafted input to execute arbitrary code on the system. You must be logged in to download the update. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256

====================================================================
Red Hat Security Advisory

Synopsis: Important: Satellite 6.8 release Advisory ID: RHSA-2020:4366-01 Product: Red Hat Satellite 6 Advisory URL: https://access.redhat.com/errata/RHSA-2020:4366 Issue date: 2020-10-27 CVE Names: CVE-2018-3258 CVE-2018-11751 CVE-2019-12781 CVE-2019-16782 CVE-2020-5216 CVE-2020-5217 CVE-2020-5267 CVE-2020-7238 CVE-2020-7663 CVE-2020-7942 CVE-2020-7943 CVE-2020-8161 CVE-2020-8184 CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10693 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195 CVE-2020-14334 CVE-2020-14380 ==================================================================== 1. Summary:

An update is now available for Red Hat Satellite 6.8 for RHEL 7.

Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

1. Relevant releases/architectures:

Red Hat Satellite 6.7 - noarch, x86_64 Red Hat Satellite Capsule 6.8 - noarch, x86_64

1. Description:

Red Hat Satellite is a systems management tool for Linux-based infrastructure. It allows for provisioning, remote management, and monitoring of multiple Linux deployments with a single centralized tool.

Security Fix(es):

• mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) (CVE-2018-3258)
• netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling (CVE-2020-7238)
• rubygem-websocket-extensions: ReDoS vulnerability in Sec-WebSocket-Extensions parser (CVE-2020-7663)
• puppet: puppet server and puppetDB may leak sensitive information via metrics API (CVE-2020-7943)
• jackson-databind: multiple serialization gadgets (CVE-2020-8840 CVE-2020-9546 CVE-2020-9547 CVE-2020-9548 CVE-2020-10968 CVE-2020-10969 CVE-2020-11619 CVE-2020-14061 CVE-2020-14062 CVE-2020-14195)
• foreman: unauthorized cache read on RPM-based installations through local user (CVE-2020-14334)
• Satellite: Local user impersonation by Single sign-on (SSO) user leads to account takeover (CVE-2020-14380)
• Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS (CVE-2019-12781)
• rubygem-rack: hijack sessions by using timing attacks targeting the session id (CVE-2019-16782)
• rubygem-secure_headers: limited header injection when using dynamic overrides with user input (CVE-2020-5216)
• rubygem-secure_headers: directive injection when using dynamic overrides with user input (CVE-2020-5217)
• rubygem-actionview: views that use the j or escape_javascript methods are susceptible to XSS attacks (CVE-2020-5267)
• puppet: Arbitrary catalog retrieval (CVE-2020-7942)
• rubygem-rack: directory traversal in Rack::Directory (CVE-2020-8161)
• rubygem-rack: percent-encoded cookies can be used to overwrite existing prefixed cookie names (CVE-2020-8184)
• hibernate-validator: Improper input validation in the interpolation of constraint error messages (CVE-2020-10693)
• puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL (CVE-2018-11751)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Additional Changes:

• Provides the Satellite Ansible Modules that allow for full automation of your Satellite configuration and deployment.

• Adds ability to install Satellite and Capsules and manage hosts in a IPv6 network environment

• Ansible based Capsule Upgrade automation: Ability to centrally upgrade all of your Capsule servers with a single job execution.

• Platform upgrades to Postgres 12, Ansible 2.9, Ruby on Rails and latest version of Puppet

• Support for HTTP UEFI provisioning

• Support for CAC card authentication with Keycloak integration

• Add ability to upgrade Red Hat Enterprise Linux 7 hosts to version 8 using the LEAPP based tooling.

• Support for Red Hat Enterprise Linux Traces integration

• satellite-maintain & foreman-maintain are now self updating

• Notifications in the UI to warn users when subscriptions are expiring.

The items above are not a complete list of changes. This update also fixes several bugs and adds various enhancements. Documentation for these changes is available from the Release Notes document linked to in the References section.

1. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/11258

1. Bugs fixed (https://bugzilla.redhat.com/):

1160344 - [RFE] Satellite support for cname as alternate cname for satellite server 1261802 - [RFE] Make the foreman bootdisk full-host image work on UEFI systems 1300211 - capsule-certs-generate failed to increment release number when generating certificate rpm for foreman-proxy 1332702 - smart-proxy-openscap-send with additional features - alert if file corrupt 1398317 - For the vms built by Satellite 6 using "Network Based" installation mode on VMWare, unable to change the boot sequence via BIOS 1410616 - [RFE] Prominent notification of expiring subscriptions. 1410916 - Should only be able to add repositories you have access to 1429033 - Host provisioned with RHEL Workstation OS, after provisioning displayed as generic RedHat 7.3 1461781 - [RFE]A button should be available in the GUI to clear the recurring logics. 1469267 - need updated rubygem-rake 1486446 - Content view versions list has slow query for package count 1486696 - 'hammer host update' removes existing host parameters 1494180 - Sorting by network address for subnet doesn't work properly 1501499 - tomcat listens to 0.0.0.0 for serving requests but just needs localhost 1503037 - [RFE] Cancelled future/recurring job invocations should not get the status "failed" but rather "cancelled" 1505842 - Remote Execution engine: Error initializing command: Net::SSH::HostKeyMismatch - fingerprint 20:a9:b7:45:1a:b7:d6:42:1e:03:d1:1f:06:20:4c:e2 does not match for "172.17.0.101" 1531674 - Operating System Templates are ordered inconsistently in UI. 1537320 - [RFE] Support for Capsules at 1 version lower than Satellite 1543316 - Satellite 6.2 Upgrade Fails with error "rake aborted! NoMethodError: undefined method first' for nil:NilClass" when there are custom bookmarks created 1563270 - Sync status information is lost after cleaning up old tasks related to sync. 1569324 - Webrick is unable to use 2 supported TLS v1.2 ciphers ('ECDHE-RSA-AES128-GCM-SHA256', 'ECDHE-RSA-AES256-GCM-SHA384') 1571907 - Passenger threads throwing tracebacks on API jobs after spawning 1576859 - [RFE] Implement automatic assigning subnets through data provided by facter 1584184 - [RFE] The locked template is getting overridden by default 1601101 - [RFE] Add autofill functionality to the Job invocation Search query box, copy from Hosts search box 1607706 - [RFE] Add support for --vlanid in Satellite Kickstart Default provisioning template 1608001 - Rearrange search/filter options on Red Hat Repositories page. 1613391 - race condition on removing multiple organizations simultaneously 1619274 - [RFE] Red Hat Satellite should now be able to discover and provision bare metal machines via UEFI HTTP boot 1619422 - User Agent for Downstream RSS feed still says Foreman and Foreman Version 1620214 - Page should auto-refresh after subscriptions have been modified on the Satellite webui 1624049 - Changing the organization in the Satellite WebUI does not change the sync plan page information from the previous organization 1625258 - Having empty "Allocation (GB)" when creating a new Host, nil:NilClass returned on creating the Host 1627066 - Unable to revert to the original version of the provisioning template 1630433 - [RFE] Include Ansible Satellite modules with Ansible Core modules 1630536 - yum repos password stored as cleartext 1632577 - Audit log show 'missing' for adding/removing repository to a CV 1640615 - CVE-2018-3258 mysql-connector-java: Connector/J unspecified vulnerability (CPU October 2018) 1645062 - host_collection controller responds with 200 instead of 201 to a POST request 1645749 - repositories controller responds with 200 instead of 201 to a POST request 1647216 - Lack of edit_smart_proxies permission causes error when setting host to Build 1647364 - [RFE] Extend the audits by the http request id 1647781 - Audits contain no data (Added foo to Missing(ID: x)) 1651297 - Very slow query when using facts on user roles as filters 1653217 - [RFE] More evocative name for Play Ansible Roles option? 1654347 - Satellite may create duplicate CreateRssNotifications tasks after restarting foreman tasks 1654375 - [RFE] Mention specifically uder the admin chexbox for AD LDAP user if its created with admin role, 1659418 - katello-tracer-upload failing with error "ImportError: No module named katello" 1665277 - subscription manager register activation key with special character failed 1665893 - candlepin refuses to start or hangs periodically when having too many messages in ActiveMQ journal 1666693 - Command "hammer subscription list" is not correctly showing the comment "Guests of " in the "Type" field in the output. 1677907 - Ansible API endpoints return 404 1680157 - [RFE] Puppet 'package' provider type does not support selecting modularity streams 1680458 - Locked Report Templates are getting removed. 1680567 - Reporting Engine API to list report template per organization/location returns 404 error 1681619 - [RFE] Disable the option to enter a MAC address after selecting a compute resource while creating new hosts through Satellite 1685949 - [RFE] Support passing of attribute name instead of Id's in RHV workflow 1687116 - kernel version checks should not use /lib/modules to determine running version 1688886 - subscription-manager not attaching the right quantity per the cpu core 1691416 - Delays when many clients upload tracer data simultaneously 1697476 - [RFE] To be able to see the name of the provisioning template being used to build a host from the host itself 1702434 - foreman-bootloaders-redhat-tftpboot expected file permissions in package don't match runtime permissions 1705097 - An empty report file doesn't show any headers 1709557 - [RFE] warn the user if they have done a select all and it includes the restart|reboot service 1709842 - Tracer shows the machines needs rebooting even after reboot if kernel-debug is installed 1710511 - Filter by os_minor includes unexpected values on the Satellite web UI. 1715999 - Use Infoblox API for DNS conflict check and not system resolver 1716423 - Nonexistent quota can be set 1717403 - Broken breadcrumbs link to compute resource VM list on VM detail page 1718012 - [RFE] Add a hard limit of 100 items to restrict any fact child-hash/array 1718954 - [RFE] When the contentAccessMode is set to org_environment for an owner, we should disable auto-attach globally 1719509 - [RFE] "hammer host list" including erratas information 1719516 - [RFE] "hammer host-collection hosts" including erratas information 1720725 - [RFE] Ability to override DHCP options and wait_after_restart option for race condition 1721419 - SSH key cannot be added when FIPS enabled 1722954 - Slow performance when running "hammer host list" with a high number of Content Hosts (15k+ for example) 1723313 - foreman_tasks:cleanup description contain inconsistent information 1724494 - [Capsule][smart_proxy_dynflow_core] "PID file /var/run/foreman-proxy/smart_proxy_dynflow_core.pid not readable (yet?) after start" 1724497 - CVE-2019-12781 Django: Incorrect HTTP detection with reverse-proxy connecting via HTTPS 1726768 - [RFE] Red Hat Satellite 6 GUI, Tasks should show Full name 1729968 - Editing disk size of a Compute Profile for a VMware Compute Resource makes the whole Storage section disappear 1730083 - [RFE] Add Jobs button to host detail page 1731155 - Cloud init template missing snippet compared to Kickstart default user data 1731229 - podman search against Red Hat Satellite 6 fails. 1731235 - [RFE] Create Report Template to list inactive hosts 1733241 - [RFE] hammer does not inherit parent location information 1733650 - Satellite receives RPM1004 pulp error and 403 Forbidden http error retrieving packages from CDN 1736809 - undefined methodsplit' for nil:NilClass when viewing the host info with hammer 1737135 - Content Hosts loses subscriptions after Vmotion and auto attach is unable to assigned the subscriptions if any other subscription is already attached to the host. 1737564 - [RFE] Support custom images on Azure 1738548 - Parameter --openscap-proxy-id is missing in hammer host create command. 1740943 - Increasing Ansible verbosity level does not increase the verbosity of output 1743056 - While creating a host for a particular location, all the domains are in the pull down list, even if only one domain is selected for that location. 1743776 - Error while deleting the content view version. 1745516 - Multiple duplicate index entries are present in candlepin database 1746936 - satellite6 is not using remote execution by default even after setting remote execution by default from satellite web-UI. 1749692 - Default Rhel8 scap content does not get populated on the Satellite 1749916 - [RFE] Satellite should support certificates with > 2048 Key size 1751981 - Parent object properties are not propagated to Child objects in Location and Host Group 1752880 - katello-host-tools-tracer stats paths abusively, leading to a hang or slowness of yum command 1753551 - Traces output from Satellite GUI has mismatches with client tracer output 1756991 - 2 inputs with same name -> uninitialized constant #::NonUniqueInputsError 1757317 - [RFE] Dynflow workers extraction 1757394 - [BUG] Non-admin users always get "Missing one of the required permissions" message while accessing their own table_preferences via Satellite 6 API 1759160 - Rake task for cleaning up DHCP records on proxy 1761872 - Disabled buttons are still working 1763178 - [RFE] Unnecessary call to userhelp and therefore log entries 1763816 - [RFE] Report which users access the API 1766613 - Fact search bar broken and resets to only searching hostname 1766906 - Associating more than 10 Ansible roles to a Host only sets based on the per-page setting 1767497 - Compute Resource filter does not correctly allow Refresh Cache 1767635 - [RFE] Enable Organization and Location to be entered not just selected 1770366 - [RFE] Improve upgrade efficiency by moving RPM post-installation scripts to the installer. 1770544 - Puppet run job notification do not populate "%{puppet_options}"' value 1770777 - Changing concurrency level while executing Ansible jobs fail with NoMethodError: undefined method []' for nil:NilClass 1771367 - undefined methodrequest_uri' when Openidc Provider Token Endpoint is none 1771428 - Openscap documentation link on Satellite 6 webui is broke 1771484 - Client side documentation links are not branded 1771693 - 'Deployed on' parameter is not listed in API output 1772381 - Incorrect example to use multiple attributes as a matcher key in the tooltip for Order 1772517 - login with the user name as same as existing user group gives 500 ISE and wont allow user to login again 1772544 - Use APIv4 is not the default when creating a new compute resource in ovirt 1773298 - GET /katello/api/srpms/compare always fails with error: Missing template katello/api/v2/common/compare 1774710 - UI: When selecting the server type in ldap authentication, "attribute mappings" fields could be populated automatically 1778396 - exporting/importing report template process is causing a different report during the visualization (blank lines) 1778503 - Prepended text on OS name creation 1778681 - Some pages are missing title in html head 1779638 - Unable to filter/search http-proxies using Organization/Location for Satellite UI. 1781671 - While using concurrency_level in remote execution, job progress in WebUI is not being updated properly 1782352 - [RHEL 8.1 client] All packages are not getting updated after click on "Update All Packages" 1782426 - Viewing errata from a repository returns incorrect unfiltered results 1783568 - [RFE] - Bulk Tracer Remediation 1783882 - Ldap refresh failed with "Validation failed: Adding would cause a cycle!" 1784012 - Default kickstart places log to /mnt/sysimage/root/install.post.log 1784341 - disable CertificateRevocationListTask job in candlepin.conf by default 1785117 - [RFE] Add functionality in foreman logging to hash-out or mark as [FILTERED] the password in /var/log/foreman-maintain/foreman-maintain.log and /var/log/foreman-installer/satellite.log file 1785231 - Ansible Variable override to false does not gets reflected on client machine on Red Hat Satellite 6. 1785624 - [UI] Importing templates with associate 'never' is not resulting as expected 1785683 - Does not load datacenter when multiple compute resources are created for same VCenter 1785902 - Ansible RunHostJob tasks failed with "Failed to initialize: NoMethodError - undefined method []' for nil:NilClass" 1785940 - [RFE] Reporting template should allow host filtering based on applicable errata issue date 1787329 - change filename in initrd live CPIO archive to fdi.iso 1788261 - CVE-2018-11751 puppet-agent: Puppet Agent does not properly verify SSL connection when downloading a CRL 1788958 - [RFE] add "elapsed time" column to export and hammer, make it filterable in WebUI 1789006 - Smart proxy dynflow core listens on 0.0.0.0 1789100 - CVE-2019-16782 rubygem-rack: hijack sessions by using timing attacks targeting the session id 1789434 - Template editor not always allows refreshing of the preview pane 1789522 - On unhealthy Satellite, dynflow_envelopes table might grow indefinitely 1789686 - Non-admin user with enough permissions can't generate report of applicable errata 1789815 - The "start" parameter should be mentioned inside "--compute-attributes:" in hammer_cli for Satellite 6 1789911 - "foreman-rake katello:publish_unpublished_repositories" is referring to column which no longer exists in katello_repositories table. 1789924 - [RFE] As user I want to see a "disabled" status for Simple Content Access (Golden Ticketed) Orgs 1791654 - drop config_templates api endpoints and parameters 1791656 - drop deprecated host status endpoint 1791658 - drop reports api endpoint 1791659 - Removeuse_puppet_defaultapi params 1791663 - remove deprecated permissions api parameters 1791665 - drop deprecated compute resource uuid parameter 1792131 - [UI] Could not specify organization/location for users that come from keycloak 1792135 - Not able to login again if session expired from keycloak 1792174 - [RFE] Subscription report template 1792304 - When generating custom report, leave output format field empty 1792378 - [RFE] Long role names are cut off in the roles UI 1793951 - [RFE] Display request UUID on audits page 1794015 - When using boot disk based provisioning, sometimes foreman tries to recreate folder foreman_isos in the datastore even when the folder already exists 1794346 - Change the label for the flashing eye icon during user impersonation 1794641 - Sync status page's content are not being displayed properly. 1795809 - HTML tags visible on paused task page 1796155 - [RFE] host_collections not available in reporting engine unless safe mode disabled 1796205 - iso upload: correctly check if upload directory exists 1796225 - CVE-2020-7238 netty: HTTP Request Smuggling due to Transfer-Encoding whitespace mishandling 1796259 - loading subscriptions page is very slow 1796697 - Unable to list/enable EUS repositories on the RHEL clients registered in the satellite server with org_environment contentAccessMode 1798489 - [RHSSO] - If Access Token Lifespan is set to 5 mins then the user is getting sign out instead after idle SSO timeout 1798668 - Configure default MongoDB WiredTiger cache to be 20% of RAM in the Satellite server 1799480 - CLI - hammer repository info shows blank sync status if the repository sync is in warning/error state. 1800503 - In Hammer, it is not possible to set default keyboard layout for a RHEV host 1801264 - CVE-2020-5217 rubygem-secure_headers: directive injection when using dynamic overrides with user input 1801286 - CVE-2020-5216 rubygem-secure_headers: limited header injection when using dynamic overrides with user input 1802529 - Repository sync in tasks page shows percentage in 17 decimal points 1802631 - Importing Ansible variables yields NoMethodError: undefined methodmap' for nil:NilClass (initialize_variables) [variables_importer.rb] 1803846 - Red Hat Insights Risk Summary shows systems at risk while there are none 1804496 - While performing bulk actions, unable to select all tasks under Monitor --> Tasks page. 1804651 - Missing information about "Create Capsule" via webUI 1805501 - CVE-2020-10693 hibernate-validator: Improper input validation in the interpolation of constraint error messages 1805727 - Default Custom Repository download policy setting refers to old name (Default Repository download policy) in satellite 6.7 1806713 - hypervisor checkin fails with cp_consumer_hypervisor_ukey error 1806842 - Disabling dynflow_enable_console from setting should hide "Dynflow console" in Tasks 1806897 - Red Hat Inventory Uploads fail with NoMethodError: undefined method mtu' 1807042 - [RFE] Support additional disks for VM on Azure Compute Resource 1807321 - A non-admin users with view recurring_logics permissions are unable to list recurring logics. 1807829 - Generated inventory file doesn't exist 1807946 - Multiple duplicate index entries are present in foreman database 1808843 - Satellite lists unrelated RHV storage domains using v4 API 1810250 - Unable to delete repository - Content with ID could not be found 1810549 - dropping packets to qdrouterd triggers a memory leak in qpid-proton 0.28.0-2 libraries used by goferd 1810774 - Applying errata via Host Collection the errata are trying to be applied to all hosts associated with the host collection 1811390 - Links to an errata list of a repository lack repositoryId in URI and points to generic "errata" page instead 1812031 - Improve regenerate applicability tasks performance by querying NEVRA only data from repo_content_units 1812858 - Satellite Inventory Plugin does not appear to make reports which match yupana's API specification 1812904 - 'Hypervisors' task fails with 'undefined method[]' for nil:NilClass' error 1813005 - Prevent --tuning option to be applied in Capsule servers 1813313 - [Tracker] Test HTTP UEFI on IPv6 (QA only tracker) 1814095 - Applicable errata not showing up for module stream errata 1815104 - Locked provisioning template should not be allowed to add audit comment 1815135 - hammer does not support description for custom repositories 1815146 - Backslash escapes when downloading a JSON-formatted report multiple times 1815608 - Content Hosts has Access to Content View from Different Organization 1816330 - CVE-2020-8840 jackson-databind: Lacks certain xbean-reflect/JNDI blocking 1816332 - CVE-2020-9546 jackson-databind: Serialization gadgets in shaded-hikari-config 1816337 - CVE-2020-9547 jackson-databind: Serialization gadgets in ibatis-sqlmap 1816340 - CVE-2020-9548 jackson-databind: Serialization gadgets in anteros-core 1816699 - Satellite Receptor Installer role can miss accounts under certain conditions 1816720 - CVE-2020-7942 puppet: Arbitrary catalog retrieval 1816853 - Report generated by Red Hat Inventory Uploads is empty. 1817215 - Admin must be able to provide all the client ids involved inside Satellite settings. 1817224 - Loading one org's content view when switching to a different org 1817481 - Plugin does not set page