cvelistv5 - cve-2009-0993

CVE-2009-0993 (GCVE-0-2009-0993)

Vulnerability from cvelistv5

Published

2009-04-15 10:00

Modified

2024-08-07 04:57

Severity ?

CWE

Summary

References

URL

	Vendor	Product	Version
	n/a	n/a	Version: n/a

ghsa-vqv6-r48r-39m7

Vulnerability from github

Published

2022-05-02 03:20

Modified

2022-05-02 03:20

Details

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2009-0993"
  ],
  "database_specific": {
    "cwe_ids": [],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2009-04-15T10:30:00Z",
    "severity": "HIGH"
  },
  "details": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log.",
  "id": "GHSA-vqv6-r48r-39m7",
  "modified": "2022-05-02T03:20:39Z",
  "published": "2022-05-02T03:20:39Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2009-0993"
    },
    {
      "type": "WEB",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"
    },
    {
      "type": "WEB",
      "url": "http://secunia.com/advisories/34693"
    },
    {
      "type": "WEB",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"
    },
    {
      "type": "WEB",
      "url": "http://www.securityfocus.com/bid/34461"
    },
    {
      "type": "WEB",
      "url": "http://www.securitytracker.com/id?1022055"
    },
    {
      "type": "WEB",
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"
    },
    {
      "type": "WEB",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"
    }
  ],
  "schema_version": "1.4.0",
  "severity": []
}

fkie_cve-2009-0993

Vulnerability from fkie_nvd

Published

2009-04-15 10:30

Modified

2025-04-09 00:30

Severity ?

Summary

References

URL	Tags
secalert_us@oracle.com	http://secunia.com/advisories/34693
secalert_us@oracle.com	http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
secalert_us@oracle.com	http://www.securityfocus.com/archive/1/502683/100/0/threaded
secalert_us@oracle.com	http://www.securityfocus.com/bid/34461
secalert_us@oracle.com	http://www.securitytracker.com/id?1022055
secalert_us@oracle.com	http://www.us-cert.gov/cas/techalerts/TA09-105A.html	US Government Resource
secalert_us@oracle.com	http://www.zerodayinitiative.com/advisories/ZDI-09-017
secalert_us@oracle.com	https://exchange.xforce.ibmcloud.com/vulnerabilities/50030
af854a3a-2127-422b-91ae-364da2661108	http://secunia.com/advisories/34693
af854a3a-2127-422b-91ae-364da2661108	http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/archive/1/502683/100/0/threaded
af854a3a-2127-422b-91ae-364da2661108	http://www.securityfocus.com/bid/34461
af854a3a-2127-422b-91ae-364da2661108	http://www.securitytracker.com/id?1022055
af854a3a-2127-422b-91ae-364da2661108	http://www.us-cert.gov/cas/techalerts/TA09-105A.html	US Government Resource
af854a3a-2127-422b-91ae-364da2661108	http://www.zerodayinitiative.com/advisories/ZDI-09-017
af854a3a-2127-422b-91ae-364da2661108	https://exchange.xforce.ibmcloud.com/vulnerabilities/50030

Impacted products

	Vendor	Product	Version
	oracle	application_server	10.1.2.3.0

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:oracle:application_server:10.1.2.3.0:*:*:*:*:*:*:*",
              "matchCriteriaId": "415018EB-2D62-49B5-BBBE-E8276400A1BB",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log."
    },
    {
      "lang": "es",
      "value": "Vulnerabilidad sin especificar en el componente OPMN en Oracle Application Server v10.1.2.3 permite a atacantes remotos afectar a la confidencialidad, la disponibilidad, y la integridad a trav\u00e9s de vectores desconocidos."
    }
  ],
  "id": "CVE-2009-0993",
  "lastModified": "2025-04-09T00:30:58.490",
  "metrics": {
    "cvssMetricV2": [
      {
        "acInsufInfo": false,
        "baseSeverity": "HIGH",
        "cvssData": {
          "accessComplexity": "LOW",
          "accessVector": "NETWORK",
          "authentication": "NONE",
          "availabilityImpact": "PARTIAL",
          "baseScore": 7.5,
          "confidentialityImpact": "PARTIAL",
          "integrityImpact": "PARTIAL",
          "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
          "version": "2.0"
        },
        "exploitabilityScore": 10.0,
        "impactScore": 6.4,
        "obtainAllPrivilege": false,
        "obtainOtherPrivilege": false,
        "obtainUserPrivilege": false,
        "source": "nvd@nist.gov",
        "type": "Primary",
        "userInteractionRequired": false
      }
    ]
  },
  "published": "2009-04-15T10:30:00.687",
  "references": [
    {
      "source": "secalert_us@oracle.com",
      "url": "http://secunia.com/advisories/34693"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.securityfocus.com/bid/34461"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.securitytracker.com/id?1022055"
    },
    {
      "source": "secalert_us@oracle.com",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"
    },
    {
      "source": "secalert_us@oracle.com",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://secunia.com/advisories/34693"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securityfocus.com/bid/34461"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.securitytracker.com/id?1022055"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "tags": [
        "US Government Resource"
      ],
      "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"
    }
  ],
  "sourceIdentifier": "secalert_us@oracle.com",
  "vulnStatus": "Deferred",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "NVD-CWE-noinfo"
        }
      ],
      "source": "nvd@nist.gov",
      "type": "Primary"
    }
  ]
}

gsd-2009-0993

Vulnerability from gsd

Modified

2023-12-13 01:19

Details

Aliases

CVE-2009-0993

Aliases

CVE-2009-0993

JSON

To clipboard

{
  "GSD": {
    "alias": "CVE-2009-0993",
    "description": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log.",
    "id": "GSD-2009-0993"
  },
  "gsd": {
    "metadata": {
      "exploitCode": "unknown",
      "remediation": "unknown",
      "reportConfidence": "confirmed",
      "type": "vulnerability"
    },
    "osvSchema": {
      "aliases": [
        "CVE-2009-0993"
      ],
      "details": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log.",
      "id": "GSD-2009-0993",
      "modified": "2023-12-13T01:19:44.238522Z",
      "schema_version": "1.4.0"
    }
  },
  "namespaces": {
    "cve.org": {
      "CVE_data_meta": {
        "ASSIGNER": "secalert_us@oracle.com",
        "ID": "CVE-2009-0993",
        "STATE": "PUBLIC"
      },
      "affects": {
        "vendor": {
          "vendor_data": [
            {
              "product": {
                "product_data": [
                  {
                    "product_name": "n/a",
                    "version": {
                      "version_data": [
                        {
                          "version_value": "n/a"
                        }
                      ]
                    }
                  }
                ]
              },
              "vendor_name": "n/a"
            }
          ]
        }
      },
      "data_format": "MITRE",
      "data_type": "CVE",
      "data_version": "4.0",
      "description": {
        "description_data": [
          {
            "lang": "eng",
            "value": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log."
          }
        ]
      },
      "problemtype": {
        "problemtype_data": [
          {
            "description": [
              {
                "lang": "eng",
                "value": "n/a"
              }
            ]
          }
        ]
      },
      "references": {
        "reference_data": [
          {
            "name": "1022055",
            "refsource": "SECTRACK",
            "url": "http://www.securitytracker.com/id?1022055"
          },
          {
            "name": "34461",
            "refsource": "BID",
            "url": "http://www.securityfocus.com/bid/34461"
          },
          {
            "name": "34693",
            "refsource": "SECUNIA",
            "url": "http://secunia.com/advisories/34693"
          },
          {
            "name": "TA09-105A",
            "refsource": "CERT",
            "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"
          },
          {
            "name": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html",
            "refsource": "CONFIRM",
            "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
          },
          {
            "name": "http://www.zerodayinitiative.com/advisories/ZDI-09-017",
            "refsource": "MISC",
            "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"
          },
          {
            "name": "oracle-appserver-opmn-unspecified(50030)",
            "refsource": "XF",
            "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"
          },
          {
            "name": "20090414 ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability",
            "refsource": "BUGTRAQ",
            "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"
          }
        ]
      }
    },
    "nvd.nist.gov": {
      "configurations": {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "children": [],
            "cpe_match": [
              {
                "cpe23Uri": "cpe:2.3:a:oracle:application_server:10.1.2.3.0:*:*:*:*:*:*:*",
                "cpe_name": [],
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      },
      "cve": {
        "CVE_data_meta": {
          "ASSIGNER": "secalert_us@oracle.com",
          "ID": "CVE-2009-0993"
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "en",
              "value": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "en",
                  "value": "NVD-CWE-noinfo"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "1022055",
              "refsource": "SECTRACK",
              "tags": [],
              "url": "http://www.securitytracker.com/id?1022055"
            },
            {
              "name": "34693",
              "refsource": "SECUNIA",
              "tags": [],
              "url": "http://secunia.com/advisories/34693"
            },
            {
              "name": "TA09-105A",
              "refsource": "CERT",
              "tags": [
                "US Government Resource"
              ],
              "url": "http://www.us-cert.gov/cas/techalerts/TA09-105A.html"
            },
            {
              "name": "http://www.zerodayinitiative.com/advisories/ZDI-09-017",
              "refsource": "MISC",
              "tags": [],
              "url": "http://www.zerodayinitiative.com/advisories/ZDI-09-017"
            },
            {
              "name": "34461",
              "refsource": "BID",
              "tags": [],
              "url": "http://www.securityfocus.com/bid/34461"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html",
              "refsource": "CONFIRM",
              "tags": [],
              "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
            },
            {
              "name": "oracle-appserver-opmn-unspecified(50030)",
              "refsource": "XF",
              "tags": [],
              "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"
            },
            {
              "name": "20090414 ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability",
              "refsource": "BUGTRAQ",
              "tags": [],
              "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"
            }
          ]
        }
      },
      "impact": {
        "baseMetricV2": {
          "cvssV2": {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "integrityImpact": "PARTIAL",
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          },
          "exploitabilityScore": 10.0,
          "impactScore": 6.4,
          "obtainAllPrivilege": false,
          "obtainOtherPrivilege": false,
          "obtainUserPrivilege": false,
          "severity": "HIGH",
          "userInteractionRequired": false
        }
      },
      "lastModifiedDate": "2021-07-13T17:54Z",
      "publishedDate": "2009-04-15T10:30Z"
    }
  }
}

Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Oracle Process Manager and Notification (opmn) daemon which is an HTTP daemon listening on a TCP port above 6000. Exploitation of this issue can result in arbitrary code execution. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. ----------------------------------------------------------------------

Are you missing:

SECUNIA ADVISORY ID:

Critical:

Impact:

Where:

within the advisory below?

This is now part of the Secunia commercial solutions.

For more information see vulnerability #6 through #9 in: SA34693

SOLUTION: The vendor recommends to delete the GdFileConv.exe file. See vendor's advisory for additional details.

Fixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability http://www.zerodayinitiative.com/advisories/ZDI-09-017 April 14, 2009

-- Affected Vendors: Oracle

-- Affected Products: Oracle Application Server

-- TippingPoint(TM) IPS Customer Protection: TippingPoint IPS customers have been protected against this vulnerability by Digital Vaccine protection filter ID 5729. Authentication is not required to exploit this vulnerability. More details can be found at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpua pr2009.html

-- Disclosure Timeline: 2007-11-07 - Vulnerability reported to vendor 2009-04-14 - Coordinated public release of advisory

-- Credit: This vulnerability was discovered by: * Joxean Koret

-- About the Zero Day Initiative (ZDI): Established by TippingPoint, The Zero Day Initiative (ZDI) represents a best-of-breed model for rewarding security researchers for responsibly disclosing discovered vulnerabilities.

Researchers interested in getting paid for their security research through the ZDI can find more information and sign-up at:

http://www.zerodayinitiative.com

The ZDI is unique in how the acquired vulnerability information is used. TippingPoint does not re-sell the vulnerability details or any exploit code. Instead, upon notifying the affected product vendor, TippingPoint provides its customers with zero day protection through its intrusion prevention technology. Explicit details regarding the specifics of the vulnerability are not exposed to any parties until an official vendor patch is publicly available. Furthermore, with the altruistic aim of helping to secure a broader user base, TippingPoint provides this vulnerability information confidentially to security vendors (including competitors) who have a vulnerability protection or mitigation product.

Our vulnerability disclosure policy is available online at:

http://www.zerodayinitiative.com/advisories/disclosure_policy/

I. Description

The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components.

Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information.

III. Solution

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed.

IV. References

Oracle Critical Patch Update Advisory - April 2009 - http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Critical Patch Updates and Security Alerts - http://www.oracle.com/technology/deploy/security/alerts.htm
Map of Public Vulnerability to Advisory/Alert - http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html

The most recent version of this document can be found at:

 <http://www.us-cert.gov/cas/techalerts/TA09-105A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to cert@cert.org with "TA09-105A Feedback VU#955892" in the subject.

For instructions on subscribing to or unsubscribing from this mailing list, visit http://www.us-cert.gov/cas/signup.html.

Produced 2009 by US-CERT, a government organization.

 <http://www.us-cert.gov/legal.html>

Revision History

April 15, 2009: Initial release

-----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE----- . ----------------------------------------------------------------------

Secunia is pleased to announce the release of the annual Secunia report for 2008. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks or disclose sensitive information, and by malicious people compromise a vulnerable system.

2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER".

The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available.

PROVIDED AND/OR DISCOVERED BY: 1) Joxean Koret of TippingPoint 2, 3) Alexander Kornbrust of Red Database Security

The vendor also credits: * Joshua J. Drake of iDefense * Gerhard Eschelbeck of Qualys, Inc. * Esteban Martinez Fayo of Application Security, Inc. * Franz Huell of Red Database Security; * Mike Janowski of Neohapsis, Inc. * Joxean Koret * David Litchfield of NGS Software * Tanel Poder * Sven Vetter of Trivadis * Dennis Yurichev

ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

ZDI: http://www.zerodayinitiative.com/advisories/ZDI-09-017/

Red Database Security: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html http://www.red-database-security.com/advisory/apex_password_hashes.html

About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities.

Subscribe: http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.) http://secunia.com/advisories/about_secunia_advisories/

Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor.

Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Show details on source website

JSON

To clipboard

{
  "@context": {
    "@vocab": "https://www.variotdbs.pl/ref/VARIoTentry#",
    "affected_products": {
      "@id": "https://www.variotdbs.pl/ref/affected_products"
    },
    "configurations": {
      "@id": "https://www.variotdbs.pl/ref/configurations"
    },
    "credits": {
      "@id": "https://www.variotdbs.pl/ref/credits"
    },
    "cvss": {
      "@id": "https://www.variotdbs.pl/ref/cvss/"
    },
    "description": {
      "@id": "https://www.variotdbs.pl/ref/description/"
    },
    "exploit_availability": {
      "@id": "https://www.variotdbs.pl/ref/exploit_availability/"
    },
    "external_ids": {
      "@id": "https://www.variotdbs.pl/ref/external_ids/"
    },
    "iot": {
      "@id": "https://www.variotdbs.pl/ref/iot/"
    },
    "iot_taxonomy": {
      "@id": "https://www.variotdbs.pl/ref/iot_taxonomy/"
    },
    "patch": {
      "@id": "https://www.variotdbs.pl/ref/patch/"
    },
    "problemtype_data": {
      "@id": "https://www.variotdbs.pl/ref/problemtype_data/"
    },
    "references": {
      "@id": "https://www.variotdbs.pl/ref/references/"
    },
    "sources": {
      "@id": "https://www.variotdbs.pl/ref/sources/"
    },
    "sources_release_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_release_date/"
    },
    "sources_update_date": {
      "@id": "https://www.variotdbs.pl/ref/sources_update_date/"
    },
    "threat_type": {
      "@id": "https://www.variotdbs.pl/ref/threat_type/"
    },
    "title": {
      "@id": "https://www.variotdbs.pl/ref/title/"
    },
    "type": {
      "@id": "https://www.variotdbs.pl/ref/type/"
    }
  },
  "@id": "https://www.variotdbs.pl/vuln/VAR-200904-0278",
  "affected_products": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/affected_products#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "model": "application server",
        "scope": "eq",
        "trust": 1.0,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "application server",
        "scope": "eq",
        "trust": 0.8,
        "vendor": "oracle",
        "version": "10.1.2.3"
      },
      {
        "model": "application server",
        "scope": null,
        "trust": 0.7,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "application server 10g",
        "scope": "eq",
        "trust": 0.6,
        "vendor": "oracle",
        "version": "10.1.2.3"
      },
      {
        "model": "jrockit r27.1.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "5.6.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.01"
      },
      {
        "model": "systems weblogic portal sp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle9i personal edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "peoplesoft enterprise peopletools",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.49"
      },
      {
        "model": "oracle11g standard edition one",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "data service integrator",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.3"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2.1"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2.3.0"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0"
      },
      {
        "model": "oracle9i enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.06"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.0.1"
      },
      {
        "model": "systems weblogic portal sp6",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "xml publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.2"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.11"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.13"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.04"
      },
      {
        "model": "oracle11g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.1.0.7"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.1"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "jrockit r27.6.2",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.07"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp2",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "systems weblogic portal sp5",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g application server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.3"
      },
      {
        "model": "systems weblogic portal sp3",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "systems weblogic portal",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.1"
      },
      {
        "model": "systems weblogic server maintenance pack",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "oracle9i standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.13"
      },
      {
        "model": "oracle9i standard edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "oracle10g enterprise edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "oracle9i enterprise edition .8dv",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2"
      },
      {
        "model": "oracle10g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.5"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.1"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.0"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.3.2"
      },
      {
        "model": "e-business suite 11i",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.5.10.2"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.12"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.15"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.05"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.16"
      },
      {
        "model": "systems weblogic server mp1",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "10.0"
      },
      {
        "model": "peoplesoft enterprise hrms",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.9"
      },
      {
        "model": "audit vault",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.3"
      },
      {
        "model": "jrockit r27.6.0",
        "scope": null,
        "trust": 0.3,
        "vendor": "oracle",
        "version": null
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.02"
      },
      {
        "model": "systems weblogic portal sp4",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.1"
      },
      {
        "model": "bi publisher",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.1.3.4"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "8.12"
      },
      {
        "model": "weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.3"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.11"
      },
      {
        "model": "e-business suite",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "12.0.6"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.3"
      },
      {
        "model": "oracle10g personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "10.2.0.4"
      },
      {
        "model": "oracle9i personal edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "9.2.8"
      },
      {
        "model": "oracle11g standard edition",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "11.16"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0.0.14"
      },
      {
        "model": "systems weblogic server sp",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.03"
      },
      {
        "model": "systems weblogic server sp7",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "7.0"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.2"
      },
      {
        "model": "outside in sdk html export",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "8.2.2"
      },
      {
        "model": "aqualogic data services platform",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "oracle",
        "version": "3.2"
      },
      {
        "model": "systems weblogic server",
        "scope": "eq",
        "trust": 0.3,
        "vendor": "bea",
        "version": "9.0"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "configurations": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/configurations#",
      "children": {
        "@container": "@list"
      },
      "cpe_match": {
        "@container": "@list"
      },
      "data": {
        "@container": "@list"
      },
      "nodes": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "CVE_data_version": "4.0",
        "nodes": [
          {
            "cpe_match": [
              {
                "cpe22Uri": "cpe:/a:oracle:application_server",
                "vulnerable": true
              }
            ],
            "operator": "OR"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      }
    ]
  },
  "credits": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/credits#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Joxean Koret",
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      }
    ],
    "trust": 0.7
  },
  "cve": "CVE-2009-0993",
  "cvss": {
    "@context": {
      "cvssV2": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV2#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV2"
      },
      "cvssV3": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/cvss/cvssV3#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/cvssV3/"
      },
      "severity": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/cvss/severity#"
        },
        "@id": "https://www.variotdbs.pl/ref/cvss/severity"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        },
        "@id": "https://www.variotdbs.pl/ref/sources"
      }
    },
    "data": [
      {
        "cvssV2": [
          {
            "accessComplexity": "LOW",
            "accessVector": "NETWORK",
            "authentication": "NONE",
            "author": "nvd@nist.gov",
            "availabilityImpact": "PARTIAL",
            "baseScore": 7.5,
            "confidentialityImpact": "PARTIAL",
            "exploitabilityScore": 10.0,
            "id": "CVE-2009-0993",
            "impactScore": 6.4,
            "integrityImpact": "PARTIAL",
            "severity": "HIGH",
            "trust": 1.9,
            "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P",
            "version": "2.0"
          }
        ],
        "cvssV3": [],
        "severity": [
          {
            "author": "nvd@nist.gov",
            "id": "CVE-2009-0993",
            "trust": 1.0,
            "value": "HIGH"
          },
          {
            "author": "NVD",
            "id": "CVE-2009-0993",
            "trust": 0.8,
            "value": "High"
          },
          {
            "author": "CNNVD",
            "id": "CNNVD-200904-311",
            "trust": 0.6,
            "value": "HIGH"
          },
          {
            "author": "VULMON",
            "id": "CVE-2009-0993",
            "trust": 0.1,
            "value": "HIGH"
          }
        ]
      }
    ],
    "sources": [
      {
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "description": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/description#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information was obtained from the April 2009 CPU.  Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log. Authentication is not required to exploit this vulnerability.The specific flaw exists within the Oracle Process Manager and Notification (opmn) daemon which is an HTTP daemon listening on a TCP port above 6000. Exploitation of this issue can result in arbitrary code execution. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software:\nOracle Database\nOracle Audit Vault\nOracle Application Server\nOracle Outside In SDK HTML Export\nOracle XML Publisher\nOracle BI Publisher\nOracle E-Business Suite\nPeopleSoft Enterprise PeopleTools\nPeopleSoft Enterprise HRMS\nOracle WebLogic Server (formerly BEA WebLogic Server)\nOracle Data Service Integrator\nOracle AquaLogic Data Services Platform\nOracle JRockit. ----------------------------------------------------------------------\n\nAre you missing:\n\nSECUNIA ADVISORY ID:\n\nCritical:\n\nImpact:\n\nWhere:\n\nwithin the advisory below?\n\nThis is now part of the Secunia commercial solutions. \n\nFor more information see vulnerability #6 through #9 in:\nSA34693\n\nSOLUTION:\nThe vendor recommends to delete the GdFileConv.exe file. See vendor\u0027s\nadvisory for additional details. \n\nFixed in Good Messaging Server for Exchange 5.0.4.53 and 6.0.0.125. ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-017\nApril 14, 2009\n\n-- Affected Vendors:\nOracle\n\n-- Affected Products:\nOracle Application Server\n\n-- TippingPoint(TM) IPS Customer Protection:\nTippingPoint IPS customers have been protected against this\nvulnerability by Digital Vaccine protection filter ID 5729. Authentication\nis not required to exploit this vulnerability. More\ndetails can be found at:\n\nhttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpua\npr2009.html\n\n-- Disclosure Timeline:\n2007-11-07 - Vulnerability reported to vendor\n2009-04-14 - Coordinated public release of advisory\n\n-- Credit:\nThis vulnerability was discovered by:\n    * Joxean Koret\n\n-- About the Zero Day Initiative (ZDI):\nEstablished by TippingPoint, The Zero Day Initiative (ZDI) represents\na best-of-breed model for rewarding security researchers for responsibly\ndisclosing discovered vulnerabilities. \n\nResearchers interested in getting paid for their security research\nthrough the ZDI can find more information and sign-up at:\n\n    http://www.zerodayinitiative.com\n\nThe ZDI is unique in how the acquired vulnerability information is\nused. TippingPoint does not re-sell the vulnerability details or any\nexploit code. Instead, upon notifying the affected product vendor,\nTippingPoint provides its customers with zero day protection through\nits intrusion prevention technology. Explicit details regarding the\nspecifics of the vulnerability are not exposed to any parties until\nan official vendor patch is publicly available. Furthermore, with the\naltruistic aim of helping to secure a broader user base, TippingPoint\nprovides this vulnerability information confidentially to security\nvendors (including competitors) who have a vulnerability protection or\nmitigation product. \n\nOur vulnerability disclosure policy is available online at:\n\n    http://www.zerodayinitiative.com/advisories/disclosure_policy/\n. \n\n\nI. Description\n\n   The Oracle Critical Patch Update Advisory - April 2009 addresses 43\n   vulnerabilities in various Oracle products and components. \n   \n   Oracle has associated CVE identifiers with the vulnerabilities\n   addressed in this Critical Patch Update. If significant additional\n   details about vulnerabilities and remediation techniques become\n   available, we will update the Vulnerability Notes Database. \n\n\nII. Impact\n\n   The impact of these vulnerabilities varies depending on the\n   product, component, and configuration of the system. Vulnerable\n   components may be available to unauthenticated, remote attackers. \n   An attacker who compromises an Oracle database may be able to\n   access sensitive information. \n\n\nIII. Solution\n\n   Apply the appropriate patches or upgrade as specified in the Oracle\n   Critical Patch Update Advisory - April 2009. Note that this\n   document only lists newly corrected issues. Updates to patches for\n   previously known issues are not listed. \n\n\nIV. References\n\n * Oracle Critical Patch Update Advisory - April 2009 -\n   \u003chttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e\n\n * Critical Patch Updates and Security Alerts -\n   \u003chttp://www.oracle.com/technology/deploy/security/alerts.htm\u003e\n\n * Map of Public Vulnerability to Advisory/Alert -\n   \u003chttp://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e\n\n ____________________________________________________________________\n\n   The most recent version of this document can be found at:\n\n     \u003chttp://www.us-cert.gov/cas/techalerts/TA09-105A.html\u003e\n ____________________________________________________________________\n\n   Feedback can be directed to US-CERT Technical Staff. Please send\n   email to \u003ccert@cert.org\u003e with \"TA09-105A Feedback VU#955892\" in\n   the subject. \n ____________________________________________________________________\n\n   For instructions on subscribing to or unsubscribing from this\n   mailing list, visit \u003chttp://www.us-cert.gov/cas/signup.html\u003e. \n ____________________________________________________________________\n\n   Produced 2009 by US-CERT, a government organization. \n\n   Terms of use:\n\n     \u003chttp://www.us-cert.gov/legal.html\u003e\n ____________________________________________________________________\n\nRevision History\n  \n  April 15, 2009: Initial release\n\n\n-----BEGIN PGP SIGNATURE-----\nVersion: GnuPG v1.4.5 (GNU/Linux)\n\niQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4\n2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do\ndsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM\nh6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy\n11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU\nbsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw==\n=kziE\n-----END PGP SIGNATURE-----\n. ----------------------------------------------------------------------\n\nSecunia is pleased to announce the release of the annual Secunia\nreport for 2008. \nSome have unknown impacts, others can be exploited by malicious users\nto conduct SQL injection attacks or disclose sensitive information,\nand by malicious people  compromise a vulnerable system. \n\n2) Input passed to the \"DBMS_AQIN\" package is not properly sanitised\nbefore being used. This can be exploited to manipulate SQL queries by\ninjecting arbitrary SQL code. \n\n3) An error in the Application Express component included in Oracle\nDatabase can be exploited by unprivileged database users to disclose\nAPEX password hashes in \"LOWS_030000.WWV_FLOW_USER\". \n\nThe remaining vulnerabilities are caused due to unspecified errors. \nNo more information is currently available. \n\nPROVIDED AND/OR DISCOVERED BY:\n1) Joxean Koret of TippingPoint\n2, 3) Alexander Kornbrust of Red Database Security\n\nThe vendor also credits:\n* Joshua J. Drake of iDefense\n* Gerhard Eschelbeck of Qualys, Inc. \n* Esteban Martinez Fayo of Application Security, Inc. \n* Franz Huell of Red Database Security;\n* Mike Janowski of Neohapsis, Inc. \n* Joxean Koret\n* David Litchfield of NGS Software\n* Tanel Poder\n* Sven Vetter of Trivadis\n* Dennis Yurichev\n\nORIGINAL ADVISORY:\nOracle:\nhttp://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\n\nZDI:\nhttp://www.zerodayinitiative.com/advisories/ZDI-09-017/\n\nRed Database Security:\nhttp://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html\nhttp://www.red-database-security.com/advisory/apex_password_hashes.html\n\n----------------------------------------------------------------------\n\nAbout:\nThis Advisory was delivered by Secunia as a free service to help\neverybody keeping their systems up to date against the latest\nvulnerabilities. \n\nSubscribe:\nhttp://secunia.com/advisories/secunia_security_advisories/\n\nDefinitions: (Criticality, Where etc.)\nhttp://secunia.com/advisories/about_secunia_advisories/\n\n\nPlease Note:\nSecunia recommends that you verify all advisories you receive by\nclicking the link. \nSecunia NEVER sends attached files with advisories. \nSecunia does not advise people to install third party patches, only\nuse those supplied by the vendor. \n\n----------------------------------------------------------------------\n\nUnsubscribe: Secunia Security Advisories\nhttp://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org\n\n----------------------------------------------------------------------\n\n\n",
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76656"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      }
    ],
    "trust": 2.97
  },
  "external_ids": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/external_ids#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "db": "NVD",
        "id": "CVE-2009-0993",
        "trust": 3.5
      },
      {
        "db": "ZDI",
        "id": "ZDI-09-017",
        "trust": 2.9
      },
      {
        "db": "SECUNIA",
        "id": "34693",
        "trust": 2.7
      },
      {
        "db": "USCERT",
        "id": "TA09-105A",
        "trust": 2.6
      },
      {
        "db": "SECTRACK",
        "id": "1022055",
        "trust": 2.4
      },
      {
        "db": "BID",
        "id": "34461",
        "trust": 2.0
      },
      {
        "db": "XF",
        "id": "50030",
        "trust": 0.8
      },
      {
        "db": "VUPEN",
        "id": "ADV-2009-1042",
        "trust": 0.8
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235",
        "trust": 0.8
      },
      {
        "db": "ZDI_CAN",
        "id": "ZDI-CAN-248",
        "trust": 0.7
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311",
        "trust": 0.6
      },
      {
        "db": "VULMON",
        "id": "CVE-2009-0993",
        "trust": 0.1
      },
      {
        "db": "SECUNIA",
        "id": "35135",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "77574",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76656",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76710",
        "trust": 0.1
      },
      {
        "db": "PACKETSTORM",
        "id": "76704",
        "trust": 0.1
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76656"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "id": "VAR-200904-0278",
  "iot": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/iot#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": true,
    "sources": [
      {
        "db": "VARIoT devices database",
        "id": null
      }
    ],
    "trust": 0.065972224
  },
  "last_update_date": "2024-11-23T19:30:07.975000Z",
  "patch": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/patch#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "title": "cpuapr2009",
        "trust": 1.5,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "title": "090417_86",
        "trust": 0.8,
        "url": "http://www.oracle.com/technology/global/jp/security/090417_86/top.html"
      },
      {
        "title": "TA09-105A",
        "trust": 0.8,
        "url": "http://software.fujitsu.com/jp/security/vulnerabilities/ta09-105a.html"
      },
      {
        "title": "Oracle Application Server Security vulnerabilities",
        "trust": 0.6,
        "url": "http://www.cnnvd.org.cn/web/xxk/bdxqById.tag?id=156679"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      }
    ]
  },
  "problemtype_data": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/problemtype_data#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "problemtype": "NVD-CWE-noinfo",
        "trust": 1.0
      }
    ],
    "sources": [
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "references": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/references#",
      "data": {
        "@container": "@list"
      },
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": [
      {
        "trust": 2.5,
        "url": "http://www.securitytracker.com/id?1022055"
      },
      {
        "trust": 2.5,
        "url": "http://secunia.com/advisories/34693"
      },
      {
        "trust": 2.5,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html"
      },
      {
        "trust": 1.8,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017"
      },
      {
        "trust": 1.8,
        "url": "http://www.securityfocus.com/bid/34461"
      },
      {
        "trust": 1.7,
        "url": "http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html"
      },
      {
        "trust": 1.7,
        "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/50030"
      },
      {
        "trust": 1.7,
        "url": "http://www.securityfocus.com/archive/1/502683/100/0/threaded"
      },
      {
        "trust": 1.4,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html"
      },
      {
        "trust": 0.8,
        "url": "http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-0993"
      },
      {
        "trust": 0.8,
        "url": "http://xforce.iss.net/xforce/xfdb/50030"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/cert/jvnta09-105a/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://jvn.jp/tr/jvntr-2009-11/index.html"
      },
      {
        "trust": 0.8,
        "url": "http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-0993"
      },
      {
        "trust": 0.8,
        "url": "http://www.vupen.com/english/advisories/2009/1042"
      },
      {
        "trust": 0.4,
        "url": "http://www.zerodayinitiative.com/advisories/zdi-09-017/"
      },
      {
        "trust": 0.4,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html"
      },
      {
        "trust": 0.4,
        "url": "http://www.red-database-security.com/advisory/apex_password_hashes.html"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-23/"
      },
      {
        "trust": 0.3,
        "url": "http://secunia.com/secunia_research/2009-22/"
      },
      {
        "trust": 0.3,
        "url": "http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502845"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502707"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502697"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502727"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502723"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/506160"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502724"
      },
      {
        "trust": 0.3,
        "url": "/archive/1/502683"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1001.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1002.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1003.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1004.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1005.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1006.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1012.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.oracle.com/technology/deploy/security/wls-security/1016.html"
      },
      {
        "trust": 0.3,
        "url": "http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/secunia_security_advisories/"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/34693/"
      },
      {
        "trust": 0.2,
        "url": "http://secunia.com/advisories/about_secunia_advisories/"
      },
      {
        "trust": 0.1,
        "url": "https://cwe.mitre.org/data/definitions/.html"
      },
      {
        "trust": 0.1,
        "url": "https://nvd.nist.gov"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/35135/"
      },
      {
        "trust": 0.1,
        "url": "http://www.good.com/faq/18431.html"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=799"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=800"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/business_solutions/"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/try_vi/"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801"
      },
      {
        "trust": 0.1,
        "url": "http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=798"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com/advisories/disclosure_policy/"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpua"
      },
      {
        "trust": 0.1,
        "url": "http://www.tippingpoint.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.zerodayinitiative.com"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/techalerts/ta09-105a.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/alerts.htm\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/cas/signup.html\u003e."
      },
      {
        "trust": 0.1,
        "url": "http://www.us-cert.gov/legal.html\u003e"
      },
      {
        "trust": 0.1,
        "url": "http://secunia.com/advisories/try_vi/request_2008_report/"
      }
    ],
    "sources": [
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76656"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "sources": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "db": "BID",
        "id": "34461"
      },
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "db": "PACKETSTORM",
        "id": "76656"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "sources_release_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_release_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-14T00:00:00",
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "date": "2009-04-15T00:00:00",
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "date": "2009-04-09T00:00:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "date": "2009-05-18T15:35:49",
        "db": "PACKETSTORM",
        "id": "77574"
      },
      {
        "date": "2009-04-15T00:10:45",
        "db": "PACKETSTORM",
        "id": "76656"
      },
      {
        "date": "2009-04-15T23:15:44",
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "date": "2009-04-15T15:08:54",
        "db": "PACKETSTORM",
        "id": "76704"
      },
      {
        "date": "2009-04-15T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "date": "2009-04-15T10:30:00.687000",
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "sources_update_date": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/sources_update_date#",
      "data": {
        "@container": "@list"
      }
    },
    "data": [
      {
        "date": "2009-04-14T00:00:00",
        "db": "ZDI",
        "id": "ZDI-09-017"
      },
      {
        "date": "2018-10-10T00:00:00",
        "db": "VULMON",
        "id": "CVE-2009-0993"
      },
      {
        "date": "2009-09-01T16:22:00",
        "db": "BID",
        "id": "34461"
      },
      {
        "date": "2009-05-20T00:00:00",
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      },
      {
        "date": "2021-07-14T00:00:00",
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      },
      {
        "date": "2024-11-21T01:01:24.867000",
        "db": "NVD",
        "id": "CVE-2009-0993"
      }
    ]
  },
  "threat_type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/threat_type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "remote",
    "sources": [
      {
        "db": "PACKETSTORM",
        "id": "76656"
      },
      {
        "db": "PACKETSTORM",
        "id": "76710"
      },
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      }
    ],
    "trust": 0.8
  },
  "title": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/title#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "Oracle Application Server of  OPMN Component vulnerabilities",
    "sources": [
      {
        "db": "JVNDB",
        "id": "JVNDB-2009-001235"
      }
    ],
    "trust": 0.8
  },
  "type": {
    "@context": {
      "@vocab": "https://www.variotdbs.pl/ref/type#",
      "sources": {
        "@container": "@list",
        "@context": {
          "@vocab": "https://www.variotdbs.pl/ref/sources#"
        }
      }
    },
    "data": "other",
    "sources": [
      {
        "db": "CNNVD",
        "id": "CNNVD-200904-311"
      }
    ],
    "trust": 0.6
  }
}

CERTA-2009-AVI-154

Vulnerability from certfr_avis

De multiples vulnérabilités ont été découvertes dans les produits Oracle. L'exploitation de ces vulnérabilités permet de réaliser diverses actions malveillantes, dont l'exécution de code arbitraire à distance.

Description

Un grand nombre de vulnérabilités a été découvert dans les produits Oracle :

Oracle Database ;
Oracle Application Server ;
Oracle Collaboration Suite ;
Beehive Collaboration Suite ;
Oracle Enterprise Manager ;
Oracle E-Business Suite et Application ;
Oracle PoepleSoft Enterprise ;
JD Edwards EnterpriseOne ;
Oracle Siebel Enterprise ;
Oracle Weblogic Server, Portal, Data Service ;
Oracle Data Service Integrator ;
AquaLogic Data Services Platform;
JRockit.

L'exploitation de ces vulnérabilités permet de réaliser diverses actions malveillantes, dont l'exécution de code arbitraire à distance pour certaines.

Solution

Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).

None

Impacted products

Vendor	Product	Description
Oracle	Weblogic	Oracle WebLogic Server version 10.3 ;
Oracle	N/A	Oracle E-Business Suite Release 12, version 12.0.6 ;
Oracle	N/A	Oracle Database 9i Release 2, versions 9.2.0.8 et 9.2.0.8DV ;
Oracle	N/A	Oracle JRockit (anciennement BEA JRockit) version R27.6.2 et versions antérieures.
Oracle	N/A	Oracle E-Business Suite Release 11i, version 11.5.10.2 ;
Oracle	N/A	Oracle Database 10g, version 10.1.0.5 ;
Oracle	PeopleSoft	PeopleSoft Enterprise HRMS versions 8.9 et 9.0 ;
Oracle	N/A	Oracle Database 10g Release 2, versions 10.2.0.3 et 10.2.0.4 ;
Oracle	Weblogic	Oracle WebLogic Portal versions 8.1 à 8.1 SP6 ;
Oracle	N/A	Oracle BI Publisher versions 10.1.3.3.0, 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3 et 10.1.3.4 ;
Oracle	N/A	Oracle Database 11g, versions 11.1.0.6 et 11.1.0.7 ;
Oracle	N/A	Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0 ;
Oracle	Weblogic	Oracle WebLogic Server versions 9.0 GA, 9.1 GA et 9.2 jusqu'à la version 9.2 MP3 ;
Oracle	Weblogic	Oracle WebLogic Server versions 7.0 à 7.0 SP7 ;
Oracle	N/A	Oracle Data Service Integrator versions 10.3.0 ;
Oracle	N/A	Oracle AquaLogic Data Services Platform versions 3.2, 3.0.1 et 3.0 ;
Oracle	N/A	Oracle Outside In SDK HTML Export versions 8.2.2 et 8.3.0 ;
Oracle	PeopleSoft	PeopleSoft Enterprise PeopleTools version 8.49 ;
Oracle	N/A	Oracle XML Publisher version 5.6.2, 10.1.3.2 et 10.1.3.2.1 ;
Oracle	Weblogic	Oracle WebLogic Server versions 8.1 à 8.1 SP6 ;

References

Title

Publication Time

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted

CVE-2009-0993 (GCVE-0-2009-0993)

Vulnerability from cvelistv5

ghsa-vqv6-r48r-39m7

Vulnerability from github

fkie_cve-2009-0993

Vulnerability from fkie_nvd

gsd-2009-0993

Vulnerability from gsd

var-200904-0278

Vulnerability from variot

CERTA-2009-AVI-154

Vulnerability from certfr_avis

Description

Solution

Tags

Sightings

Nomenclature