SecurityTracker.com
Category:   Application (Generic)  >   Oracle Fusion Middleware
Vendors:   Oracle
Oracle Fusion Middleware Flaws Let Remote Users Deny Service and Partially Access and Modify Data
SecurityTracker Alert ID:  1029190
SecurityTracker URL:  http://securitytracker.com/id/1029190
CVE Reference:   CVE-2011-3389, CVE-2013-0169, CVE-2013-3827, CVE-2013-3828, CVE-2013-3831, CVE-2013-3833, CVE-2013-3836, CVE-2013-5763, CVE-2013-5773, CVE-2013-5791, CVE-2013-5798, CVE-2013-5813, CVE-2013-5815
Updated:  Dec 12 2013
Original Entry Date:  Oct 16 2013
Impact:   Denial of service via local system, Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information
Fix Available:  Yes
Vendor Confirmed:  Yes

Description:   Multiple vulnerabilities were reported in Oracle Fusion Middleware. A remote or local user can cause partial denial of service conditions. A remote user can partially access and modify data.

A remote user can exploit a flaw in Oracle Identity Analytics in the Security component to partially access and modify data and cause partial denial of service conditions [CVE-2013-5815].

A remote user can exploit a flaw in Oracle Portal in the Demos component to partially access and modify data [CVE-2013-3831].

A remote user can exploit a flaw in Oracle WebCenter Content in the Content Server component to partially access and modify data [CVE-2013-5813].

A remote user can exploit a flaw in Oracle JDeveloper in the Java Server Faces component to partially access data [CVE-2013-3827].

A remote user can exploit a flaw in Oracle Web Services in the Test Page component to partially access data [CVE-2013-3828].

A remote user can exploit a flaw in Oracle WebLogic Server in the Web Container component to partially access data [CVE-2013-3827].

A remote user can exploit a flaw in Oracle Access Manager in the Authentication Engine component to partially modify data [CVE-2013-3833].

A remote user can exploit a flaw in Oracle Containers for J2EE in the Servlet Runtime component to partially modify data [CVE-2013-5773].

A remote user can exploit a flaw in Oracle Identity Manager in the End User Self Service component to partially modify data [CVE-2013-5798].

A remote user with the ability to conduct a man-in-the-middle attack can decrypt SSL/TLS sessions [CVE-2011-3389]. Oracle Security Service is affected.

A remote authenticated user can exploit a flaw in Oracle Web Cache in the ESI/Partial Page Caching component to partially access data [CVE-2013-3836].

A remote user with the ability to conduct a man-in-the-middle attack against TLS or DTLS protected connections can recover the original plaintext when CBC-mode encryption is used [CVE-2013-0169]. Oracle Security Service is affected.

A local user can exploit a flaw in Oracle Outside In Technology in the Outside In Filters component to partially deny service [CVE-2013-5791].

A local user can exploit a flaw in Oracle Outside In Technology in the Outside In Maintenance component to partially deny service [CVE-2013-5763].

The following researchers reported these and other Oracle vulnerabilities:

Adam Gowdiak of Security Explorations; Adam Willard of Foreground Security; Adi Ludmer of McAfee Labs; Ajinkya Patil of AVsecurity.in; Alex Kouzemtchenko of Security Research Lab via CERT/CC; Alex Rajan of Network Intelligence; Alexander Polyakov of
ERPScan; Alexander Tlyapov of Positive Technologies; Alexey Osipov of Positive Technologies; Alexey Tyurin of ERPScan (Digital Security Research Group); Anagha Devale-Vartak of AVsecurity.in; Andrea Micalizzi aka rgod, working with HP's Zero Day
Initiative; Andrew Davies formerly of NCC Group; Ben Murphy via HP's Zero Day Initiative; CERT/CC; Chris Ries via the Exodus Intelligence Program; Dave Bryant of Orion Health; Dmitry Sklyarov of Positive Technologies; Esteban Martinez Fayo formerly
of Application Security Inc.; HUAWEI PSIRT; James Forshaw of Context Information Security; Jeroen Frijters; Jon Passki of Security Research Lab via CERT/CC; Juraj Somorovsky of Ruhr-University Bochum; Manuel Garcia Cardenas of Internet Security
Auditors; Positive Research Center (Positive Technologies Company); Qinglin Jiang formerly of Application Security Inc; Rohan Stelling of BAE Systems Detica; Sam Thomas of Pentest Limited; Timur Yunusov of Positive Technologies; Tom Parker of Orion
Health; Travis Emmert via iDefense; Vinesh N. Redkar; Will Dormann of CERT/CC; and Yuki Chen of Trend Micro.

Impact:   A remote or local user can cause partial denial of service conditions.

A remote user can partially access and modify data.

Solution:   The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - October 2013.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

Vendor URL:  www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html
Cause:   Not specified
Underlying OS:   Linux (Any), UNIX (Any), Windows (Any)

Message History:   None.


 Source Message Contents

Date:  Tue, 15 Oct 2013 23:14:33 +0000
Subject:  Oracle Fusion Middleware


http://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html

CVE-2011-3389 
CVE-2013-0169 
CVE-2013-3624 
CVE-2013-3827
CVE-2013-3828 
CVE-2013-3831 
CVE-2013-3833 
CVE-2013-3836 
CVE-2013-5773 
CVE-2013-5791 
CVE-2013-5798 
CVE-2013-5813
CVE-2013-5815


 
 



Copyright 2014, SecurityGlobal.net LLC