Sign-up

ID

VAR-200904-0422


CVE

CVE-2009-1001


TITLE

Oracle BEA WebLogic Portal Vulnerability gained in

Trust: 0.8

sources: JVNDB: JVNDB-2009-004533

DESCRIPTION

Unspecified vulnerability in Oracle BEA WebLogic Portal 8.1 Gold through SP6 allows remote authenticated users to gain privileges via unknown vectors. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2009-1001 // JVNDB: JVNDB-2009-004533 // BID: 34461 // PACKETSTORM: 76710

AFFECTED PRODUCTS

vendor:oraclemodel:bea product suitescope:eqversion:8.1

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:8.1 gold to sp6

Trust: 0.8

vendor:oraclemodel:jrockit r27.1.0scope: - version: -

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:5.6.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.01

Trust: 0.3

vendor:beamodel:systems weblogic portal sp1scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle9i personal edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.49

Trust: 0.3

vendor:oraclemodel:oracle11g standard edition onescope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:data service integratorscope:eqversion:10.3

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.3

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2.1

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2.3.0

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise editionscope:eqversion:9.2.8.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.06

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0.1

Trust: 0.3

vendor:beamodel:systems weblogic portal sp6scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.1.5

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.11

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.13

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.04

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.1.0.7

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0.0.1

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.2scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.07

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp2scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp5scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic portal sp3scope:eqversion:8.1

Trust: 0.3

vendor:beamodel:systems weblogic portalscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.1

Trust: 0.3

vendor:beamodel:systems weblogic server maintenance packscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle9i standard editionscope:eqversion:9.2.8

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.13

Trust: 0.3

vendor:oraclemodel:oracle9i standard edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.3

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.1

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:9.0

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.2

Trust: 0.3

vendor:oraclemodel:e-business suite 11iscope:eqversion:11.5.10.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.12

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.15

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.05

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.16

Trust: 0.3

vendor:beamodel:systems weblogic server mp1scope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:8.9

Trust: 0.3

vendor:oraclemodel:audit vaultscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.0scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.02

Trust: 0.3

vendor:beamodel:systems weblogic portal sp4scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.4

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.12

Trust: 0.3

vendor:oraclemodel:weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.11

Trust: 0.3

vendor:oraclemodel:e-business suitescope:eqversion:12.0.6

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.3

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:oraclemodel:oracle9i personal editionscope:eqversion:9.2.8

Trust: 0.3

vendor:oraclemodel:oracle11g standard editionscope:eqversion:11.16

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.03

Trust: 0.3

vendor:beamodel:systems weblogic server sp7scope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.2.2

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.0

Trust: 0.3

sources: BID: 34461 // JVNDB: JVNDB-2009-004533 // CNNVD: CNNVD-200904-319 // NVD: CVE-2009-1001

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1001
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-1001
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200904-319
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-1001
severity: MEDIUM
baseScore: 5.5
vectorString: AV:N/AC:L/AU:S/C:P/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: SINGLE
confidentialityImpact: PARTIAL
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 8.0
impactScore: 4.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-004533 // CNNVD: CNNVD-200904-319 // NVD: CVE-2009-1001

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2009-1001

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 76710 // CNNVD: CNNVD-200904-319

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200904-319

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-004533

PATCH
title:Oracle Critical Patch Update Advisory - April 2009url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-004533

EXTERNAL IDS
db:NVDid:CVE-2009-1001
Trust: 2.7
db:USCERTid:TA09-105A
Trust: 2.5
db:SECTRACKid:1022059
Trust: 1.6
db:OSVDBid:53767
Trust: 1.6
db:BIDid:34461
Trust: 1.3
db:JVNDBid:JVNDB-2009-004533
Trust: 0.8
db:CERT/CCid:TA09-105A
Trust: 0.6
db:XFid:50053
Trust: 0.6
db:CNNVDid:CNNVD-200904-319
Trust: 0.6
db:ZDIid:ZDI-09-017
Trust: 0.3
db:PACKETSTORMid:76710
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-004533 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-319 // 
            
            
            
            NVD: CVE-2009-1001

REFERENCES
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html
Trust: 2.4
url:http://www.oracle.com/technology/deploy/security/wls-security/1001.html
Trust: 1.9
url:http://www.securitytracker.com/id?1022059
Trust: 1.6
url:http://osvdb.org/53767
Trust: 1.6
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Trust: 1.2
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/50053
Trust: 1.0
url:http://www.securityfocus.com/bid/34461
Trust: 1.0
url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1001
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1001
Trust: 0.8
url:http://xforce.iss.net/xforce/xfdb/50053
Trust: 0.6
url:http://secunia.com/secunia_research/2009-23/
Trust: 0.3
url:http://secunia.com/secunia_research/2009-22/
Trust: 0.3
url:http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml
Trust: 0.3
url:http://www.oracle.com
Trust: 0.3
url:/archive/1/502845
Trust: 0.3
url:/archive/1/502707
Trust: 0.3
url:/archive/1/502697
Trust: 0.3
url:/archive/1/502727
Trust: 0.3
url:/archive/1/502723
Trust: 0.3
url:/archive/1/506160
Trust: 0.3
url:/archive/1/502724
Trust: 0.3
url:/archive/1/502683
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-09-017/
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1002.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1004.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1005.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1006.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1016.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/apex_password_hashes.html
Trust: 0.3
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/alerts.htm>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
Trust: 0.1
url:http://www.us-cert.gov/cas/signup.html>.
Trust: 0.1
url:http://www.us-cert.gov/legal.html>
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-004533 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-319 // 
            
            
            
            NVD: CVE-2009-1001

CREDITS
Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200904-319

SOURCES
db:BIDid:34461
db:JVNDBid:JVNDB-2009-004533
db:PACKETSTORMid:76710
db:CNNVDid:CNNVD-200904-319
db:NVDid:CVE-2009-1001

LAST UPDATE DATE
2024-11-23T20:50:11.493000+00:00

SOURCES UPDATE DATE
db:BIDid:34461date:2009-09-01T16:22:00
db:JVNDBid:JVNDB-2009-004533date:2012-09-25T00:00:00
db:CNNVDid:CNNVD-200904-319date:2009-05-06T00:00:00
db:NVDid:CVE-2009-1001date:2024-11-21T01:01:26.337

SOURCES RELEASE DATE
db:BIDid:34461date:2009-04-09T00:00:00
db:JVNDBid:JVNDB-2009-004533date:2012-09-25T00:00:00
db:PACKETSTORMid:76710date:2009-04-15T23:15:44
db:CNNVDid:CNNVD-200904-319date:2009-04-15T00:00:00
db:NVDid:CVE-2009-1001date:2009-04-15T10:30:00.827