Sign-up

ID

VAR-200904-0424


CVE

CVE-2009-1003


TITLE

BEA Product Suite of WebLogic Server Component vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2009-001249

DESCRIPTION

Unspecified vulnerability in the WebLogic Server component in BEA Product Suite 10.3, 10.0 MP1, 9.2 MP3, 9.1, and 9.0 allows remote attackers to affect integrity via unknown vectors related to "access to source code of web pages.". Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2009-1003 // JVNDB: JVNDB-2009-001249 // BID: 34461 // PACKETSTORM: 76710

AFFECTED PRODUCTS

vendor:oraclemodel:bea product suitescope:eqversion:10.3

Trust: 2.4

vendor:oraclemodel:bea product suitescope:eqversion:9.0

Trust: 2.4

vendor:oraclemodel:bea product suitescope:eqversion:9.1

Trust: 2.4

vendor:oraclemodel:bea product suitescope:eqversion:10.0

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:9.2

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:10.0 mp1

Trust: 0.8

vendor:oraclemodel:bea product suitescope:eqversion:9.2 mp3

Trust: 0.8

vendor:oraclemodel:jrockit r27.1.0scope: - version: -

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:5.6.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.01

Trust: 0.3

vendor:beamodel:systems weblogic portal sp1scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle9i personal edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.49

Trust: 0.3

vendor:oraclemodel:oracle11g standard edition onescope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:data service integratorscope:eqversion:10.3

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.3

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2.1

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2.3.0

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise editionscope:eqversion:9.2.8.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.06

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0.1

Trust: 0.3

vendor:beamodel:systems weblogic portal sp6scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.1.5

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.11

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.13

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.04

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.1.0.7

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0.0.1

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.2scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.07

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp2scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp5scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic portal sp3scope:eqversion:8.1

Trust: 0.3

vendor:beamodel:systems weblogic portalscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.1

Trust: 0.3

vendor:beamodel:systems weblogic server maintenance packscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle9i standard editionscope:eqversion:9.2.8

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.13

Trust: 0.3

vendor:oraclemodel:oracle9i standard edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.3

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.1

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:9.0

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.2

Trust: 0.3

vendor:oraclemodel:e-business suite 11iscope:eqversion:11.5.10.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.12

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.15

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.05

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.16

Trust: 0.3

vendor:beamodel:systems weblogic server mp1scope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:8.9

Trust: 0.3

vendor:oraclemodel:audit vaultscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.0scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.02

Trust: 0.3

vendor:beamodel:systems weblogic portal sp4scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.4

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.12

Trust: 0.3

vendor:oraclemodel:weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.11

Trust: 0.3

vendor:oraclemodel:e-business suitescope:eqversion:12.0.6

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.3

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:oraclemodel:oracle9i personal editionscope:eqversion:9.2.8

Trust: 0.3

vendor:oraclemodel:oracle11g standard editionscope:eqversion:11.16

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.03

Trust: 0.3

vendor:beamodel:systems weblogic server sp7scope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.2.2

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.0

Trust: 0.3

sources: BID: 34461 // JVNDB: JVNDB-2009-001249 // CNNVD: CNNVD-200904-321 // NVD: CVE-2009-1003

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1003
value: MEDIUM

Trust: 1.0

NVD: CVE-2009-1003
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200904-321
value: MEDIUM

Trust: 0.6

nvd@nist.gov: CVE-2009-1003
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:P/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: PARTIAL
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-001249 // CNNVD: CNNVD-200904-321 // NVD: CVE-2009-1003

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2009-1003

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 76710 // CNNVD: CNNVD-200904-321

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200904-321

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-001249

PATCH
title:cpuapr2009url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Trust: 0.8
title:1003url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html
Trust: 0.8
title:090417_86url:http://www.oracle.com/technology/global/jp/security/090417_86/top.html
Trust: 0.8
title:TA09-105Aurl:http://software.fujitsu.com/jp/security/vulnerabilities/ta09-105a.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-001249

EXTERNAL IDS
db:NVDid:CVE-2009-1003
Trust: 2.7
db:USCERTid:TA09-105A
Trust: 2.5
db:SECTRACKid:1022059
Trust: 2.4
db:OSVDBid:53762
Trust: 2.4
db:XFid:50054
Trust: 1.4
db:BIDid:34461
Trust: 1.3
db:VUPENid:ADV-2009-1042
Trust: 0.8
db:JVNDBid:JVNDB-2009-001249
Trust: 0.8
db:CERT/CCid:TA09-105A
Trust: 0.6
db:CNNVDid:CNNVD-200904-321
Trust: 0.6
db:ZDIid:ZDI-09-017
Trust: 0.3
db:PACKETSTORMid:76710
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-001249 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-321 // 
            
            
            
            NVD: CVE-2009-1003

REFERENCES
url:http://osvdb.org/53762
Trust: 2.4
url:http://www.securitytracker.com/id?1022059
Trust: 2.4
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html
Trust: 2.4
url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html
Trust: 1.9
url:http://xforce.iss.net/xforce/xfdb/50054
Trust: 1.4
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Trust: 1.2
url:http://www.securityfocus.com/bid/34461
Trust: 1.0
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/50054
Trust: 1.0
url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1003
Trust: 0.8
url:http://jvn.jp/cert/jvnta09-105a/index.html
Trust: 0.8
url:http://jvn.jp/tr/jvntr-2009-11/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1003
Trust: 0.8
url:http://www.vupen.com/english/advisories/2009/1042
Trust: 0.8
url:http://secunia.com/secunia_research/2009-23/
Trust: 0.3
url:http://secunia.com/secunia_research/2009-22/
Trust: 0.3
url:http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml
Trust: 0.3
url:http://www.oracle.com
Trust: 0.3
url:/archive/1/502845
Trust: 0.3
url:/archive/1/502707
Trust: 0.3
url:/archive/1/502697
Trust: 0.3
url:/archive/1/502727
Trust: 0.3
url:/archive/1/502723
Trust: 0.3
url:/archive/1/506160
Trust: 0.3
url:/archive/1/502724
Trust: 0.3
url:/archive/1/502683
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-09-017/
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1001.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1002.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1004.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1005.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1006.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1016.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/apex_password_hashes.html
Trust: 0.3
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/alerts.htm>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
Trust: 0.1
url:http://www.us-cert.gov/cas/signup.html>.
Trust: 0.1
url:http://www.us-cert.gov/legal.html>
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-001249 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-321 // 
            
            
            
            NVD: CVE-2009-1003

CREDITS
Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200904-321

SOURCES
db:BIDid:34461
db:JVNDBid:JVNDB-2009-001249
db:PACKETSTORMid:76710
db:CNNVDid:CNNVD-200904-321
db:NVDid:CVE-2009-1003

LAST UPDATE DATE
2024-11-23T21:11:49.041000+00:00

SOURCES UPDATE DATE
db:BIDid:34461date:2009-09-01T16:22:00
db:JVNDBid:JVNDB-2009-001249date:2009-05-22T00:00:00
db:CNNVDid:CNNVD-200904-321date:2009-05-06T00:00:00
db:NVDid:CVE-2009-1003date:2024-11-21T01:01:26.557

SOURCES RELEASE DATE
db:BIDid:34461date:2009-04-09T00:00:00
db:JVNDBid:JVNDB-2009-001249date:2009-05-22T00:00:00
db:PACKETSTORMid:76710date:2009-04-15T23:15:44
db:CNNVDid:CNNVD-200904-321date:2009-04-15T00:00:00
db:NVDid:CVE-2009-1003date:2009-04-15T10:30:00.877