Sign-up

ID

VAR-200904-0427


CVE

CVE-2009-1006


TITLE

BEA Product Suite of Jrockit Component vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2009-004535

DESCRIPTION

Unspecified vulnerability in the JRockit component in BEA Product Suite R27.6.2 and earlier, with SDK/JRE 1.4.2, JRE/JDK 5, and JRE/JDK 6, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (DoS) An attack may be carried out. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2009-1006 // JVNDB: JVNDB-2009-004535 // BID: 34461 // PACKETSTORM: 76710

AFFECTED PRODUCTS

vendor:oraclemodel:jrockitscope:lteversion:r27.6.2

Trust: 1.8

vendor:oraclemodel:jrockitscope:eqversion:r27.2

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.3

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.6.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.4

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.0

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.6.0

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.2

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.3.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.3

Trust: 1.0

vendor:oraclemodel:jrockitscope:eqversion:r27.6

Trust: 1.0

vendor:oraclemodel:jrockitscope:eqversion:r27.4

Trust: 1.0

vendor:oraclemodel:jrockitscope:eqversion:r27.5

Trust: 1.0

vendor:oraclemodel:jrockit r27.1.0scope: - version: -

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:5.6.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.01

Trust: 0.3

vendor:beamodel:systems weblogic portal sp1scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle9i personal edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.49

Trust: 0.3

vendor:oraclemodel:oracle11g standard edition onescope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:data service integratorscope:eqversion:10.3

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.3

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2.1

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2.3.0

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise editionscope:eqversion:9.2.8.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.06

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0.1

Trust: 0.3

vendor:beamodel:systems weblogic portal sp6scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.1.5

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.11

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.13

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.04

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.1.0.7

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0.0.1

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.2scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.07

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp2scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp5scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic portal sp3scope:eqversion:8.1

Trust: 0.3

vendor:beamodel:systems weblogic portalscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.1

Trust: 0.3

vendor:beamodel:systems weblogic server maintenance packscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle9i standard editionscope:eqversion:9.2.8

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.13

Trust: 0.3

vendor:oraclemodel:oracle9i standard edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.3

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.1

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:9.0

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.2

Trust: 0.3

vendor:oraclemodel:e-business suite 11iscope:eqversion:11.5.10.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.12

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.15

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.05

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.16

Trust: 0.3

vendor:beamodel:systems weblogic server mp1scope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:8.9

Trust: 0.3

vendor:oraclemodel:audit vaultscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.0scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.02

Trust: 0.3

vendor:beamodel:systems weblogic portal sp4scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.4

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.12

Trust: 0.3

vendor:oraclemodel:weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.11

Trust: 0.3

vendor:oraclemodel:e-business suitescope:eqversion:12.0.6

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.3

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:oraclemodel:oracle9i personal editionscope:eqversion:9.2.8

Trust: 0.3

vendor:oraclemodel:oracle11g standard editionscope:eqversion:11.16

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.03

Trust: 0.3

vendor:beamodel:systems weblogic server sp7scope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.2.2

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.0

Trust: 0.3

sources: BID: 34461 // JVNDB: JVNDB-2009-004535 // CNNVD: CNNVD-200904-324 // NVD: CVE-2009-1006

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1006
value: HIGH

Trust: 1.0

NVD: CVE-2009-1006
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200904-324
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2009-1006
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-004535 // CNNVD: CNNVD-200904-324 // NVD: CVE-2009-1006

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2009-1006

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 76710 // CNNVD: CNNVD-200904-324

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200904-324

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-004535

PATCH
title:Oracle Critical Patch Update Advisory - April 2009url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-004535

EXTERNAL IDS
db:NVDid:CVE-2009-1006
Trust: 2.7
db:USCERTid:TA09-105A
Trust: 2.5
db:SECTRACKid:1022059
Trust: 1.6
db:BIDid:34461
Trust: 1.3
db:JVNDBid:JVNDB-2009-004535
Trust: 0.8
db:CERT/CCid:TA09-105A
Trust: 0.6
db:CNNVDid:CNNVD-200904-324
Trust: 0.6
db:ZDIid:ZDI-09-017
Trust: 0.3
db:PACKETSTORMid:76710
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-004535 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-324 // 
            
            
            
            NVD: CVE-2009-1006

REFERENCES
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html
Trust: 2.4
url:http://www.securitytracker.com/id?1022059
Trust: 1.6
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Trust: 1.2
url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
Trust: 1.0
url:http://www.securityfocus.com/bid/34461
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1006
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1006
Trust: 0.8
url:http://secunia.com/secunia_research/2009-23/
Trust: 0.3
url:http://secunia.com/secunia_research/2009-22/
Trust: 0.3
url:http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml
Trust: 0.3
url:http://www.oracle.com
Trust: 0.3
url:/archive/1/502845
Trust: 0.3
url:/archive/1/502707
Trust: 0.3
url:/archive/1/502697
Trust: 0.3
url:/archive/1/502727
Trust: 0.3
url:/archive/1/502723
Trust: 0.3
url:/archive/1/506160
Trust: 0.3
url:/archive/1/502724
Trust: 0.3
url:/archive/1/502683
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-09-017/
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1001.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1002.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1004.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1005.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1006.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1016.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/apex_password_hashes.html
Trust: 0.3
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/alerts.htm>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
Trust: 0.1
url:http://www.us-cert.gov/cas/signup.html>.
Trust: 0.1
url:http://www.us-cert.gov/legal.html>
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-004535 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-324 // 
            
            
            
            NVD: CVE-2009-1006

CREDITS
Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200904-324

SOURCES
db:BIDid:34461
db:JVNDBid:JVNDB-2009-004535
db:PACKETSTORMid:76710
db:CNNVDid:CNNVD-200904-324
db:NVDid:CVE-2009-1006

LAST UPDATE DATE
2024-08-14T12:40:32.097000+00:00

SOURCES UPDATE DATE
db:BIDid:34461date:2009-09-01T16:22:00
db:JVNDBid:JVNDB-2009-004535date:2012-09-25T00:00:00
db:CNNVDid:CNNVD-200904-324date:2009-04-18T00:00:00
db:NVDid:CVE-2009-1006date:2012-10-23T03:04:31.100

SOURCES RELEASE DATE
db:BIDid:34461date:2009-04-09T00:00:00
db:JVNDBid:JVNDB-2009-004535date:2012-09-25T00:00:00
db:PACKETSTORMid:76710date:2009-04-15T23:15:44
db:CNNVDid:CNNVD-200904-324date:2009-04-15T00:00:00
db:NVDid:CVE-2009-1006date:2009-04-15T10:30:00.920