ID

VAR-200904-0427


CVE

CVE-2009-1006


TITLE

BEA Product Suite of Jrockit Component vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2009-004535

DESCRIPTION

Unspecified vulnerability in the JRockit component in BEA Product Suite R27.6.2 and earlier, with SDK/JRE 1.4.2, JRE/JDK 5, and JRE/JDK 6, allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. (DoS) An attack may be carried out. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2009-1006 // JVNDB: JVNDB-2009-004535 // BID: 34461 // PACKETSTORM: 76710

AFFECTED PRODUCTS

vendor:oraclemodel:jrockitscope:lteversion:r27.6.2

Trust: 1.8

vendor:oraclemodel:jrockitscope:eqversion:r27.2

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.3

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.6.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.4

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.0

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.6.0

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r26.2

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.3.1

Trust: 1.6

vendor:oraclemodel:jrockitscope:eqversion:r27.3

Trust: 1.0

vendor:oraclemodel:jrockitscope:eqversion:r27.6

Trust: 1.0

vendor:oraclemodel:jrockitscope:eqversion:r27.4

Trust: 1.0

vendor:oraclemodel:jrockitscope:eqversion:r27.5

Trust: 1.0

vendor:oraclemodel:jrockit r27.1.0scope: - version: -

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:5.6.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.01

Trust: 0.3

vendor:beamodel:systems weblogic portal sp1scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle9i personal edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.49

Trust: 0.3

vendor:oraclemodel:oracle11g standard edition onescope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:data service integratorscope:eqversion:10.3

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.3

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2.1

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2.3.0

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise editionscope:eqversion:9.2.8.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.06

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0.1

Trust: 0.3

vendor:beamodel:systems weblogic portal sp6scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.1.5

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.11

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.13

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.04

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.1.0.7

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0.0.1

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.2scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.07

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp2scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp5scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic portal sp3scope:eqversion:8.1

Trust: 0.3

vendor:beamodel:systems weblogic portalscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.1

Trust: 0.3

vendor:beamodel:systems weblogic server maintenance packscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle9i standard editionscope:eqversion:9.2.8

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.13

Trust: 0.3

vendor:oraclemodel:oracle9i standard edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.3

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.1

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:9.0

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.2

Trust: 0.3

vendor:oraclemodel:e-business suite 11iscope:eqversion:11.5.10.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.12

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.15

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.05

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.16

Trust: 0.3

vendor:beamodel:systems weblogic server mp1scope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:8.9

Trust: 0.3

vendor:oraclemodel:audit vaultscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.0scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.02

Trust: 0.3

vendor:beamodel:systems weblogic portal sp4scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.4

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.12

Trust: 0.3

vendor:oraclemodel:weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.11

Trust: 0.3

vendor:oraclemodel:e-business suitescope:eqversion:12.0.6

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.3

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:oraclemodel:oracle9i personal editionscope:eqversion:9.2.8

Trust: 0.3

vendor:oraclemodel:oracle11g standard editionscope:eqversion:11.16

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.03

Trust: 0.3

vendor:beamodel:systems weblogic server sp7scope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.2.2

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.0

Trust: 0.3

sources: BID: 34461 // JVNDB: JVNDB-2009-004535 // CNNVD: CNNVD-200904-324 // NVD: CVE-2009-1006

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1006
value: HIGH

Trust: 1.0

NVD: CVE-2009-1006
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200904-324
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2009-1006
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-004535 // CNNVD: CNNVD-200904-324 // NVD: CVE-2009-1006

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2009-1006

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 76710 // CNNVD: CNNVD-200904-324

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200904-324

CONFIGURATIONS

sources: JVNDB: JVNDB-2009-004535

PATCH

title:Oracle Critical Patch Update Advisory - April 2009url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html

Trust: 0.8

sources: JVNDB: JVNDB-2009-004535

EXTERNAL IDS

db:NVDid:CVE-2009-1006

Trust: 2.7

db:USCERTid:TA09-105A

Trust: 2.5

db:SECTRACKid:1022059

Trust: 1.6

db:BIDid:34461

Trust: 1.3

db:JVNDBid:JVNDB-2009-004535

Trust: 0.8

db:CERT/CCid:TA09-105A

Trust: 0.6

db:CNNVDid:CNNVD-200904-324

Trust: 0.6

db:ZDIid:ZDI-09-017

Trust: 0.3

db:PACKETSTORMid:76710

Trust: 0.1

sources: BID: 34461 // JVNDB: JVNDB-2009-004535 // PACKETSTORM: 76710 // CNNVD: CNNVD-200904-324 // NVD: CVE-2009-1006

REFERENCES

url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html

Trust: 2.4

url:http://www.securitytracker.com/id?1022059

Trust: 1.6

url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

Trust: 1.2

url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html

Trust: 1.0

url:http://www.securityfocus.com/bid/34461

Trust: 1.0

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1006

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1006

Trust: 0.8

url:http://secunia.com/secunia_research/2009-23/

Trust: 0.3

url:http://secunia.com/secunia_research/2009-22/

Trust: 0.3

url:http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml

Trust: 0.3

url:http://www.oracle.com

Trust: 0.3

url:/archive/1/502845

Trust: 0.3

url:/archive/1/502707

Trust: 0.3

url:/archive/1/502697

Trust: 0.3

url:/archive/1/502727

Trust: 0.3

url:/archive/1/502723

Trust: 0.3

url:/archive/1/506160

Trust: 0.3

url:/archive/1/502724

Trust: 0.3

url:/archive/1/502683

Trust: 0.3

url:http://www.zerodayinitiative.com/advisories/zdi-09-017/

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1001.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1002.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1004.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1005.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1006.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html

Trust: 0.3

url:http://www.oracle.com/technology/deploy/security/wls-security/1016.html

Trust: 0.3

url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Trust: 0.3

url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html

Trust: 0.3

url:http://www.red-database-security.com/advisory/apex_password_hashes.html

Trust: 0.3

url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html>

Trust: 0.1

url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>

Trust: 0.1

url:http://www.oracle.com/technology/deploy/security/alerts.htm>

Trust: 0.1

url:http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html>.

Trust: 0.1

url:http://www.us-cert.gov/legal.html>

Trust: 0.1

sources: BID: 34461 // JVNDB: JVNDB-2009-004535 // PACKETSTORM: 76710 // CNNVD: CNNVD-200904-324 // NVD: CVE-2009-1006

CREDITS

Esteban Martinez Fayo Joxean Koret joxeankoret@yahoo.es

Trust: 0.6

sources: CNNVD: CNNVD-200904-324

SOURCES

db:BIDid:34461
db:JVNDBid:JVNDB-2009-004535
db:PACKETSTORMid:76710
db:CNNVDid:CNNVD-200904-324
db:NVDid:CVE-2009-1006

LAST UPDATE DATE

2024-08-14T12:40:32.097000+00:00


SOURCES UPDATE DATE

db:BIDid:34461date:2009-09-01T16:22:00
db:JVNDBid:JVNDB-2009-004535date:2012-09-25T00:00:00
db:CNNVDid:CNNVD-200904-324date:2009-04-18T00:00:00
db:NVDid:CVE-2009-1006date:2012-10-23T03:04:31.100

SOURCES RELEASE DATE

db:BIDid:34461date:2009-04-09T00:00:00
db:JVNDBid:JVNDB-2009-004535date:2012-09-25T00:00:00
db:PACKETSTORMid:76710date:2009-04-15T23:15:44
db:CNNVDid:CNNVD-200904-324date:2009-04-15T00:00:00
db:NVDid:CVE-2009-1006date:2009-04-15T10:30:00.920