Sign-up

ID

VAR-200904-0432


CVE

CVE-2009-1012


TITLE

BEA Product Suite of Apache Plug-ins and IIS Web server vulnerability

Trust: 0.8

sources: JVNDB: JVNDB-2009-001247

DESCRIPTION

Unspecified vulnerability in the plug-ins for Apache and IIS web servers in Oracle BEA WebLogic Server 7.0 Gold through SP7, 8.1 Gold through SP6, 9.0, 9.1, 9.2 Gold through MP3, 10.0 Gold through MP1, and 10.3 allows remote attackers to affect confidentiality, integrity, and availability. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on claims from a reliable researcher that this is an integer overflow in an unspecified plug-in that parses HTTP requests, which leads to a heap-based buffer overflow. Oracle has released the April 2009 critical patch update that addresses 43 vulnerabilities affecting the following software: Oracle Database Oracle Audit Vault Oracle Application Server Oracle Outside In SDK HTML Export Oracle XML Publisher Oracle BI Publisher Oracle E-Business Suite PeopleSoft Enterprise PeopleTools PeopleSoft Enterprise HRMS Oracle WebLogic Server (formerly BEA WebLogic Server) Oracle Data Service Integrator Oracle AquaLogic Data Services Platform Oracle JRockit. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service. I. Description The Oracle Critical Patch Update Advisory - April 2009 addresses 43 vulnerabilities in various Oracle products and components. The document provides information about affected components, access and authorization required for successful exploitation, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. Oracle has associated CVE identifiers with the vulnerabilities addressed in this Critical Patch Update. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database. II. Impact The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to access sensitive information. III. Solution Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update Advisory - April 2009. Note that this document only lists newly corrected issues. Updates to patches for previously known issues are not listed. IV. References * Oracle Critical Patch Update Advisory - April 2009 - <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html> * Critical Patch Updates and Security Alerts - <http://www.oracle.com/technology/deploy/security/alerts.htm> * Map of Public Vulnerability to Advisory/Alert - <http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html> ____________________________________________________________________ The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA09-105A.html> ____________________________________________________________________ Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA09-105A Feedback VU#955892" in the subject. ____________________________________________________________________ For instructions on subscribing to or unsubscribing from this mailing list, visit <http://www.us-cert.gov/cas/signup.html>. ____________________________________________________________________ Produced 2009 by US-CERT, a government organization. Terms of use: <http://www.us-cert.gov/legal.html> ____________________________________________________________________ Revision History April 15, 2009: Initial release -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iQEVAwUBSeY3bnIHljM+H4irAQIWvAf/dUpbNet17XLIfzFwu5wwA5wNm0foqBk4 2PYNO2+ENjlLwT2Rn0dx3xu/C1aPGVxw53EI7doWJubO/W9K2WgOrTs8k7iF65Do dsTWGPi36XzIh4KShJ8NVssNUUqSyyD1QvCXxtOOuKFXfGRRAZlYTGYgYl92QjXM h6j8KKFHqvUdCg4+F+qB3TryswLk0/b2Si2+HW1cWGWpSryKfzIAZv5s2HfvW1Iy 11fssZkyR0lvalVs/YSmiO3fsZZ2yigVL5WOwTUGreWnjKH+k13ooror0x5sIcwU bsfgxHssykStG+UbhxPW8Me6hrEyWkYJoziykWWo+5pCqbwGeqgSYw== =kziE -----END PGP SIGNATURE-----

Trust: 1.98

sources: NVD: CVE-2009-1012 // JVNDB: JVNDB-2009-001247 // BID: 34461 // PACKETSTORM: 76710

AFFECTED PRODUCTS

vendor:oraclemodel:bea product suitescope:eqversion:10.3

Trust: 2.4

vendor:oraclemodel:bea product suitescope:eqversion:9.0

Trust: 2.4

vendor:oraclemodel:bea product suitescope:eqversion:9.1

Trust: 2.4

vendor:oraclemodel:bea product suitescope:eqversion:10.0

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:7.0

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:9.2

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:8.1

Trust: 1.6

vendor:oraclemodel:bea product suitescope:eqversion:10.0 mp1

Trust: 0.8

vendor:oraclemodel:bea product suitescope:eqversion:7.0 sp7

Trust: 0.8

vendor:oraclemodel:bea product suitescope:eqversion:8.1 sp6

Trust: 0.8

vendor:oraclemodel:bea product suitescope:eqversion:9.2 mp3

Trust: 0.8

vendor:oraclemodel:jrockit r27.1.0scope: - version: -

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:5.6.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.01

Trust: 0.3

vendor:beamodel:systems weblogic portal sp1scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle9i personal edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise peopletoolsscope:eqversion:8.49

Trust: 0.3

vendor:oraclemodel:oracle11g standard edition onescope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:data service integratorscope:eqversion:10.3

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.3

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2.1

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2.3.0

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise editionscope:eqversion:9.2.8.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.06

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.0.1

Trust: 0.3

vendor:beamodel:systems weblogic portal sp6scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:xml publisherscope:eqversion:10.1.3.2

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.16

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.1.5

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.11

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.13

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.04

Trust: 0.3

vendor:oraclemodel:oracle11g enterprise editionscope:eqversion:11.1.0.7

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0.0.1

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.2scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.07

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp2scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:beamodel:systems weblogic portal sp5scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g application serverscope:eqversion:10.1.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic portal sp3scope:eqversion:8.1

Trust: 0.3

vendor:beamodel:systems weblogic portalscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.1

Trust: 0.3

vendor:beamodel:systems weblogic server maintenance packscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle9i standard editionscope:eqversion:9.2.8

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.13

Trust: 0.3

vendor:oraclemodel:oracle9i standard edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.2.3

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:oracle10g enterprise editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:oracle9i enterprise edition .8dvscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:oracle10g standard editionscope:eqversion:10.1.5

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.1

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:9.0

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.3.2

Trust: 0.3

vendor:oraclemodel:e-business suite 11iscope:eqversion:11.5.10.2

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.12

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.15

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.05

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.16

Trust: 0.3

vendor:beamodel:systems weblogic server mp1scope:eqversion:10.0

Trust: 0.3

vendor:oraclemodel:peoplesoft enterprise hrmsscope:eqversion:8.9

Trust: 0.3

vendor:oraclemodel:audit vaultscope:eqversion:10.2.3

Trust: 0.3

vendor:oraclemodel:jrockit r27.6.0scope: - version: -

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.02

Trust: 0.3

vendor:beamodel:systems weblogic portal sp4scope:eqversion:8.1

Trust: 0.3

vendor:oraclemodel:bi publisherscope:eqversion:10.1.3.4

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:8.12

Trust: 0.3

vendor:oraclemodel:weblogic serverscope:eqversion:10.3

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.11

Trust: 0.3

vendor:oraclemodel:e-business suitescope:eqversion:12.0.6

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.3

Trust: 0.3

vendor:oraclemodel:oracle10g personal editionscope:eqversion:10.2.0.4

Trust: 0.3

vendor:oraclemodel:oracle9i personal editionscope:eqversion:9.2.8

Trust: 0.3

vendor:oraclemodel:oracle11g standard editionscope:eqversion:11.16

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.0.0.14

Trust: 0.3

vendor:beamodel:systems weblogic server spscope:eqversion:7.03

Trust: 0.3

vendor:beamodel:systems weblogic server sp7scope:eqversion:7.0

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.2

Trust: 0.3

vendor:oraclemodel:outside in sdk html exportscope:eqversion:8.2.2

Trust: 0.3

vendor:oraclemodel:aqualogic data services platformscope:eqversion:3.2

Trust: 0.3

vendor:beamodel:systems weblogic serverscope:eqversion:9.0

Trust: 0.3

sources: BID: 34461 // JVNDB: JVNDB-2009-001247 // CNNVD: CNNVD-200904-329 // NVD: CVE-2009-1012

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2009-1012
value: HIGH

Trust: 1.0

NVD: CVE-2009-1012
value: HIGH

Trust: 0.8

CNNVD: CNNVD-200904-329
value: CRITICAL

Trust: 0.6

nvd@nist.gov: CVE-2009-1012
severity: HIGH
baseScore: 10.0
vectorString: AV:N/AC:L/AU:N/C:C/I:C/A:C
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: COMPLETE
integrityImpact: COMPLETE
availabilityImpact: COMPLETE
exploitabilityScore: 10.0
impactScore: 10.0
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

sources: JVNDB: JVNDB-2009-001247 // CNNVD: CNNVD-200904-329 // NVD: CVE-2009-1012

PROBLEMTYPE DATA

problemtype:NVD-CWE-noinfo

Trust: 1.0

sources: NVD: CVE-2009-1012

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 76710 // CNNVD: CNNVD-200904-329

TYPE

lack of information

Trust: 0.6

sources: CNNVD: CNNVD-200904-329

CONFIGURATIONS

sources:
            
            
            JVNDB: JVNDB-2009-001247

PATCH
title:cpuapr2009url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Trust: 0.8
title:1012url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html
Trust: 0.8
title:090417_86url:http://www.oracle.com/technology/global/jp/security/090417_86/top.html
Trust: 0.8
title:TA09-105Aurl:http://software.fujitsu.com/jp/security/vulnerabilities/ta09-105a.html
Trust: 0.8
sources:
            
            
            JVNDB: JVNDB-2009-001247

EXTERNAL IDS
db:NVDid:CVE-2009-1012
Trust: 2.7
db:USCERTid:TA09-105A
Trust: 2.5
db:OSVDBid:53765
Trust: 2.4
db:SECTRACKid:1022059
Trust: 2.4
db:BIDid:34461
Trust: 1.3
db:VUPENid:ADV-2009-1042
Trust: 0.8
db:JVNDBid:JVNDB-2009-001247
Trust: 0.8
db:CERT/CCid:TA09-105A
Trust: 0.6
db:CNNVDid:CNNVD-200904-329
Trust: 0.6
db:ZDIid:ZDI-09-017
Trust: 0.3
db:PACKETSTORMid:76710
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-001247 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-329 // 
            
            
            
            NVD: CVE-2009-1012

REFERENCES
url:http://osvdb.org/53765
Trust: 2.4
url:http://www.securitytracker.com/id?1022059
Trust: 2.4
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html
Trust: 2.4
url:http://www.oracle.com/technology/deploy/security/wls-security/1012.html
Trust: 1.9
url:http://secunia.com/secunia_research/2009-22/
Trust: 1.3
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html
Trust: 1.2
url:https://exchange.xforce.ibmcloud.com/vulnerabilities/64935
Trust: 1.0
url:http://www.securityfocus.com/bid/34461
Trust: 1.0
url:http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html
Trust: 1.0
url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2009-1012
Trust: 0.8
url:http://jvn.jp/cert/jvnta09-105a/index.html
Trust: 0.8
url:http://jvn.jp/tr/jvntr-2009-11/index.html
Trust: 0.8
url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2009-1012
Trust: 0.8
url:http://www.vupen.com/english/advisories/2009/1042
Trust: 0.8
url:http://secunia.com/secunia_research/2009-23/
Trust: 0.3
url:http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml
Trust: 0.3
url:http://www.oracle.com
Trust: 0.3
url:/archive/1/502845
Trust: 0.3
url:/archive/1/502707
Trust: 0.3
url:/archive/1/502697
Trust: 0.3
url:/archive/1/502727
Trust: 0.3
url:/archive/1/502723
Trust: 0.3
url:/archive/1/506160
Trust: 0.3
url:/archive/1/502724
Trust: 0.3
url:/archive/1/502683
Trust: 0.3
url:http://www.zerodayinitiative.com/advisories/zdi-09-017/
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1001.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1002.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1003.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1004.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1005.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1006.html
Trust: 0.3
url:http://www.oracle.com/technology/deploy/security/wls-security/1016.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
Trust: 0.3
url:http://www.red-database-security.com/advisory/apex_password_hashes.html
Trust: 0.3
url:http://www.us-cert.gov/cas/techalerts/ta09-105a.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/alerts.htm>
Trust: 0.1
url:http://www.oracle.com/technology/deploy/security/pdf/public_vuln_to_advisory_mapping.html>
Trust: 0.1
url:http://www.us-cert.gov/cas/signup.html>.
Trust: 0.1
url:http://www.us-cert.gov/legal.html>
Trust: 0.1
sources:
            
            
            BID: 34461 // 
            
            
            
            JVNDB: JVNDB-2009-001247 // 
            
            
            
            PACKETSTORM: 76710 // 
            
            
            
            CNNVD: CNNVD-200904-329 // 
            
            
            
            NVD: CVE-2009-1012

CREDITS
Esteban Martinez Fayo Joxean Koret   joxeankoret@yahoo.es
Trust: 0.6
sources:
            
            
            CNNVD: CNNVD-200904-329

SOURCES
db:BIDid:34461
db:JVNDBid:JVNDB-2009-001247
db:PACKETSTORMid:76710
db:CNNVDid:CNNVD-200904-329
db:NVDid:CVE-2009-1012

LAST UPDATE DATE
2024-11-23T19:52:25.675000+00:00

SOURCES UPDATE DATE
db:BIDid:34461date:2009-09-01T16:22:00
db:JVNDBid:JVNDB-2009-001247date:2009-05-22T00:00:00
db:CNNVDid:CNNVD-200904-329date:2011-07-15T00:00:00
db:NVDid:CVE-2009-1012date:2024-11-21T01:01:27.550

SOURCES RELEASE DATE
db:BIDid:34461date:2009-04-09T00:00:00
db:JVNDBid:JVNDB-2009-001247date:2009-05-22T00:00:00
db:PACKETSTORMid:76710date:2009-04-15T23:15:44
db:CNNVDid:CNNVD-200904-329date:2009-04-15T00:00:00
db:NVDid:CVE-2009-1012date:2009-04-15T10:30:01.017