Archive for October, 2009
Philly Spy Shop
by IDF Agent on Oct.29, 2009, under Uncategorized
Just about anyone has seen James Bond movies and most little boys wanted to be him after seeing action packed spy movie. If you are not a kid anymore and are still interested in spy gadgets, techniques, gear etc., you should check out Philly Spy Shop. Located in the center of notheast part of Philadelphia, this shop has attracted a lot of attention. There you can buy mobile lie detectors, GPS tracking devices, hidden cameras (they can hide a camera almost anywhere – in a hat, pan, clock, soda can, fire alarm etc.), spy and law enforcement clothes, you can unblock “unknown” called ID numbers, change your phone number to any other number, get complete surveillance system, listening devices (like the ones you see in the movies), and much much more.
Whenever I go to Philly Spy Shop, I feel like a kid again, playing with gadgets and asking millions of questions. So whenever you get that inner spy calling, stop by and check out different products that they have (explosions not included) and don’t forget to mention that IDF sent you.
Mozilla Releases Firefox 3.0.15 and Firefox 3.5.4
by IDF Agent on Oct.28, 2009, under Uncategorized
October 28, 2009
Mozilla has released Firefox 3.0.15 and Firefox 3.5.4 to address
multiple vulnerabilities. Exploitation of these vulnerabilities may
allow an attacker to execute arbitrary code, execute arbitrary
JavaScript with chrome privileges, or cause a denial-of-service
condition. As described in the Mozilla Foundation Security Advisories,
some of these vulnerabilities may also affect SeaMonkey.
We encourage users to review the Mozilla Foundation security
advisories for Firefox 3.0 and Firefox 3.5 and apply any necessary
updates or workarounds to help mitigate the risks.
Relevant Url(s):
<http://www.mozilla.org/security/known-vulnerabilities/firefox35.html>
<http://www.mozilla.org/security/known-vulnerabilities/firefox30.html>
Federal Deposit Insurance Corporation Warns Public of Fraudulent Email
by IDF Agent on Oct.27, 2009, under Uncategorized
October 27, 2009
The Federal Deposit Insurance Corporation (FDIC) has released
information warning the public about fraudulent email messages
purporting to come from the FDIC. These email messages provides a link
to a fraudulent FDIC website. Users are then instructed to download
their “personal FDIC Insurance File.”
More information regarding these messages can be found in the Federal
Deposit Insurance Corporation’s Consumer Alerts website.
Users are encouraged to take the following measures to protect
themselves from this type of phishing scam:
* Do not follow unsolicited web links received in email messages.
* Verify the website by manually typing the URL when attempting to
connect to web sites recommended in an email.
* Refer to the Avoiding Social Engineering and Phishing Attacks
document for more information on social engineering attacks.
President Barack Obama and BlackBerry
by IDF Agent on Oct.26, 2009, under Uncategorized
You have probably heard by now that Barack Obama kept his BlackBerry after taking office of the president of the United States. As you might expect, there are many security questions that must be answered. Main question is “is Barack Obama transmitting any sensitive information over his BlackBerry that would compromise national security?” and if so “how well is it protected?”
White House Deputy Chief Of Staff Joseph Hagin said, while answering a question on what type of information can be transmitted over president’s phone: “There are very few laws and regulations, actually. With a couple notable exceptions, he has complete discretion as to how he’s going to communicate. One area where there’s really not much discretion is the laws related to the security of classified information. And by classified information I mean technically classified information — documents or subject matters that are classified under the government system as either confidential, secret, top secret, or what they call sensitive compartmentalized information, SCI. That information may not be discussed on an open line, be it wireless or phone. That information can only be discussed or transmitted over devices that are approved for the transmission of classified information.”
Secret service is facing a real challenge here. They are not only responsible for physical safety of the president, but they are also responsible for electronic intrusions. Another issue is the Presidential Records Act. Law states that any official communication by the president or his staff must be retained for inclusion in the archives. That information is retained for 12 years after the last day of the administration. Hagin went on to expand further: “Then the White House lawyers and the Justice Department have a concern because of the Records Act and making sure all of that is captured. But they also have a concern which is really more of a political concern… The ease with which people can hack into these devices and intercept information and plant spyware on them and all those sorts of things. If someone did get hold of his messages, even though they’re not classified… Imagine if a friend of his or a relative of his sent him something that was controversial, and that somehow got into the public domain. You can imagine, given the game of “gotcha” that’s played in Washington, the questions that would come: Did the president repudiate his friend? Did the president cut off contact with his friend? Does the president agree with his friend? All of a sudden, you have the president having to defend information that he had no control over receiving. It just appeared on his BlackBerry one day, it was leaked somehow or intercepted somehow, and suddenly became a permanent presidential record. One of the things that I’m hoping happens is that business and industry looks at this… and realizes how vulnerable they are. Because if you have sensitive proprietary information — Look at the banking industry. The decisions that they’re making are billion-dollar decisions. I’d bet that there are people out there trying as hard as they can to mine that information… Unlike in the late 90s when people wanted to announce that they’d hacked into half a million computers, today people want to do it covertly. They want to leave no fingerprints and no footprints because they want to be able to access this information on a continuing basis in order to benefit financially. That’s really the crux of the matter.”
Working in the mobile security industry, I get uneasy feeling when I start to think of who might get their hands on the information transmitted by president’s BlackBerry. Unintentionally Barack might open a whole new security whole in this nation’s infrastructure and I would easily bet a million dollars on the fact that there are nations and organizations out there today that are trying to intercept president’s communication through his cell phone.
High Risk Vulnerability Summary for third week of October
by IDF Agent on Oct.26, 2009, under Uncategorized
| Vendor — Product | Description | Published | CVSS Score | |
|---|---|---|---|---|
| adobe — acrobat adobe — acrobat_reader |
Integer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allows attackers to cause a denial of service or possibly execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to bypass intended Trust Manager restrictions via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
An unspecified certificate in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow remote attackers to conduct a “social engineering attack” via unknown vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat | Unspecified vulnerability in the image decoder in Adobe Acrobat 9.x before 9.2, and possibly 7.x through 7.1.4 and 8.x through 8.1.7, allows attackers to cause a denial of service or possibly execute arbitrary code via unknown vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2996. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Multiple heap-based buffer overflows in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat | Integer overflow in Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Array index error in Adobe Reader and Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 might allow attackers to execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Unspecified vulnerability in the Mozilla plug-in in Adobe Reader and Acrobat 8.x before 8.1.7, and possibly 7.x before 7.1.4 and 9.x before 9.2, might allow remote attackers to execute arbitrary code via unknown vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
The JavaScript for Acrobat API in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 does not properly implement the (1) Privileged Context and (2) Safe Path restrictions for unspecified JavaScript methods, which allows remote attackers to create arbitrary files, and possibly execute arbitrary code, via the cPath parameter in a crafted PDF file. NOTE: some of these details are obtained from third party information. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 allow attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2985. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Heap-based buffer overflow in Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 might allow attackers to execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-3458. | 2009-10-19 | 9.3 | |
| adobe — acrobat adobe — acrobat_reader |
Adobe Reader and Acrobat 7.x before 7.1.4, 8.x before 8.1.7, and 9.x before 9.2 do not properly validate input, which might allow attackers to execute arbitrary code via unspecified vectors, a different vulnerability than CVE-2009-2998. | 2009-10-19 | 9.3 | |
| adobe — acrobat | Adobe Acrobat 9.x before 9.2, 8.x before 8.1.7, and possibly 7.x through 7.1.4 allows attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via unspecified vectors. | 2009-10-19 | 9.3 | |
| adobe — acrobat | Unspecified vulnerability in Adobe Acrobat 9.x before 9.2 allows attackers to bypass intended file-extension restrictions via unknown vectors. | 2009-10-19 | 9.3 | |
| baidu — baidux uitv — uiplayer |
Stack-based buffer overflow in the GetUiDllVersion function in an ActiveX control in UiCheck.dll before 1.0.0.7 in UiTV UiPlayer, as used in BaiduX and other products, allows remote attackers to execute arbitrary code via the filename parameter. | 2009-10-19 | 9.3 | |
| boxalino — boxalino | Directory traversal vulnerability in client/desktop/default.htm in Boxalino before 09.05.25-0421 allows remote attackers to read arbitrary files via a .. (dot dot) in the url parameter. | 2009-10-22 | 7.5 | |
| citrix — xencenterweb | SQL injection vulnerability in login.php in sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to execute arbitrary SQL commands via the username parameter. NOTE: some of these details are obtained from third party information. | 2009-10-22 | 7.5 | |
| citrix — xencenterweb | Static code injection vulnerability in config/writeconfig.php in the sample code in the XenServer Resource Kit in Citrix XenCenterWeb allows remote attackers to inject arbitrary PHP code into include/config.ini.php via the pool1 parameter. NOTE: some of these details are obtained from third party information. | 2009-10-22 | 7.5 | |
| emc — documentum_applicationxtender_workflow_manager | Heap-based buffer overflow in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to execute arbitrary code via crafted packet data to TCP port 2606. | 2009-10-22 | 10.0 | |
| emc — documentum_applicationxtender_workflow_manager | Directory traversal vulnerability in aws_tmxn.exe in the Admin Agent service in the server in EMC Documentum ApplicationXtender Workflow, possibly 5.40 SP1 and earlier, allows remote attackers to upload arbitrary files, and execute arbitrary code, via directory traversal sequences in requests to TCP port 2606. | 2009-10-22 | 10.0 | |
| foolabs — xpdf poppler — poppler |
Integer overflow in the SplashBitmap::SplashBitmap function in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1 might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. NOTE: this issue reportedly exists because of an incomplete fix for CVE-2009-1188. | 2009-10-21 | 9.3 | |
| foolabs — xpdf poppler — poppler |
The Splash::drawImage function in Splash.cc in Xpdf 2.x and 3.x before 3.02pl4, and Poppler 0.x, as used in GPdf and kdegraphics KPDF, does not properly allocate memory, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted PDF document that triggers a NULL pointer dereference or a heap-based buffer overflow. | 2009-10-21 | 9.3 | |
| foolabs — xpdf poppler — poppler |
Integer overflow in the PSOutputDev::doImageL1Sep function in Xpdf before 3.02pl4, and Poppler 0.x, as used in kdegraphics KPDF, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. | 2009-10-21 | 9.3 | |
| foolabs — xpdf poppler — poppler |
Integer overflow in the ObjectStream::ObjectStream function in XRef.cc in Xpdf 3.x before 3.02pl4 and Poppler before 0.12.1, as used in GPdf, kdegraphics KPDF, CUPS pdftops, and teTeX, might allow remote attackers to execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. | 2009-10-21 | 9.3 | |
| gallium.inria — camimages | Multiple integer overflows in tiffread.c in CamlImages 2.2 might allow remote attackers to execute arbitrary code via TIFF images containing large width and height values that trigger heap-based buffer overflows. | 2009-10-20 | 7.5 | |
| kreotek — phpbms | Multiple SQL injection vulnerabilities in phpBMS 0.96 allow remote attackers to execute arbitrary SQL commands via the (1) id parameter to modules/bms/invoices_discount_ajax.php, (2) f parameter to dbgraphic.php, and (3) tid parameter in a show action to advancedsearch.php. | 2009-10-22 | 7.5 | |
| libgd — gd_graphics_library php — php |
The _gdGetColors function in gd_gd.c in PHP 5.2.11 and 5.3.0, and the GD Graphics Library 2.x, does not properly verify a certain colorsTotal structure member, which might allow remote attackers to conduct buffer overflow or buffer over-read attacks via a crafted GD file, a different vulnerability than CVE-2009-3293. NOTE: some of these details are obtained from third party information. | 2009-10-19 | 7.5 | |
| linux — kernel | The swiotlb functionality in the r8169 driver in drivers/net/r8169.c in the Linux kernel before 2.6.27.22 allows remote attackers to cause a denial of service (IOMMU space exhaustion and system crash) by using jumbo frames for a large amount of network traffic, as demonstrated by a flood ping. | 2009-10-19 | 7.8 | |
| lucvil — patplayer | Heap-based buffer overflow in LucVil PatPlayer 3.9 allows remote attackers to cause a denial of service (crash) or execute arbitrary code via a long URI in a playlist (.m3u) file. | 2009-10-16 | 9.3 | |
| mysql-ocaml — mysql-ocaml | The mysql-ocaml bindings 1.0.4 for MySQL do not properly support the mysql_real_escape_string function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | 2009-10-22 | 7.5 | |
| opial — opial | SQL injection vulnerability in home.php in Opial 1.0 allows remote attackers to execute arbitrary SQL commands via the genres_parent parameter. | 2009-10-22 | 7.5 | |
| opial — opial | Unrestricted file upload vulnerability in Opial 1.0 allows remote attackers to execute arbitrary code by uploading a file with an executable extension as a User Image, then accessing it via a request to the file in userimages, related to register.php. | 2009-10-22 | 7.5 | |
| oracle — database_server | Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2009-10-22 | 10.0 | |
| oracle — database_server | Unspecified vulnerability in the Network Authentication component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2009-10-22 | 10.0 | |
| oracle — database_server | Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. | 2009-10-22 | 10.0 | |
| oracle — bea_product_suite | Unspecified vulnerability in the JRockit component in BEA Product Suite R27.6.4: JRE/JDK, 1.4.2, 5, and, and 6 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: this issue subsumes CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, and CVE-2009-2676. | 2009-10-22 | 10.0 | |
| poppler — poppler | Integer overflow in the create_surface_from_thumbnail_data function in glib/poppler-page.cc in Poppler 0.x allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a crafted PDF document that triggers a heap-based buffer overflow. NOTE: some of these details are obtained from third party information. | 2009-10-21 | 9.3 | |
| postgresql-ocaml — postgresql-ocaml | The postgresql-ocaml bindings 1.5.4, 1.7.0, and 1.12.1 for PostgreSQL libpq do not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | 2009-10-22 | 7.5 | |
| pygresql — pygresql | The pygresql module 3.8.1 and 4.0 for Python does not properly support the PQescapeStringConn function, which might allow remote attackers to leverage escaping issues involving multibyte character encodings. | 2009-10-22 | 7.5 | |
| santostefano_giovanni — toylog | SQL injection vulnerability in read.php in ToyLog 0.1 allows remote attackers to execute arbitrary SQL commands via the idm parameter. | 2009-10-22 | 7.5 | |
| tatsuhiro_tsujikawa — aria2 | Format string vulnerability in the AbstractCommand::onAbort function in src/AbstractCommand.cc in aria2 before 1.6.2, when logging is enabled, allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via format string specifiers in a download URI. NOTE: some of these details are obtained from third party information. | 2009-10-20 | 7.6 | |
| vmware — fusion | Integer overflow in the vmx86 kernel extension in VMware Fusion before 2.0.6 build 196839 allows host OS users to cause a denial of service to the host OS via unspecified vectors. | 2009-10-16 | 7.8 |
Avoiding Social Engineering and Phishing Attacks
by IDF Agent on Oct.22, 2009, under Uncategorized
Do not give sensitive information to anyone unless you are sure that they
are indeed who they claim to be and that they should have access to the
information.
What is a social engineering attack?
In a social engineering attack, an attacker uses human interaction (social
skills) to obtain or compromise information about an organization or its
computer systems. An attacker may seem unassuming and respectable, possibly
claiming to be a new employee, repair person, or researcher and even
offering credentials to support that identity. However, by asking questions,
he or she may be able to piece together enough information to infiltrate an
organization’s network. If an attacker is not able to gather enough
information from one source, he or she may contact another source within the
same organization and rely on the information from the first source to add
to his or her credibility.
What is a phishing attack?
Phishing is a form of social engineering. Phishing attacks use email or
malicious websites to solicit personal information by posing as a
trustworthy organization. For example, an attacker may send email seemingly
from a reputable credit card company or financial institution that requests
account information, often suggesting that there is a problem. When users
respond with the requested information, attackers can use it to gain access
to the accounts.
Phishing attacks may also appear to come from other types of organizations,
such as charities. Attackers often take advantage of current events and
certain times of the year, such as
* natural disasters (e.g., Hurricane Katrina, Indonesian tsunami)
* epidemics and health scares (e.g., H1N1)
* economic concerns (e.g., IRS scams)
* major political elections
* holidays
How do you avoid being a victim?
* Be suspicious of unsolicited phone calls, visits, or email messages from
individuals asking about employees or other internal information. If an
unknown individual claims to be from a legitimate organization, try to
verify his or her identity directly with the company.
* Do not provide personal information or information about your
organization, including its structure or networks, unless you are
certain of a person’s authority to have the information.
* Do not reveal personal or financial information in email, and do not
respond to email solicitations for this information. This includes
following links sent in email.
* Don’t send sensitive information over the Internet before checking a
website’s security (see Protecting Your Privacy for more information).
* Pay attention to the URL of a website. Malicious websites may look
identical to a legitimate site, but the URL may use a variation in
spelling or a different domain (e.g., .com vs. .net).
* If you are unsure whether an email request is legitimate, try to verify
it by contacting the company directly. Do not use contact information
provided on a website connected to the request; instead, check previous
statements for contact information. Information about known phishing
attacks is also available online from groups such as the Anti-Phishing
Working Group (http://www.antiphishing.org).
* Install and maintain anti-virus software, firewalls, and email filters
to reduce some of this traffic (see Understanding Firewalls,
Understanding Anti-Virus Software, and Reducing Spam for more
information).
* Take advantage of any anti-phishing features offered by your email
client and web browser.
What do you do if you think you are a victim?
* If you believe you might have revealed sensitive information about your
organization, report it to the appropriate people within the
organization, including network administrators. They can be alert for
any suspicious or unusual activity.
* If you believe your financial accounts may be compromised, contact your
financial institution immediately and close any accounts that may have
been compromised. Watch for any unexplainable charges to your account.
* Immediately change any passwords you might have revealed. If you used
the same password for multiple resources, make sure to change it for
each account, and do not use that password in the future.
* Watch for other signs of identity theft (see Preventing and Responding
to Identity Theft for more information).
* Consider reporting the attack to the police, and file a report with the
Federal Trade Commission (http://www.ftc.gov/).
_________________________________________________________________
Author: Mindi McDowell
Oracle Critical Patch Update Advisory – October 2009
by IDF Agent on Oct.21, 2009, under Uncategorized
Description
A Critical Patch Update is a collection of patches for multiple security vulnerabilities. It also includes non-security fixes that are required (because of interdependencies) by those security patches. Critical Patch Updates are cumulative, except as noted below, but each advisory describes only the security fixes added since the previous Critical Patch Update. Thus, prior Critical Patch Update Advisories should be reviewed for information regarding earlier accumulated security fixes. Please refer to:
Critical Patch Updates and Security Alerts for information about Oracle Security Advisories.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. This Critical Patch Update contains 38 new security fixes across all products.
Notice of Upcoming Upgrade For My Oracle Support
My Oracle Support, Oracle’s next-generation support platform, will soon be upgraded, and Classic MetaLink will be retired. A number of additional features will be available through My Oracle Support, including ones that improve the patch management experience. As a result, after the upgrade, customers attempting to download CPU fixes will see a new Patches & Updates interface. In addition, customers will be required to have an Oracle Single Sign-On (SSO) account to access the My Oracle Support portal, and authorization rules for downloads will be more strictly enforced. Oracle recommends that customers verify or create their SSO account and review their support contracts to ensure they have the proper licenses in place to download the patches needed for the vulnerabilities described in this Critical Patch Update. To verify or create your SSO account, simply log in to My Oracle Support/Classic MetaLink prior to the upgrade and you will automatically be prompted to verify your SSO login or create a new SSO login using your email address. For more information about the My Oracle Support systems upgrade, see the My Oracle Support Transition Information Page and FAQs.
Supported Products and Components Affected
Security vulnerabilities addressed by this Critical Patch Update affect the products listed in the categories below. The product area of the patches for the listed versions is shown in [square brackets] following the product versions. Please click on the link in [square brackets] or in the Patch Availability Table to access the documentation for those patches.
Affected product releases and versions that are in Premier Support or Extended Support, under the Oracle Lifetime Support Policy:
| • Oracle Database 11g, version 11.1.0.7 | [ Database ] |
| • Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4 | [ Database ] |
| • Oracle Database 10g, version 10.1.0.5 | [ Database ] |
| • Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV | [ Database ] |
| • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.4.0, 10.1.3.5.0 | [ Application Server ] |
| • Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0 | [ Application Server ] |
| • Oracle Business Intelligence Enterprise Edition, versions 10.1.3.4.0, 10.1.3.4.1 | [ Application Server ] |
| • Oracle E-Business Suite Release 12, versions 12.0.6, 12.1 | [ E-Business Suite ] |
| • Oracle E-Business Suite Release 11i, version 11.5.10.2 | [ E-Business Suite ] |
| • AutoVue, version 19.3 | [ E-Business Suite ] |
| • Agile Engineering Data Management (EDM), version 6.1 | [ E-Business Suite ] |
| • PeopleSoft PeopleTools & Enterprise Portal, version 8.49 | [ PeopleSoft/JDE ] |
| • PeopleSoft Enterprise HCM (TAM), versions 8.9 and 9.0 | [ PeopleSoft/JDE ] |
| • JDEdward Tools, version 8.98 | [ PeopleSoft/JDE ] |
| • Oracle WebLogic Server 10.0 through MP1 and 10.3 | [ BEA ] |
| • Oracle WebLogic Server 9.0 GA, 9.1 GA and 9.2 through 9.2 MP3 | [ BEA ] |
| • Oracle WebLogic Server 8.1 through 8.1 SP5 | [ BEA ] |
| • Oracle WebLogic Server 7.0 through 7.0 SP6 | [ BEA ] |
| • Oracle WebLogic Portal, versions 8.1 through 8.1 SP6, 9.2 through 9.2 MP3, 10.0 through 10.0MP1, 10.2 through 10.2MP1 and 10.3 through 10.3.1 | [ BEA ] |
| • Oracle JRockit R27.6.4 and earlier (JDK/JRE 6, 5, 1.4.2) | [ BEA ] |
| • Oracle Communications Order and Service Management, versions 2.8.0, 6.2.0, 6.3.0 and 6.3.1 | [ Industry Suite ] |
Patch Availability Table and Risk Matrices
Products with Cumulative Patches
The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications (Releases 12.0 and 12.1), JD Edwards EnterpriseOne, JD Edwards OneWorld Tools, PeopleSoft Enterprise Portal Applications, PeopleSoft Enterprise PeopleTools and Siebel Enterprise, Oracle Industry Applications and BEA patches in the Updates are cumulative; patches for any of these products included in a Critical Patch Update will include all fixes for that product from the previous Critical Patch Updates.
Products with Non-Cumulative Patches
Oracle E-Business Suite Applications Release 11i patches are not cumulative, so Oracle E-Business Suite Applications customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply. Oracle Collaboration Suite patches were cumulative up to and including the fixes provided in the July 2007 Critical Patch Update. From the July 2007 Critical Patch Update on, Oracle Collaboration Suite security fixes are delivered using the one-off patch infrastructure normally used by Oracle to deliver single bug fixes to customers.
For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the following table. For an overview of the Oracle product documentation related to this Critical Patch Update, please refer to the Oracle Critical Patch Update October 2009 Documentation Map, My Oracle Support Note 946854.1.
| Product Group | Risk Matrix | Patch Availability and Installation Information |
|---|---|---|
| Oracle Database | Appendix – Oracle Database Risk Matrix | Critical Patch Update October 2009 Patch Availability Document for Oracle Products, My Oracle Support Note 881382.1 |
| Oracle Application Server | Appendix – Oracle Application Server Risk Matrix | Critical Patch Update October 2009 Patch Availability Document for Oracle Products, My Oracle Support Note 881382.1 |
| Oracle Collaboration Suite Beehive Collaboration Software |
No security fixes for this CPU. See Appendix – Product Dependencies to apply patches for dependent products. |
Critical Patch Update October 2009 Patch Availability Document for Oracle Products, My Oracle Support Note 881382.1 |
| Oracle E-Business Suite and Applications | Appendix – Oracle E-Business Suite and Applications Risk Matrix | Oracle E-Business Suite Critical Patch Update Note for October 2009, My Oracle Support Note 880170.1 |
| Oracle Enterprise Manager | No security fixes for this CPU. See Appendix – Product Dependencies to apply patches for dependent products. |
Critical Patch Update October 2009 Patch Availability Document for Oracle Products, My Oracle Support Note 881382.1 |
| Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne | Appendix – Oracle PeopleSoft and JD Edwards Applications Risk Matrix | Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Advisories |
| Oracle Siebel Enterprise | No security fixes for this CPU. | Oracle Siebel Enterprise Support |
| BEA Product Suite | Appendix – BEA Product Suite Risk Matrix | Critical Patch Update October 2009 Patch Availability Document for Oracle Products, My Oracle Support Note 881382.1 |
| Oracle Industry Applications | Appendix – Oracle Industry Applications Risk Matrix | Critical Patch Update October 2009 Patch Availability Document for Oracle Communications Products, My Oracle Support Note 946852.1 |
Risk Matrix Content
Risk matrices list only security vulnerabilities that are newly fixed by the patches associated with this advisory. Risk matrices for previous security fixes can be found in previous Critical Patch Update advisories.
Several vulnerabilities addressed in this Critical Patch Update affect multiple products. A vulnerability that affects multiple products will appear with the same CVE# in all risk matrices. Italics indicate vulnerabilities in code included from other product areas.
Security vulnerabilities are scored using CVSS version 2.0 (see Oracle CVSS Scoring for an explanation of how Oracle applies CVSS 2.0). Oracle conducts an analysis of each security vulnerability addressed by a Critical Patch Update (CPU). Oracle does not disclose information about the security analysis, but the resulting Risk Matrix and associated documentation provide information about the type of vulnerability, the conditions required to exploit it, and the potential result of a successful exploit. Oracle provides this information, in part, so that customers may conduct their own risk analysis based on the particulars of their product usage. As a matter of policy, Oracle does not disclose detailed information about an exploit condition or results that can be used to conduct a successful exploit. Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the CPU or Security Alert notification, the Patch Availability Matrix, the readme files, and FAQs. Oracle does not provide advance notification on CPUs or Security Alerts to individual customers. Finally, Oracle does not distribute exploit code or “proof-of-concept” code for product vulnerabilities.
Workarounds
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply fixes as soon as possible. Until you apply the CPU fixes, it may be possible to reduce the risk of successful attack by restricting network protocols required by an attack. For attacks that require certain privileges or access to certain packages, removing the privileges or the ability to access the packages from unprivileged users may help reduce the risk of successful attack. Both approaches may break application functionality, so Oracle strongly recommends that customers test changes on non-production systems. Neither approach should be considered a long-term solution as neither corrects the underlying problem.
Skipped Critical Patch Updates
As mentioned in the previous section, Oracle strongly recommends that customers apply fixes as soon as possible. For customers that have skipped one or more Critical Patch Updates and are concerned about products that do not have fixes announced in this CPU, please review the notes below to determine appropriate actions.
There are no new security fixes for the following products that had security fixes in prior Critical Patch Update Advisories:
- Oracle Collaboration Suite: please see Critical Patch Update Advisory January 2009 for the announcement of the most recent security fixes for Oracle Collaboration Suite. Please see My Oracle Support Note 881382.1 to download the most recent security fixes for Oracle Collaboration Suite.
- TimesTen In-Memory Database: please see Critical Patch Update Advisory January 2009 for the announcement of the most recent security fixes for TimesTen In-Memory Database. See My Oracle Support Note 881382.1 to apply the most recent security fixes for TimesTen In-Memory Database.
- Oracle Enterprise Manager: please see Critical Patch Update Advisory July 2009 for the announcement of the most recent security fixes for Oracle Enterprise Manager. See My Oracle Support Note 881382.1 to apply the most recent security fixes for Oracle Enterprise Manager.
- Oracle Secure Enterprise Search: please see Critical Patch Update Advisory July 2009 for the announcement of the most recent security fixes for Oracle Secure Enterprise Search. See My Oracle Support Note 881382.1 to apply the most recent security fixes for Oracle Secure Enterprise Search.
- Oracle Secure Backup: please see Critical Patch Update Advisory July 2009 for the announcement of the most recent security fixes for Oracle Secure Backup. See My Oracle Support Note 881382.1 to apply the most recent security fixes for Oracle Secure Backup.
- Oracle Siebel Enterprise: please see Critical Patch Update Advisory July 2009 for the announcement of the most recent security fixes for Oracle Siebel Enterprise. See My Oracle Support Note 955263.1 to apply the most recent security fixes for Oracle Siebel Enterprise.
Unsupported Products and De-Supported Versions
Unsupported products, releases and versions are not tested for the presence of vulnerabilities addressed by this Critical Patch Update. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities. Hence Oracle recommends that customers upgrade their Oracle products to a supported version.
Critical Patch Update patches are not provided for product versions that are no longer covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers upgrade to the latest supported version of Oracle products in order to obtain patches.
Products in Extended Support
Critical Patch Update patches are available to customers who have purchased Extended Support under the Lifetime Support Policy. Customers must have a valid Extended Support service contract to download Critical Patch Update patches for products in the Extended Support Phase. Critical Patch Update patches may not be downloaded to update products supported with Sustaining Support, or to update any unsupported products.
Supported Database, Fusion Middleware, EM Grid Control and Collaboration Suite products are patched in accordance with the Software Error Correction Support Policy explained in My Oracle Support Note 209768.1. Please review the Technical Support Policies for further guidelines regarding support policies and phases of support.
On Request Model for Oracle Database and Oracle Application Server
Oracle proactively creates patches only for platform/version combinations that, based on historical data, customers are likely to download for the next Critical Patch Update. We create patches for historically inactive platform/version combinations of the Oracle Database and Oracle Application Server only if requested by customers.
Additional details regarding the products, versions and platforms that will be supported for the next Critical Patch Update and the process for requesting On Request patches are available in the Critical Patch Update October 2009 Patch Availability Document for Oracle Products (My Oracle Support Note 881382.1).
Credit Statement
The following people or organizations discovered and brought security vulnerabilities addressed by this Critical Patch Update to Oracle’s attention: Yaniv Azaria of Imperva, Inc.; Cesar Cerrudo of Argeniss; Deniz Cevik of Intellect; Joxean Koret; Joxean Koret of iSIGHT Partners Global Vulnerability Partnership; Alexander Kornbrust of Red Database Security; David Litchfield of NGS Software; Ryan Permeh of McAfee Avert labs; Guy Pilosof of Sentrigo; Aviv Pode of Sentrigo; Alexandr Polyakov of Digital Security; Pawel Romanek of Asseco Business Solutions; Amichai Shulman of Imperva, Inc.; Rajat Swarup; Laszlo Toth; Luka Treiber of ACROS Security; Wei Wang of McAfee Avert labs; and Dennis Yurichev.
Security-In-Depth Contributors
Oracle provides recognition to people that have contributed to our Security-In-Depth program (see FAQ). People are recognized for Security-In-Depth contributions if they provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates.
For this Critical Patch Update, Oracle recognizes Yaniv Azaria of Imperva, Inc.; and Aviv Pode of Sentrigo for contributions to Oracle’s Security-In-Depth program.
Critical Patch Update Schedule
Critical Patch Updates are typically released on the Tuesday closest to the 15th day of January, July, April and October. The next four dates are:
- 12 January 2010
- 13 April 2010
- 13 July 2010
- 12 October 2010
References
- Oracle Critical Patch Updates and Security Alerts main page [ Oracle Technology Network ]
- Oracle PeopleSoft Security main page [ Oracle PeopleSoft/JDEdwards Support ]
- Critical Patch Update – October 2009 Documentation Map [ My Oracle Support Note 946854.1 ]
- Oracle Critical Patch Updates and Security Alerts – Frequently Asked Questions [ CPU FAQ ]
- Risk Matrix definitions [ Risk Matrix Definitions ]
- Use of Common Vulnerability Scoring System (CVSS) by Oracle [ Oracle CVSS Scoring ]
- List of public vulnerabilities fixed in Critical Patch Updates and Security Alerts [ Oracle Technology Network ]
- Software Error Correction Support Policy [ My Oracle Support Note 209768.1 ]
- Previous Security Advisories Notifications for BEA products [ BEA Security Advisories ]
Modification History
| 2009-Oct-20 | Rev 1. Initial Release |
Appendix- Oracle Database
Oracle Database Executive Summary
This Critical Patch Update contains 16 new security fixes for the Oracle Database Server Suite divided as follows:
Oracle Database Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Last Affected Patch set (per Supported Release) | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2009-1992 | Core RDBMS | Oracle Net | None | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 9.2.0.8, 10.1.0.5, 10.2.0.4 | See Note 1 |
| CVE-2009-1979 | Network Authentication | Oracle Net | None | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 10.1.0.5, 10.2.0.4 | See Note 2 |
| CVE-2009-1985 | Network Authentication | Oracle Net | None | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4 | See Note 2 |
| CVE-2009-1007 | Data Mining | Oracle Net | Execute on SYS.DMP_SYS | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.4 | |
| CVE-2009-1994 | Oracle Spatial | Oracle Net | Execute on MDSYS.PRVT_CMT_CBK | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.1.0.5 | |
| CVE-2009-2001 | PL/SQL | Oracle Net | Create Procedure | No | 6.5 | Network | Low | Single | Partial+ | Partial+ | Partial+ | 10.2.0.4, 11.1.0.7 | |
| CVE-2009-1993 | Application Express | Oracle Net | Execute on FLOWS_030000. WWV_EXECUTE_IMMEDIATE | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 3.0.1 | See Note 3 |
| CVE-2009-1018 | Workspace Manager | Oracle Net | Execute on SYS.LTRIC (WMSYS.LTRIC) | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 10.2.0.4 | |
| CVE-2009-1964 | Workspace Manager | Oracle Net | Create Session | No | 5.5 | Network | Low | Single | Partial+ | Partial+ | None | 10.2.0.4 | |
| CVE-2009-1965 | Net Foundation Layer | Local Logon | None | Yes | 5.4 | Adjacent Network | Medium | None | Partial+ | Partial+ | Partial+ | 9.2.0.8, 10.1.0.5 | See Note 1 |
| CVE-2009-1997 | Authentication | Oracle Net | None | Yes | 5.0 | Network | Low | None | Partial+ | None | None | 10.2.0.3, 11.1.0.7 | |
| CVE-2009-2000 | Authentication | Oracle Net | None | Yes | 5.0 | Network | Low | None | Partial+ | None | None | 11.1.0.7 | |
| CVE-2009-1995 | Advanced Queuing | Oracle Net | Execute on SYS.DBMS_AQ_INV | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 10.2.0.4, 11.1.0.7 | |
| CVE-2009-1991 | Oracle Text | Oracle Net | Execute on CTXSYS.DRVXTABC | No | 3.6 | Network | High | Single | Partial+ | Partial+ | None | 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4 | |
| CVE-2009-1971 | Data Pump | Oracle Net | Create Session | No | 3.5 | Network | Medium | Single | None | Partial+ | None | 10.1.0.5, 10.2.0.3, 11.1.0.7 | |
| CVE-2009-1972 | Auditing | Oracle Net | Execute on DBMS_SYS_SQL, DBMS_SQL | No | 2.1 | Network | High | Single | None | Partial | None | 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.4, 11.1.0.7 | |
Notes:
- This vulnerability only affects the Windows platform.
- The CVSS Base Score is 10.0 only for Windows. For Linux, Unix and other platforms, the CVSS Base Score is 7.5, and the impacts for Confidentiality, Integrity and Availability are Partial+.
- Please see section on Overview of Oracle Application Express for additional information.
Oracle Database Server Client-Only Installations
The following Oracle Database Server vulnerability included in this Critical Patch Update affects client-only installations: CVE-2009-1992.
Overview of Oracle Application Express
Oracle Application Express is a rapid web application development tool for the Oracle Database. In Oracle Database releases up to and including 10g Release 2, Oracle Application Express was separately installed from a Companion CD supplied with the Oracle Database CD set or from a package downloaded from an Oracle web site. If you have not installed Oracle Application Express from the companion CD or from a packaged download from an Oracle web site, no further action is required. From Oracle Database 11g onwards, Oracle Application Express is included in the default installation of the Oracle Database.
If you have Oracle Application Express installed in an Oracle Database home, then refer to Critical Patch Update October 2009 Patch Availability Document for Oracle Products, My Oracle Support Note 881382.1 for the version to be installed.
Appendix – Oracle Application Server
Oracle Application Server Executive Summary
This Critical Patch Update contains 3 new security fixes for the Oracle Application Server. 2 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have the Oracle Application Server installed.
Oracle Application Server products that are bundled with the Oracle Database are affected by the vulnerabilities listed in the Oracle Database section. They are not discussed further in this section and are not listed in the Oracle Application Server risk matrix.
Oracle Application Server Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Last Affected Patch set (per Supported Release) | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2009-1999 | Business Intelligence Enterprise Edition | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | None | See Note 1 |
| CVE-2009-3407 | Portal | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 10.1.2.3, 10.1.4.2 | |
| CVE-2009-1990 | Business Intelligence Enterprise Edition | None | None | No | 1.7 | Local | Low | Single | Partial | None | None | 10.1.3.4.1 | |
Notes:
- Fixed in all supported versions. No patch provided in this Critical Patch Update.
Appendix – Oracle E-Business Suite and Applications
Oracle E-Business Suite and Applications Executive Summary
This Critical Patch Update contains 8 new security fixes for Oracle Applications. 5 of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password. None of these fixes are applicable to client-only installations, i.e., installations that do not have Oracle Applications installed.
Oracle E-Business Suite products include Oracle Database and Oracle Fusion Middleware components that are affected by the vulnerabilities listed in the Oracle Database and Fusion Middleware sections. The exposure of Oracle E-Business Suite products is dependent on the Oracle Database and Fusion middleware versions being used. Oracle Database and Fusion Middleware security fixes are not listed in the Oracle E-Business Suite risk matrix, but since vulnerabilities affecting these versions may affect Oracle E-Business Suite products, Oracle recommends that customers apply the October 2009 Critical Patch Update to the Oracle Database and Fusion Middleware components of Oracle E-Business Suite. Refer to Oracle E-Business Suite Critical Patch Update for October 2009 Note 880170.1 for a more detailed information.
Oracle E-Business Suite Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Last Affected Patch set (per Supported Release) | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2009-3400 | Oracle Advanced Benefits | HTTP | None | No | 5.5 | Network | Low | Single | Partial | Partial | None | 11.5.10.2, 12.0.6, 12.1.1 | |
| CVE-2009-3392 | Agile Engineering Data Management (EDM) | ECI | None | Yes | 5.4 | Adjacent Network | Medium | None | Partial | Partial | Partial | 6.1.0.0 | |
| CVE-2009-3408 | Oracle Application Object Library | HTTP | None | Yes | 5.1 | Network | High | None | Partial+ | Partial+ | Partial+ | 11.5.10 | |
| CVE-2009-3395 | AutoVue | HTTP, TCP | None | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 19.3.2 | |
| CVE-2009-3393 | Oracle Application Object Library | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 11.5.10.2 | |
| CVE-2009-3397 | Oracle Application Object Library | HTTP | None | Yes | 4.3 | Network | Medium | None | Partial | None | None | 12.0.6, 12.1.1 | |
| CVE-2009-3402 | Oracle Applications Framework | HTTP | None | No | 2.1 | Network | High | Single | Partial | None | None | 11.5.10.2, 12.0.6, 12.1.1 | |
| CVE-2009-3401 | Oracle Applications Technology Stack | HTTP | None | No | 1.7 | Local | Low | Single | Partial+ | None | None | 11.5.10.2, 12.0.6, 12.1.1 | |
Appendix – Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Executive Summary
This Critical Patch Update contains 4 new security fixes for the Oracle PeopleSoft and JDEdwards Suite. None of these vulnerabilities may be remotely exploitable without authentication, i.e., none may be exploited over a network without the need for a username and password.
Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Last Affected Patch set (per Supported Release) | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2009-3405 | JD Edwards Tools | DB Access | None | No | 4.1 | Adjacent Network | Low | Single | None | Partial | Partial+ | 8.98.1.4 | |
| CVE-2009-3404 | PeopleSoft PeopleTools & Enterprise Portal | HTTP | Valid Session | No | 4.0 | Network | Low | Single | None | Partial | None | 8.49.23 | |
| CVE-2009-3409 | PeopleSoft Enterprise HCM (TAM) | HTTP | Valid Session | No | 3.6 | Network | High | Single | Partial | Partial | None | 8.9 Bundle 21 9.0 Bundle 10 | |
| CVE-2009-3406 | JD Edwards Tools | JDENET | None | No | 2.7 | Adjacent Network | Low | Single | Partial+ | None | None | 8.98.2.1 | |
Appendix – BEA Product Suite
BEA Products Executive Summary
This Critical Patch Update contains 6 new security fixes for the Oracle BEA Products Suite. All of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
The BEA Critical Patch Update patches have become cumulative with the introduction of the October 2009 Critical Patch Update. The BEA October 2009 Critical Patch Update patches include security fixes from July 2009 Critical Patch Update. The BEA Web Logic Server patches are cumulative at sub-component level (e.g. WLS console, Web application are sub-components). However, the patches in October 2009 Critical Patch Update do not include all the earlier advisories (unless otherwise noted), so BEA customers should refer to Previous Security Advisories to identify previous security fixes they want to apply.
BEA Product Suite Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Last Affected Patch set (per Supported Release) | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2009-3403 | JRockit | See Note 1 | None | Yes | 10.0 | Network | Low | None | Complete | Complete | Complete | R27.6.4: JRE/JDK 1.4.2, 5 and 6 | See Note 1 |
| CVE-2009-0217 | JRockit | None | None | Yes | 5.0 | Network | Low | None | None | Partial | None | R27.6.3: JRE/JDK 6 | See Note 2 |
| CVE-2009-2625 | JRockit | None | None | Yes | 5.0 | Network | Low | None | None | None | Partial | R27.6.4: JRE/JDK 5 and 6 | See Note 3 |
| CVE-2009-2002 | WebLogic Portal | HTTP | None | Yes | 4.3 | Network | Medium | None | None | Partial | None | 8.1.6, 9.2.3, 10.0.1, 10.2.1, 10.3.1.0.0 | |
| CVE-2009-3396 | WebLogic Server | HTTP | WLS Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 9.0, 9.1, 9.2.3, 10.0.1, 10.3 | |
| CVE-2009-3399 | WebLogic Server | HTTP | WLS Console | Yes | 4.3 | Network | Medium | None | None | Partial | None | 7.0.6, 8.1.5 | |
Notes:
- Sun MicroSystems released a Security Alert in August 2009 to address multiple vulnerabilities affecting the Sun Java Runtime Environment. Oracle CVE-2009-3403 refers to the advisories that were applicable to JRockit from the Sun Alert. The CVSS score of this vulnerability CVE# reflects the highest among those fixed in JRockit. The score is calculated by National Vulnerability Database (NVD), not Oracle. The complete list of all advisories addressed in JRockit under CVE-2009-3403 is as follows: CVE-2009-2670, CVE-2009-2671, CVE-2009-2672, CVE-2009-2673, CVE-2009-2674, CVE-2009-2675, CVE-2009-2676.
- The score for CVE-2009-0217 is calculated by National Vulnerability Database (NVD), not Oracle.
- The score for CVE-2009-2625 is calculated by National Vulnerability Database (NVD), not Oracle.
Appendix – Oracle Industry Applications Product Suite
Oracle Industry Applications Product Suite Executive Summary
This Critical Patch Update contains 1 new security fix for Oracle Industry Applications. This vulnerability is not remotely exploitable without authentication, i.e., may not be exploited over a network without the need for a username and password.
Oracle Industry Applications Risk Matrix
| CVE# | Component | Protocol | Package and/or Privilege Required | Remote Exploit without Auth.? | CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) | Last Affected Patch set (per Supported Release) | Notes | ||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | |||||||
| CVE-2009-1998 | Oracle Communications Order and Service Management | HTTP | Web Client | No | 4.9 | Network | Medium | Single | Partial | Partial | None | 2.8.0, 6.2.0, 6.3.0, 6.3.1 | |
Appendix- Product Dependencies
Oracle Product Dependency for CPU patching
This section highlights Oracle products that have dependencies on security vulnerability fixes announced in this Critical Patch Update. Oracle recommends that the customers apply Critical Patch Updates to all dependent products.
Oracle Beehive
This Critical Patch Update contains no new security fixes for the Oracle Beehive. Oracle Beehive contains the Oracle Database and Oracle Application Server components that are affected by vulnerabilities listed in the Oracle Database and Oracle Application Server sections. Hence Oracle recommends that customers apply the October 2009 Critical Patch Update to the Oracle Database and Oracle Application Server components of Oracle Beehive Collaboration Software.
Oracle Collaboration Suite
This Critical Patch Update contains no new security fixes for Oracle Collaboration Suite. Oracle Collaboration Suite contains the Oracle Database and Oracle Application Server components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Application Server sections. Hence Oracle recommends that customers apply the October 2009 Critical Patch Update to the Oracle Database and Oracle Application Server components of Oracle Collaboration Suite.
Secure Enterprise Search
This Critical Patch Update contains no new security fixes for Oracle Secure Enterprise Search. Oracle Secure Enterprise Search 10g includes Oracle Database 10g version 10.1.0.5, and since vulnerabilities affecting this Database version may affect Oracle Secure Enterprise Search, Oracle recommends that customers apply the October 2009 Critical Patch Update to the embedded Database.
Oracle Enterprise Manager
This Critical Patch Update contains no new security fixes for Oracle Enterprise Manager. Oracle Enterprise Manager 10g Grid Control includes Oracle Database and Oracle Application Server components that are affected by the vulnerabilities listed in the Oracle Database and Oracle Application Server sections. The exposure of a particular installation of Oracle Enterprise Manager depends on the Oracle Database and Oracle Application Server versions being used. Oracle recommends that customers apply the October 2009 Critical Patch Update to the embedded Oracle Database and Oracle Application Server.
Microsoft patches 34 vulnerabilities
by IDF Agent on Oct.15, 2009, under Uncategorized
In this week’s huge patch, Microsoft delivers 13 bulletins that fix 34 vulnerabilities targeting Windows, Internet Explorer, .NET framework, Forefront, MS Office, SQL server, Developer Tools and Silverlight.
Vulnerabilities in SMB v2 Could Allow Remote Code Execution
This security update resolves one publicly disclosed and two privately reported vulnerabilities in Server Message Block Version 2 (SMBv2). The most severe of the vulnerabilities could allow remote code execution if an attacker sent a specially crafted SMB packet to a computer running the Server service. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate from outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
This security update is rated Critical for supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.
Vulnerabilities in Windows Media Runtime Could Allow Remote Code Execution
This security update resolves two privately reported vulnerabilities in Windows Media Runtime. The vulnerabilities could allow remote code execution if a user opened a specially crafted media file or received specially crafted streaming content from a Web site or any application that delivers Web content. An attacker who successfully exploited these vulnerabilities could gain the same user rights as the local user. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
This security update is rated Critical for DirectShow WMA Voice Codec, Windows Media Audio Voice Decoder, and Audio Compression Manager on supported editions of Microsoft Windows 2000; Windows XP; Windows Server 2003, except for Itanium-based editions; Windows Vista; and Windows Server 2008, except for Itanium-based editions. For more information, see the subsection, Affected and Non-Affected Software, in this section.
The security update addresses the vulnerabilities by changing the manner in which the Windows Media Runtime processes ASF files and initializes functions in compressed audio files. For more information about the vulnerabilities, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.
Vulnerability in Windows Media Player Could Allow Remote Code Execution
This update resolves two newly discovered vulnerabilities. These vulnerabilities are documented in the “Vulnerability Details” section of this bulletin.
If a user is logged on with administrative user rights, an attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less affected than users who operate with administrative user rights.
We recommend that customers apply the update immediately.
Cumulative Security Update for Internet Explorer
This security update resolves three privately reported vulnerabilities and one publicly disclosed vulnerability in Internet Explorer. The vulnerabilities could allow remote code execution if a user views a specially crafted Web page using Internet Explorer. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Cumulative Security Update of ActiveX Kill Bits
This security update addresses a privately reported vulnerability that is common to multiple ActiveX controls and is currently being exploited. The vulnerability that affects ActiveX controls that were compiled using the vulnerable version of the Microsoft Active Template Library (ATL) could allow remote code execution if a user views a specially crafted Web page with Internet Explorer, instantiating the ActiveX control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities in Microsoft Active Template Library (ATL) ActiveX Controls for Microsoft Office Could Allow Remote Code Execution
This security update resolves several privately reported vulnerabilities in ActiveX Controls for Microsoft that were compiled with a vulnerable version of Microsoft Active Template Library (ATL). The vulnerabilities could allow remote code execution if a user loaded a specially crafted component or control. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities in the Microsoft .NET Common Language Runtime Could Allow Remote Code Execution
This security update resolves three privately reported vulnerabilities in Microsoft .NET Framework and Microsoft Silverlight. The vulnerabilities could allow remote code execution on a client system if a user views a specially crafted Web page using a Web browser that can run XAML Browser Applications (XBAPs) or Silverlight applications, or if an attacker succeeds in persuading a user to run a specially crafted Microsoft .NET application. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights. The vulnerabilities could also allow remote code execution on a server system running IIS, if that server allows processing ASP.NET pages and an attacker succeeds in uploading a specially crafted ASP.NET page to that server and executing it, as could be the case in a Web hosting scenario. Microsoft .NET applications, Silverlight applications, XBAPs and ASP.NET pages that are not malicious are not at risk of being compromised because of this vulnerability.
Vulnerabilities in GDI+ Could Allow Remote Code Execution
This security update resolves several privately reported vulnerabilities in Microsoft Windows GDI+. These vulnerabilities could allow remote code execution if a user viewed a specially crafted image file using affected software or browsed a Web site that contains specially crafted content. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities in FTP Service for Internet Information Services Could Allow Remote Code Execution
This security update resolves two publicly disclosed vulnerabilities in the FTP Service in Microsoft Internet Information Services (IIS) 5.0, Microsoft Internet Information Services (IIS) 5.1, Microsoft Internet Information Services (IIS) 6.0, and Microsoft Internet Information Services (IIS) 7.0. On IIS 7.0, only FTP Service 6.0 is affected. The vulnerabilities could allow remote code execution (RCE) on systems running FTP Service on IIS 5.0, or denial of service (DoS) on systems running FTP Service on IIS 5.0, IIS 5.1, IIS 6.0 or IIS 7.0.
Vulnerabilities in Windows CryptoAPI Could Allow Spoofing
This security update resolves two publicly disclosed vulnerabilities in Microsoft Windows. The vulnerabilities could allow spoofing if an attacker gains access to the certificate used by the end user for authentication.
Vulnerability in Indexing Service Could Allow Remote Code Execution
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow remote code execution if an attacker set up a malicious Web page that invokes the Indexing Service through a call to its ActiveX component. This call could include a malicious URL and exploit the vulnerability, granting the attacker access to the client system with the privileges of the user browsing the Web page. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights.
Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege
This security update resolves several privately reported vulnerabilities in the Windows kernel. The most severe of the vulnerabilities could allow elevation of privilege if an attacker logged on to the system and ran a specially crafted application. An attacker must have valid logon credentials and be able to log on locally to exploit any of these vulnerabilities. The vulnerabilities could not be exploited remotely or by anonymous users.
Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service
This security update resolves a privately reported vulnerability in Microsoft Windows. The vulnerability could allow denial of service if an attacker sent a maliciously crafted packet during the NTLM authentication process.
How do you know if your privacy is being protected?
by IDF Agent on Oct.09, 2009, under Uncategorized
How do you know if your privacy is being protected?
* Privacy policy – Before submitting your name, email address, or other
personal information on a website, look for the site’s privacy policy.
This policy should state how the information will be used and whether or
not the information will be distributed to other organizations.
Companies sometimes share information with partner vendors who offer
related products or may offer options to subscribe to particular mailing
lists. Look for indications that you are being added to mailing lists by
default—failing to deselect those options may lead to unwanted spam. If
you cannot find a privacy policy on a website, consider contacting the
company to inquire about the policy before you submit personal
information, or find an alternate site. Privacy policies sometimes
change, so you may want to review them periodically.
* Evidence that your information is being encrypted – To protect attackers
from hijacking your information, any personal information submitted
online should be encrypted so that it can only be read by the
appropriate recipient. Many sites use SSL, or secure sockets layer, to
encrypt information. Indications that your information will be encrypted
include a URL that begins with “https:” instead of “http:” and a lock
icon in the bottom right corner of the window (see Understanding Web
Site Certificates for more information). Some sites also indicate
whether the data is encrypted when it is stored. If data is encrypted in
transit but stored insecurely, an attacker who is able to break into the
vendor’s system could access your personal information.
What additional steps can you take to protect your privacy?
* Do business with credible companies – Before supplying any information
online, consider the answers to the following questions: do you trust
the business? is it an established organization with a credible
reputation? does the information on the site suggest that there is a
concern for the privacy of user information? is there legitimate contact
information provided?
* Do not use your primary email address in online submissions – Submitting
your email address could result in spam. If you do not want your primary
email account flooded with unwanted messages, consider opening an
additional email account for use online (see Reducing Spam for more
information). Make sure to log in to the account on a regular basis in
case the vendor sends information about changes to policies.
* Avoid submitting credit card information online – Some companies offer a
phone number you can use to provide your credit card information.
Although this does not guarantee that the information will not be
compromised, it eliminates the possibility that attackers will be able
to hijack it during the submission process.
* Devote one credit card to online purchases – To minimize the potential
damage of an attacker gaining access to your credit card information,
consider opening a credit card account for use only online. Keep a
minimum credit line on the account to limit the amount of charges an
attacker can accumulate.
* Avoid using debit cards for online purchases – Credit cards usually
offer some protection against identity theft and may limit the monetary
amount you will be responsible for paying. Debit cards, however, do not
offer that protection. Because the charges are immediately deducted from
your account, an attacker who obtains your account information may empty
your bank account before you even realize it.
* Take advantage of options to limit exposure of private information -
Default options on certain websites may be chosen for convenience, not
for security. For example, avoid allowing a website to remember your
password. If your password is stored, your profile and any account
information you have provided on that site is readily available if an
attacker gains access to your computer. Also, evaluate your settings on
websites used for social networking. The nature of those sites is to
share information, but you can restrict access to certain information so
that you limit who can see what (see Staying Safe on Social Network
Sites for more information).
_________________________________________________________________
Latest vulnerabilities
by IDF Agent on Oct.06, 2009, under Uncategorized
apple — safari:
Apple Safari, possibly before 4.0.3, on Mac OS X does not properly handle a ‘\0′ character in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority
avast — avast_antivirus_home
avast — avast_antivirus_professional:
Stack-based buffer overflow in aswMon2.sys in avast! Home and Professional for Windows 4.8.1351, and possibly other versions before 4.8.1356, allows local users to cause a denial of service (system crash) and possibly gain privileges via a crafted IOCTL request to IOCTL
coreftp — core_ftp:
Stack-based buffer overflow in Core FTP 2.1 build 1612 allows user-assisted remote attackers to execute arbitrary code via a long hostname in an FTP server entry in a site backup file.
globalscape — cuteftp:
Heap-based buffer overflow in the Create New Site feature in GlobalSCAPE CuteFTP Professional, Home, and Lite 8.3.3 and 8.3.3.0054 allows user-assisted remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via a site list containing an entry with a long label.
google — chrome:
Google Chrome, possibly 3.0.195.21 and earlier, does not properly handle a ‘\0′ character in a domain name in the subject’s Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority