Vigil@nce: Oracle AS, several vulnerabilities of July 2008
July 2008 by Vigil@nce
Several vulnerabilities are corrected by the CPU of July 2008.
– Gravity: 3/4
– Consequences: privileged access/rights, user access/rights, data
– reading, data creation/edition, data deletion, denial of service
of service
– Provenance: internet client
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Creation date: 16/07/2008
– Identifier: VIGILANCE-VUL-7950
IMPACTED PRODUCTS
– Oracle Application Server [confidential versions]
– Oracle Portal
DESCRIPTION
The CPU (Critical Patch Update) of July 2008 corrects several
vulnerabilities of Oracle Application Server. Oracle’s announce
contains a detailed table, summarized below.
An attacker (via HTTP and not authenticated) can obtain
information, alter information or create a denial of service via a
vulnerability of Oracle HTTP Server. [grav:3/4; CVE-2007-1359]
An attacker (via HTTP and not authenticated) can inject a SQL
query in the WWV_RENDER_REPORT package in order to obtain or alter
information via Oracle Portal. [grav:3/4; CVE-2008-2589]
An attacker (via HTTP and not authenticated) can obtain or alter
information via a vulnerability of Oracle Portal. [grav:3/4;
CVE-2008-2594]
An attacker (via HTTP and not authenticated) can obtain or alter
information via a vulnerability of Oracle Portal. [grav:3/4;
CVE-2008-2609]
An attacker (via LDAP and not authenticated) can send a malformed
LDAP query in order to dereference a NULL pointer, and then create
a denial of service in Oracle Internet Directory. [grav:2/4;
CVE-2008-2595]
An attacker (via HTTP and not authenticated) can alter information
via a vulnerability of Hyperion BI Plus. [grav:3/4; CVE-2008-2612]
An attacker (via HTTP and not authenticated) can alter information
via a vulnerability of Oracle HTTP Server. [grav:3/4;
CVE-2008-2614]
An attacker (via HTTP and not authenticated) can alter information
via a vulnerability of Oracle Portal. [grav:3/4; CVE-2008-2583]
An attacker (via HTTP and not authenticated) can alter information
via a vulnerability of Oracle Portal. [grav:3/4; CVE-2008-2593]
CHARACTERISTICS
– Identifiers: CVE-2007-1359, CVE-2008-2583, CVE-2008-2589,
CVE-2008-2593, CVE-2008-2594, CVE-2008-2595, CVE-2008-2609,
CVE-2008-2612, CVE-2008-2614, VIGILANCE-VUL-7950
– Url: https://vigilance.aql.fr/tree/1/7950