Multiple Oracle E-Business Suite unspecified vulnerabilities

oracle-ebusiness-multiple-unspecifed (26058) The risk level is classified as MediumMedium Risk

Description:

Multiple versions of Oracle E-Business Suite have multiple unspecified vulnerabilities that could be exploited by remote attackers to view, add, modify, or delete information in the back-end database.

These vulnerabilities exist in the following components:

  • Application Install
  • Financials for Asia/Pacific
  • iProcurement
  • Oracle Application Object Library
  • Oracle Applications Technology Stack
  • Oracle Diagnostics Interfaces
  • Oracle General Ledger
  • Oracle Order Capture
  • Oracle Receivables
  • Oracle Thesaurus Management System

Platforms Affected:

  • Oracle, E-Business Suite 11.0
  • Oracle, E-Business Suite 11.5.1
  • Oracle, E-Business Suite 11.5.10
  • Oracle, E-Business Suite 11.5.10 CU2
  • Oracle, E-Business Suite 11.5.2
  • Oracle, E-Business Suite 11.5.3
  • Oracle, E-Business Suite 11.5.4
  • Oracle, E-Business Suite 11.5.5
  • Oracle, E-Business Suite 11.5.6
  • Oracle, E-Business Suite 11.5.7
  • Oracle, E-Business Suite 11.5.8
  • Oracle, E-Business Suite 11.5.9
  • Oracle, Pharmaceutical 4.5.0
  • Oracle, Pharmaceutical 4.5.1
  • Oracle, Pharmaceutical 4.5.2

Remedy:

Refer to Oracle Critical Patch Update - April 2006 for patch, upgrade, or suggested workaround information. See References.

Consequences:

Gain Access

References:

  • Full-Disclosure Mailing List, Tue Apr 18 2006 - 14:04:23 CDT, Multiple critical and high risk issues in Oracle's database server at http://archives.neohapsis.com/archives/fulldisclosure/2006-04/0461.html.
  • Oracle Web site, Oracle Critical Patch Update - April 2006 at http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html. (APPS01 - APPS13 and OPA01)
  • Red-Database-Security Web site, Details Oracle Critical Patch Update April 2006 - V1.03 at http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html.
  • US-CERT Technical Cyber Security Alert TA06-109A, Oracle Products Contain Multiple Vulnerabilities at http://www.us-cert.gov/cas/techalerts/TA06-109A.html.
  • BID-17590: Oracle April 2006 Security Update Multiple Vulnerabilities
  • CVE-2006-1880: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, as identified by Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS09 in the (b) Oracle Diagnostics Interfaces component; (3) APPS10 in the (c) Oracle General Ledger component; (4) APPS12 and (5) APPS13 in the (d) Oracle Receivables component.
  • CVE-2006-1881: Unspecified vulnerability in the Financials for Asia/Pacific component in Oracle E-Business Suite and Applications 11.5.9 has unknown impact and attack vectors. component, aka Vuln# APPS02.
  • CVE-2006-1882: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unknown impact and attack vectors, as identified by Vuln# (1) APPS03 in (a) iProcurement; (2) APPS04 in (b) Oracle Application Object Library; (3) APPS06, (4) APPS07, and (5) APPS08 in (c) Oracle Applications Technology Stack; and (6) APPS11 in (d) Oracle Order Capture.
  • CVE-2006-1883: Unspecified vulnerability in the Oracle Application Object Library component in Oracle E-Business Suite and Applications 11.5.10CU1 has unknown impact and attack vectors, aka Vuln# APPS05.
  • CVE-2006-1884: Unspecified vulnerability in the Oracle Thesaurus Management System component in Oracle E-Business Suite and OPA 4.5.2 Applications has unknown impact and attack vectors, aka Vuln# OPA01.
  • SA19712: Oracle Products Multiple Vulnerabilities
  • SA19859: HP Oracle for OpenView Multiple Vulnerabilities
  • SECTRACK ID: 1015961: Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact
  • US-CERT VU#619194: Oracle Order Capture vulnerability
  • US-CERT VU#824833: Oracle Application Object Library vulnerability
  • US-CERT VU#940729: Oracle Diagnostics Interfaces vulnerability
  • VUPEN/ADV-2006-1397: Oracle Products Multiple SQL Injection and Security Bypass Vulnerabilities
  • VUPEN/ADV-2006-1571: HP Oracle for Openview Multiple SQL Injection and Security Bypass Vulnerabilities

Reported:

Apr 18, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page