Open Source and information security mailing list archives
 
Message-ID: <010e01c7cd9b$15f1edb0$41d5c910$@com>
Date: Mon, 23 Jul 2007 21:33:57 -0500
From: "Integrigy Alerts" <alerts@...egrigy.com>
To: <bugtraq@...urityfocus.com>
Subject: Oracle E-Business Suite - Multiple Vulnerabilities

Multiple security vulnerabilities have been corrected in Oracle E-Business
Suite 11i and R12 as part of the July 2007 Oracle Critical Patch Update (CPU).
All Internet-accessible environments should prioritize patch 6045931, which
corrects the multiple On-line Help vulnerabilities listed below as APPS04,
APPS05 and APPS06. Until that patch can be applied, the help functionality
should be temporarily disabled using the Oracle-supplied "URL Firewall".

APPS01 / CVE-2007-3865
Customer Intelligence (BIC) (R12 only)
SQL Injection

APPS02 / CVE-2007-3866
Configurator (CZ)
Cross Site Scripting

APPS03 / CVE-2007-3866
Internet Expenses (AP)
Cross Site Scripting

APPS04 / CVE-2007-3867
APPS05 / CVE-2007-3867
APPS06 / CVE-2007-3867
On-line Help (FND)
SQL Injection, Cross Site Scripting (multiple), Information Disclosure

APPS07 / CVE-2007-3867
Customer Intelligence (BIC)
SQL Injection

APPS08 / CVE-2007-3867
iPayment (IBY)
Information Disclosure

APPS09 / CVE-2007-3866
Application Object Library (FND)
SQL Injection

APPS10 / CVE-2007-3867
Human Resources (PER)
SQL Injection

See the Oracle Critical Patch Update July 2007 Advisory for exact versions
and CVSS base metric scores.

Fix: Apply the patches as directed in Oracle Metalink Note ID 432882.1.

Credit: These vulnerabilities were discovered by Stephen Kost and Jack
Kanter of Integrigy Corporation.

For more details on the impact of the July 2007 CPU on Oracle E-Business
Suite implementations, see Integrigy's analysis of the CPU at:

http://www.integrigy.com/oracle-cpu-july-2007

Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.

For more information or questions regarding these vulnerabilities or
remediation steps, please contact us at alerts@...egrigy.com.
