Ad: Manage updates with the Download App
ie8 fix

Spyware, viruses, & security forum: VULNERABILITIES / FIXES - April 18, 2012

by: Carol~ April 18, 2012 8:47 AM PDT

Like this

0 people like this thread

Staff pick

VULNERABILITIES / FIXES - April 18, 2012

by Carol~ Moderator - 4/18/12 8:47 AM

Apache HTTP Server LD_LIBRARY_PATH Security Issue

Release Date : 2012-04-18

Criticality level : Not critical
Impact : Privilege escalation
Where : Local system
Solution Status : Vendor Patch

Software: Apache 2.4.x

Description:
A security issue has been reported in Apache HTTP Server, which can be exploited by malicious, local users to gain escalated privileges.

The security issue is caused due to the application incorrectly setting the environment variable LD_LIBRARY_PATH. This can be exploited to gain escalated privileges by e.g. tricking a user into running certain scripts in a directory containing a malicious library.

The security issue is reported in versions prior to 2.4.2.

Solution:
Update to version 2.4.2.

Provided and/or discovered by:
Reported by the vendor.

Original Advisory:
http://www.apache.org/dist/httpd/CHANGES_2.4.2

http://secunia.com/advisories/48849/


Reply
Report offensive post
Email to friend

Oracle PeopleSoft Human Capital Management Human Resources

by Carol~ Moderator - 4/18/12 8:52 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle PeopleSoft Human Capital Management Human Resources Unspecified Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: Oracle PeopleSoft Human Capital Management (HCM) 9.x

Description:
A vulnerability has been reported in Oracle PeopleSoft Human Capital Management, which can be exploited by malicious users to disclose potentially sensitive information.

The vulnerability is caused due to an unspecified error in the Human Resources component and can be exploited to read certain PeopleSoft Enterprise HCM accessible data.

The vulnerability is reported in version 9.1 Bundle #9.

Solution:
Apply update (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPS

http://secunia.com/advisories/48877/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Outside In Technology Outside In Image Export SDK

by Carol~ Moderator - 4/18/12 8:52 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle Outside In Technology Outside In Image Export SDK Multiple Vulnerabilities

Release Date : 2012-04-18

Criticality level : Highly critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Software: Oracle Outside In Technology 8.x

Description:
Multiple vulnerabilities have been reported in Oracle Outside In Technology, which can be exploited by malicious people to compromise a user's system.

1) An error within the Outside In Image Export SDK component can be exploited to execute arbitrary code.

2) Another error within the Outside In Image Export SDK component can be exploited to execute arbitrary code.

3) Another error within the Outside In Image Export SDK component can be exploited to execute arbitrary code.

4) Another error within the Outside In Image Export SDK component can be exploited to execute arbitrary code.

The vulnerabilities are reported in versions 8.3.5 and 8.3.7.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixFMW

http://secunia.com/advisories/48867/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Identity Manager User Config Management Unspecified

by Carol~ Moderator - 4/18/12 8:52 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle Identity Manager User Config Management Unspecified Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: Oracle Identity Manager 11g

Description:
A vulnerability has been reported in Oracle Identity Manager, which can be exploited by malicious users to disclose potentially sensitive information and manipulate certain data.

The vulnerability is caused due to an unspecified error in the User Config Management component and can be exploited to read, update, insert, or delete Identity Manager accessible data.

The vulnerability is reported in version 11.1.1.3 and 11.1.1.5.

Solution:
Apply update (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixFMW

http://secunia.com/advisories/48861/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle WebCenter Forms Recognition Designer Two

by Carol~ Moderator - 4/18/12 8:53 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle WebCenter Forms Recognition Designer Two Vulnerabilities

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
DoS
Where : From remote
Solution Status : Vendor Patch

Software: Oracle WebCenter Forms Recognition 10.x

Description:
Two vulnerabilities have been reported in Oracle WebCenter Forms Recognition, which can be exploited by malicious people to disclose potentially sensitive information, manipulate certain data, and cause a DoS (Denial of Service).

1) An unspecified error exists within the Designer component. No further information is currently available.

2) Another unspecified error exists within the Designer component. No further information is currently available.

The vulnerabilities are reported in version 10.1.3.5.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixFMW

http://secunia.com/advisories/48869/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle E-Business Suite Multiple Vulnerabilities

by Carol~ Moderator - 4/18/12 8:53 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle E-Business Suite 12.x

Description:
Multiple vulnerabilities have been reported in Oracle E-Business Suite, which can be exploited by malicious people to disclose potentially sensitive information and manipulate certain data.

1) An unspecified error within the HTML pages subcomponent of the Oracle Application Object Library can be exploited to disclose and manipulate certain library data.

2) An unspecified error within the Change Password Page subcomponent of the Oracle Application Object Library can be exploited to disclose certain library data.

3) An unspecified error within the REST Services subcomponent of the Oracle Application Object Library can be exploited to manipulate certain library data.

4) An unspecified error within the Runtime Catalog subcomponent of the Oracle iStore component can be exploited to manipulate certain iStore data.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixEBS

http://secunia.com/advisories/48871/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Primavera P6 Enterprise Project Portfolio Management

by Carol~ Moderator - 4/18/12 8:53 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle Primavera P6 Enterprise Project Portfolio Management Unspecified Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Oracle Primavera P6 Enterprise Project Portfolio Management 6.x
Oracle Primavera P6 Enterprise Project Portfolio Management 8.x

Description:
A vulnerability has been reported in Oracle Primavera P6 Enterprise Project Portfolio Management, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an unspecified error in the Web application component and can be exploited to manipulate certain application data.

The vulnerability is reported in versions 6.2.1, 8.0, 8.1, and 8.2.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPVA

http://secunia.com/advisories/48888/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle MySQL Server Multiple Vulnerabilities

by Carol~ Moderator - 4/18/12 8:57 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Software: MySQL 5.x

Description:
Multiple vulnerabilities have been reported in Oracle MySQL Server, which can be exploited by malicious users to cause a DoS (Denial of Service).

1) An unspecified error in the Server Optimizer component can be exploited to cause a crash.

2) An unspecified error in the MyISAM component can be exploited to cause a crash.

3) An unspecified error in the Partition component can be exploited to cause a crash.

4) An unspecified error in the Server DML component can be exploited to cause a crash.

5) An unspecified error in the Server Optimizer component can be exploited to cause a crash.

6) An unspecified error in the Server Optimizer component can be exploited to cause a crash.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixMSQL

http://secunia.com/advisories/48890/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle E-Business Suite iStore Component Data Manipulation

by Carol~ Moderator - 4/18/12 8:57 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle E-Business Suite iStore Component Data Manipulation Vulnerability

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Where : From remote
Solution Status : Vendor Patch

Software: Oracle E-Business Suite 11i

Description:
A vulnerability has been reported in Oracle E-Business Suite, which can be exploited by malicious people to manipulate certain data.

The vulnerability is reported in version 11.5.10.2.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixEBS

http://secunia.com/advisories/48892/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle BI Publisher Administration Unspecified Vulnerability

by Carol~ Moderator - 4/18/12 8:57 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Oracle BI Publisher 10.x

Description:
A vulnerability has been reported in Oracle BI Publisher, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an unspecified error in the Administration component and can be exploited to update, insert, or delete certain BI Publisher accessible data.

The vulnerability is reported in versions 10.1.3.4.1 and 10.1.3.4.2.

Solution:
Apply update (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixFMW

http://secunia.com/advisories/48857/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle JDeveloper Java Business Objects Unspecified

by Carol~ Moderator - 4/18/12 8:57 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle JDeveloper Java Business Objects Unspecified Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Oracle Developer Suite 10g
Oracle JDeveloper 10g

Description:
A vulnerability has been reported in Oracle JDeveloper, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an unspecified error in the Java Business Objects component and can be exploited to update, insert, or delete certain Oracle JDeveloper accessible data.

The vulnerability is reported in version 10.1.3.5.

Solution:
Apply update (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixFMW

http://secunia.com/advisories/48863/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle PeopleSoft Enterprise CRM Unspecified Vulnerability

by Carol~ Moderator - 4/18/12 8:58 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Oracle PeopleSoft Enterprise Customer Relationship Management (CRM) 9.x

Description:
A vulnerability has been reported in Oracle PeopleSoft Enterprise CRM, which can be exploited by malicious people to manipulate certain data.

The vulnerability is caused due to an unspecified error within the SEC component. No further information is currently available.

The vulnerability is reported in version 9.1.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPS

http://secunia.com/advisories/48876/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Identity Manager Connector for Database User

by Carol~ Moderator - 4/18/12 8:58 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle Identity Manager Connector for Database User Management Unspecified Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Oracle Identity Manager Connector for Database User Management 9.x

Description:
A vulnerability has been reported in Oracle Identity Manager Connector for Database User Management, which can be exploited by malicious users to manipulate certain data.

The vulnerability is caused due to an unspecified error in the Database User component and can be exploited to update, insert, or delete Identity Manager Connector accessible data.

The vulnerability is reported in version 9.1.0.4.

Solution:
Apply update (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPS:

http://secunia.com/advisories/48858/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle PeopleSoft Enterprise PeopleTools Multiple

by Carol~ Moderator - 4/18/12 9:03 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle PeopleSoft Enterprise PeopleTools Multiple Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Privilege escalation
System access
Manipulation of data
Exposure of sensitive information
Where : From local network
Solution Status : Vendor Patch

Software: Oracle PeopleSoft PeopleTools 8.x

Description:
Multiple vulnerabilities have been reported in Oracle PeopleSoft Enterprise PeopleTools, which can be exploited by malicious, local users to gain escalated privileges, by malicious users to disclose potentially sensitive information, manipulate certain data, and compromise a vulnerable system, and by malicious people to manipulate certain data.

1) An unspecified error in the Query component can be exploited by authenticated users to potentially execute arbitrary code.

2) An unspecified error in the Search component can be exploited by authenticated users to disclose and manipulate all PeopleTools accessible data.

3) An unspecified error in the Portal component can be exploited to manipulate certain PeopleTools accessible data.

4) An unspecified error in the PIA Core Technology component can be exploited by authenticated users to manipulate certain PeopleTools accessible data.

5) An unspecified error in the core component can be exploited by authenticated users to manipulate certain PeopleTools accessible data.

6) An unspecified error in the File Processing component can be exploited by local users to escalate their privileges.

The vulnerabilities are reported in versions 8.50, 8.51, and 8.52.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPS

http://secunia.com/advisories/48882/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle PeopleSoft Enterprise Portal Unspecified

by Carol~ Moderator - 4/18/12 9:03 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle PeopleSoft Enterprise Portal Unspecified Vulnerability

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Where : From local network
Solution Status : Vendor Patch

Software: Oracle PeopleSoft Enterprise Applications Portal 9.x

Description:
A vulnerability has been reported in Oracle PeopleSoft Enterprise Portal, which can be exploited by malicious users to manipulate certain data.

The vulnerability is caused due to an unspecified error within the Enterprise Portal component. No further information is currently available.

The vulnerability is reported in version 9.1.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPS

http://secunia.com/advisories/48883/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Enterprise Manager Grid Control Multiple

by Carol~ Moderator - 4/18/12 9:03 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle Enterprise Manager Grid Control Multiple Vulnerabilities

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle Enterprise Manager 10.x
Oracle Enterprise Manager 11.x

Description:
Multiple vulnerabilities have been reported in Oracle Enterprise Manager Grid Control, which can be exploited by malicious users and malicious people to disclose potentially sensitive information and manipulate certain data.

1) An unspecified error within the Security Framework subcomponent of the Enterprise Manager Base Platform component can be exploited to disclose and manipulate certain Base Platform accessible data.

2) An unspecified error within the Enterprise Config Management subcomponent of the Enterprise Manager Base Platform component can be exploited by authenticated users to disclose and manipulate all Base Platform accessible data.

3) An unspecified error within the Enterprise Config Management subcomponent of the Enterprise Manager Base Platform component can be exploited by authenticated users to disclose and manipulate all Base Platform accessible data.

4) An unspecified error within the Schema Management subcomponent of the Enterprise Manager Base Platform component can be exploited to manipulate certain Base Platform accessible data.

5) An unspecified error within the Schema Management subcomponent of the Enterprise Manager Base Platform component can be exploited to manipulate certain Base Platform accessible data.

6) An unspecified error within the Security Framework subcomponent of the Enterprise Manager Base Platform component can be exploited to manipulate certain Base Platform accessible data.

Please see the vendor's advisory for a list of affected versions.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixEM

http://secunia.com/advisories/48870/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle JRockit Multiple Vulnerabilities

by Carol~ Moderator - 4/18/12 9:03 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Highly critical
Impact : Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Software: Oracle JRockit

Description:
Oracle has acknowledged multiple vulnerabilities in Oracle JRockit, which can be exploited by malicious people to disclose potentially sensitive information, cause a DoS (Denial of Service), and compromise a vulnerable system.

The vulnerabilities are reported in versions R27.7.1 and prior and R28.2.2 and prior.

Solution:
Apply updates (please see the vendor's advisory for details).

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixFMW

http://secunia.com/advisories/48864/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Database Multiple Vulnerabilities

by Carol~ Moderator - 4/18/12 9:04 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
DoS
System access
Where : From remote
Solution Status : Vendor Patch

Software: Oracle Database 10.x
Oracle Database 11.x

Description:
Multiple vulnerabilities have been reported in Oracle Database, which can be exploited by malicious users to compromise a vulnerable system, by malicious users and malicious people to disclose potentially sensitive information and manipulate certain data, and by malicious people to cause a DoS (Denial of Service).

1) An error in the Oracle Spatial component can be exploited by authenticated users to execute arbitrary code.

Successful exploitation of this vulnerability requires Create session, create index, alter index, and create table privileges.

2) An error in the Core RDBMS component can be exploited by authenticated users to execute arbitrary code.

Successful exploitation of this vulnerability requires create library and create procedure privileges.

3) Another error in the Core RDBMS component can be exploited to manipulate certain Core RDBMS accessible data and cause a DoS.

4) An error in the OCI component can be exploited to disclose or manipulate certain data.

5) Some errors exist within Enterprise Manager Grid Control.

6) An error in the Application Express component can be exploited to manipulate certain data.

7) An error within the RDBMS Core component can be exploited by authenticated users to manipulate certain data.

Successful exploitation of this vulnerability requires Create Session privileges.

The vulnerabilities are reported in the following products and versions:
* Oracle Database 11g Release 2 versions 11.2.0.2 and 11.2.0.3
* Oracle Database 11g Release 1 version 11.1.0.7
* Oracle Database 10g Release 2 versions 10.2.0.3, 10.2.0.4, and 10.2.0.5

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixDB

http://secunia.com/advisories/48855/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

HP Onboard Administrator Denial of Service Vulnerability

by Carol~ Moderator - 4/18/12 9:04 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : DoS
Where : From local network
Solution Status : Vendor Patch

Operating System: HP Onboard Administrator 3.x

Description:
HP has acknowledged a vulnerability in HP Onboard Administrator, which can be exploited by malicious people to cause a DoS (Denial of Service).

The vulnerability is reported in versions 3.50 and prior.

Solution:
Update to version 3.55.

Original Advisory:
HPSBMU02766 SSRT100624:
http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c03285138

http://secunia.com/advisories/48830/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Grid Engine Two Vulnerabilities

by Carol~ Moderator - 4/18/12 9:05 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Privilege escalation
System access
Where : From local network
Solution Status : Vendor Patch

Software: Oracle Grid Engine 6.x

Description:
Two vulnerabilities have been reported in Oracle Grid Engine, which can be exploited by malicious, local users to gain escalated privileges and by malicious users to compromise a vulnerable system.

1) An unspecified error within the qrsh component can be exploited by authenticated users to execute arbitrary code.

2) An unspecified error within the sgepasswd component can be exploited by local users to gain escalated privileges.

The vulnerabilities are reported in versions 6.1 and 6.2.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS

http://secunia.com/advisories/48826/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle GlassFish Enterprise Server Unspecified

by Carol~ Moderator - 4/18/12 9:05 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle GlassFish Enterprise Server Unspecified Vulnerabilities

Release Date : 2012-04-18

Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle GlassFish Server 3.x

Description:
Two vulnerabilities have been reported in Oracle GlassFish Enterprise Server, which can be exploited by malicious people to disclose sensitive information and manipulate certain data.

1) An unspecified error in the Web Container sub-component can be exploited to disclose and manipulate certain data and cause a DoS via specially crafted HTTP requests.

2) An unspecified error in the Web Container sub-component can be exploited to disclose and manipulate certain data via specially crafted HTTP requests.

The vulnerabilities are reported in version 3.1.1.

Solution:
Apply patch (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
https://blogs.oracle.com/security/entry/april_2012_critical_patch_update
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS

http://secunia.com/advisories/48798/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Gentoo update for freetype

by Carol~ Moderator - 4/18/12 9:39 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Highly critical
Impact : System access
DoS
Where : From remote
Solution Status : Vendor Patch

Operating System: Gentoo Linux

Description:
Gentoo has issued an update for freetype. This fixes multiple vulnerabilities, which can be exploited by malicious people to potentially compromise an application using the library.

Solution:
Update to "media-libs/freetype-2.4.9" or later.

Original Advisory:
GLSA 201204-04:
http://security.gentoo.org/glsa/glsa-201204-04.xml

http://secunia.com/advisories/48822/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Gentoo update for polkit

by Carol~ Moderator - 4/18/12 9:39 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Exposure of system information
Privilege escalation
Where : Local system
Solution Status : Vendor Patch

Operating System: Gentoo Linux

Description:
Gentoo has issued an update for polkit. This fixes a weakness and a security issue, which can be exploited by malicious, local users to disclose certain system information and gain escalated privileges.

Solution:
Update to "sys-auth/polkit-0.104-r1" or later.

Original Advisory:
GLSA 201204-06:
http://security.gentoo.org/glsa/glsa-201204-06.xml

http://secunia.com/advisories/48817/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle Solaris Multiple Vulnerabilities

by Carol~ Moderator - 4/18/12 9:39 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Exposure of sensitive information
Privilege escalation
Where : From remote
Solution Status : Vendor Patch

Operating System: Oracle Solaris 11.x
Sun Solaris 10.x
Sun Solaris 8.x
Sun Solaris 9.x

Description:
Multiple vulnerabilities have been reported in Oracle Solaris, which can be exploited by malicious, local users to cause a DoS (Denial of Service) and gain escalated privileges and by malicious people to disclose potentially sensitive information and manipulate certain data.

1) An unspecified error in the bsmconv and bsmunconv components can be exploited by local users to gain escalated privileges.

2) An unspecified error in the Kernel/sockfs component can be exploited by local users to cause a crash.

3) An unspecified error in the gssd component can be exploited by local users to gain escalated privileges.

4) An unspecified error in the Password Policy component can be exploited by local users to gain escalated privileges.

5) An unspecified error in the Kernel/Privileges component can be exploited by local users to gain escalated privileges.

6) An unspecified error in the SCTP component can be exploited by local users to cause a crash.

7) An unspecified error in the libsasl component can be exploited to read, update, insert, or delete certain Solaris accessible data.

8) An unspecified error in the Kernel/GLD component can be exploited by authenticated users to read certain Solaris accessible data.

The vulnerabilities are reported in versions 8, 9, 10, and 11.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS

http://secunia.com/advisories/48809/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Gentoo update for DBD-Pg

by Carol~ Moderator - 4/18/12 9:39 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Gentoo Linux

Description:
Gentoo has issued an update for DBD-Pg. This fixes two vulnerabilities, which can be exploited by malicious people to compromise an application using the module.

Solution:
Update to "dev-perl/DBD-Pg-2.19.0" or later.

Original Advisory:
GLSA 201204-08:
http://security.gentoo.org/glsa/glsa-201204-08.xml

http://secunia.com/advisories/48824/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

PARC Enterprise M Series XSCF Control Package

by Carol~ Moderator - 4/18/12 9:40 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

PARC Enterprise M Series XSCF Control Package Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Exposure of sensitive information
DoS
Where : From local network
Solution Status : Vendor Patch

Operating System: Sun SPARC Enterprise Server M Series

Description:
Two vulnerabilities have been reported in SPARC Enterprise M Series, which can be exploited by malicious, local users to disclose sensitive information and by malicious people to cause a DoS (Denial of Service).

1) An unspecified error in the XSCF Control Package (XCP) component can be exploited to cause a crash via specially crafted SSH requests.

2) An unspecified error in the XSCF Control Package (XCP) component can be exploited by local users to gain access to a subset of SPARC Enterprise M Series Servers accessible data.

The vulnerabilities are reported in SPARC Enterprise M Series Servers running XCP 1110 and prior.

Solution:
Apply patches (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixSUNS

http://secunia.com/advisories/48837/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle FLEXCUBE Direct Banking Unspecified Vulnerabilities

by Carol~ Moderator - 4/18/12 9:44 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle FLEXCUBE Direct Banking 5.x
Oracle FLEXCUBE Direct Banking 6.x

Description:
Multiple vulnerabilities have been reported in Oracle FLEXCUBE Direct Banking, which can be exploited by malicious users to disclose sensitive information and manipulate certain data.

1) An unspecified error in the Core-Base sub-component can be exploited to manipulate certain data via specially crafted HTTP requests.

This vulnerability is only reported in versions 5.0.2 and 5.3.0 through 5.3.4.

2) An unspecified error in the Core-My Services sub-component can be exploited to disclose certain application data via specially crafted HTTP requests.

3) An unspecified error in the Core-Help sub-component can be exploited to manipulate certain data via specially crafted HTTP requests.

This vulnerability is only reported in versions 6.0.1 and 6.2.0.

4) An unspecified error in the Virtual Banking sub-component can be exploited to disclose certain application data via specially crafted HTTP requests.

5) An unspecified error in the Core-Base sub-component can be exploited to manipulate certain data via specially crafted HTTP requests.

6) Some unspecified errors in the Core-Base sub-component can be exploited to disclose certain application data via specially crafted HTTP requests.

7) An unspecified error in the Logging sub-component can be exploited to manipulate certain data.

The vulnerabilities are reported in versions 5.0.2, 5.3.0 through 5.3.4, 6.0.1, and 6.2.0.

Solution:
Apply patch (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
https://blogs.oracle.com/security/entry/april_2012_critical_patch_update
http://www.oracle.com/technetwork/topics/security/cpuapr2012verbose-366316.html#Oracle%20Financial%20Services%20Software

http://secunia.com/advisories/48886/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Gentoo update for adobe-flash

by Carol~ Moderator - 4/18/12 9:44 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Highly critical
Impact : Security Bypass
Cross Site Scripting
Exposure of sensitive information
System access
Where : From remote
Solution Status : Vendor Patch

Operating System: Gentoo Linux

Description:
Gentoo has issued an update for adobe-flash. This fixes multiple vulnerabilities, which can be exploited by malicious people to conduct cross-site scripting attacks, gain knowledge of potentially sensitive information, bypass certain security restrictions, and compromise a user's system.

Solution:
Update to "www-plugins/adobe-flash-11.2.202.228" or later.

Original Advisory:
GLSA 201204-07:
http://security.gentoo.org/glsa/glsa-201204-07.xml

http://secunia.com/advisories/48819/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle PeopleSoft Enterprise FCSM Unspecified Vulnerability

by Carol~ Moderator - 4/18/12 9:44 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle PeopleSoft Enterprise Financials and Supply Chain Management (FSCM) 9.x

Description:
A vulnerability has been reported in Oracle PeopleSoft Enterprise FCSM, which can be exploited by malicious users to disclose potentially sensitive information.

The vulnerability is caused due to an unspecified error in the Receivables component and can be exploited to read certain PeopleSoft Enterprise FCSM accessible data.

The vulnerability is reported in versions 9.0 and 9.1.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html#AppendixPS

http://secunia.com/advisories/48880/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Oracle PeopleSoft Enterprise Human Resource Management

by Carol~ Moderator - 4/18/12 9:44 AM

In Reply to: VULNERABILITIES / FIXES - April 18, 2012 by Carol~ Moderator

Oracle PeopleSoft Enterprise Human Resource Management System (HRMS) Unspecified Vulnerabilities

Release Date : 2012-04-18

Criticality level : Less critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch

Software: Oracle PeopleSoft Enterprise Human Resource Management System (HRMS) 8.x
Oracle PeopleSoft Enterprise Human Resource Management System (HRMS) 9.x

Description:
Multiple vulnerabilities have been reported in Oracle PeopleSoft Enterprise Human Resource Management System, which can be exploited by malicious users to disclose sensitive information and manipulate certain data.

1) An unspecified error in the eCompensation Manager Desktop sub-component can be exploited to disclose and manipulate certain data via specially crafted HTTP requests.

This vulnerability is reported in version 9.0.

2) An unspecified error in the eCompensation sub-component can be exploited to disclose certain data via specially crafted HTTP requests.

This vulnerability is reported in version 8.9 through Bundle #26.

3) An unspecified error in the Candidate Gateway sub-component can be exploited to disclose certain data via specially crafted HTTP requests.

This vulnerability is reported in version 9.1.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpuapr2012-366314.html

http://secunia.com/advisories/48878/


Was this reply helpful? (0)   (0)

Staff pick

Reply
Report offensive post
Email to friend

Forum Icon Legend

  • UnreadUnread
  • ReadRead
  • Locked threadLocked thread
  •   
  •   
  •   
  •   
  •   
  •   
  •   
  • ModeratorModerator
  • CNET StaffCNET Staff
  • Samsung StaffSamsung Staff
  • Norton Authorized Support TeamNorton Authorized Support Team
  • AVG StaffAVG Staff
  • avast! Staffavast! Staff
  • Webroot Support TeamWebroot Support Team
  • Acer Customer Experience TeamAcer Customer Experience Team
  • Windows Outreach TeamWindows Outreach Team
  • DISH staffDISH staff
  • Dell StaffDell Staff
  • Intel StaffIntel Staff
  • QuestionQuestion
  • Resolved questionResolved question
  • General discussionGeneral discussion
  • TipTip
  • Alert or warningAlert or warning
  • PraisePraise
  • RantRant

You are e-mailing the following post: Post Subject

Your e-mail address is used only to let the recipient know who sent the e-mail and in case of transmission error. Neither your address nor the recipient's address will be used for any other purpose.

Sorry, there was a problem emailing this post. Please try again.

Submit Email Cancel

Thank you. Sent email to

Close

Thank you. Sent email to

Close

You are reporting the following post: Post Subject

If you believe this post is offensive or violates the CNET Forums' Usage policies, you can report it below (this will not automatically remove the post). Once reported, our moderators will be notified and the post will be reviewed.

Offensive: Sexually explicit or offensive language

Spam: Advertisements or commercial links

Disruptive posting: Flaming or offending other users

Illegal activities: Promote cracked software, or other illegal content

Sorry, there was a problem submitting your post. Please try again.

Submit Report Cancel

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

Your message has been submitted and will be reviewed by our staff. Thank you for helping us maintain CNET's great community.

Close

You are posting a reply to: Post Subject

The posting of advertisements, profanity, or personal attacks is prohibited. Please refer to the CNET Forums policies for details. All submitted content is subject to CBS Interactive Site Terms of Use.

You are currently tracking this discussion. Click here to manage your tracked discussions.

If you're asking for technical help, please be sure to include all your system info, including operating system, model number, and any other specifics related to the problem. Also please exercise your best judgment when posting in the forums--revealing personal information such as your e-mail address, telephone number, and address is not recommended.

Sorry, there was a problem submitting your post. Please try again.

Sorry, there was a problem generating the preview. Please try again.

Duplicate posts are not allowed in the forums. Please edit your post and submit again.

Submit Reply Preview Cancel

Thank you, , your post has been submitted.

> Click here to view your post. > Manage your tracked discussions. > Track this discussion. Close

Thank you, , your post has been submitted and will appear on our site shortly.

Close