Oracle Siebel CRM Multiple Vulnerabilities

by Carol~ Moderator - 1/16/13 12:34 PM

In Reply to: VULNERABILITIES / FIXES - January 16, 2013 by Carol~ Moderator

Release Date: 2013-01-16

Criticality level: Less critical
Impact: Manipulation of data, DoS, Exposure of sensitive information
Where: From local network
Solution Status: Vendor Patch

Software: Oracle Siebel CRM 8.x

Description:
Multiple vulnerabilities have been reported in Oracle Siebel CRM, which can be exploited by malicious users to disclose certain sensitive information and cause a DoS (Denial of Service) and by malicious people to disclose certain sensitive information, manipulate certain data, and cause a DoS (Denial of Service).

1) An error within the Highly Interactive Web UI component can be exploited to read certain Siebel CRM accessible data.

2) An error within the Siebel Core - Server Infrastructure component can be exploited to cause a partial hang or crash.

3) Another error within the Siebel Core - Server Infrastructure component can be exploited to cause a partial hang or crash.

4) An error within the Siebel Calendar component can be exploited to update, insert, or delete certain Siebel CRM accessible data.

5) Another error within the Siebel Calendar component can be exploited to update, insert, or delete certain Siebel CRM accessible data.

6) An error within the Security component can be exploited by authenticated users to read certain Siebel CRM accessible data.

7) An error within the Siebel Apps - Multi-channel Technologies component can be exploited by authenticated users to read certain Siebel CRM accessible data.

8) An error within the Siebel Apps - Multi-channel Technologies component can be exploited by authenticated users to cause a partial hang or crash.

9) An error within the Siebel Core - Server Infrastructure component can be exploited by authenticated users to cause a partial hang or crash.

10) An error within the Siebel UI Framework component can be exploited by authenticated users to read certain Siebel CRM accessible data.

The vulnerabilities are reported in versions 8.1.1 and 8.2.2.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
It is currently unclear who reported the vulnerabilities as the Oracle Critical Patch Update for January 2013 only provides a bundled list of credits. This section will be updated when/if the original reporters provide more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixSECR

http://secunia.com/advisories/51891/