Oracle JD Edwards EnterpriseOne Tools Enterprise

by Carol~ Moderator - 1/16/13 12:35 PM

In Reply to: VULNERABILITIES / FIXES - January 16, 2013 by Carol~ Moderator

Oracle JD Edwards EnterpriseOne Tools Enterprise Infrastructure SEC Information Disclosure

Release Date: 2013-01-16

Criticality level: Less critical
Impact: Exposure of sensitive information
Where: From local network
Solution Status: Vendor Patch

Software:
JD Edwards EnterpriseOne Tools 24.x
JD Edwards EnterpriseOne Tools 8.x
JD Edwards EnterpriseOne Tools 9.x

Description:
A vulnerability has been reported in Oracle JD Edwards EnterpriseOne Tools, which can be exploited by malicious users to gain knowledge of certain sensitive information.

The vulnerability is caused due to an unspecified error in the Enterprise Infrastructure SEC sub-component and can be exploited via JDENET to read a subset of application accessible data.

The vulnerability is reported in versions 8.98, 9.1, and 24.

Solution:
Apply updates.

Provided and/or discovered by:
It is currently unclear who reported this vulnerability as the Oracle Critical Patch Update for January 2013 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Original Advisory:
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixJDE

http://secunia.com/advisories/51890/