Some vulnerabilities and a security issue have been reported in various Oracle products. Some have unknown impacts, others can be exploited by malicious people to cause a DoS (Denial of Service), conduct spoofing and cross-site scripting and SQL injection attacks, disclose sensitive information, or compromise a vulnerable system, and by malicious users to conduct SQL injection attacks or potentially compromise a vulnerable system.

1) Multiple vulnerabilities in JRockit can be exploited by malicious people to cause a DoS (Denial of Service) or compromise a user's system.

For more information:
SA34451

2) A vulnerability in Oracle Complex Event Processing can be exploited to disclose sensitive information.

For more information see vulnerability #1 in:
SA34975

3) An error exists within the processing of certain XML Signature documents within Oracle WebLogic Server (Web Services Component) and Oracle Secure Development Toolkit/Oracle Web Services Manager.

For more information, see security issue #4 in:
SA34461

4) Input passed via the "search_p_groups" parameter to "/search/query/search" in Oracle Secure Enterprise Search is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

5) Input passed via the "searchQuery" parameter to "/consolehelp/console-help.portal" in Oracle WebLogic Server is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

6) An error in Oracle Database Server when handling "TTC" data types can be exploited to corrupt memory.

7) An error in Oracle Database Server when handling multiple NSPTCN packets can be exploited to cause a crash.

8) An error in Oracle Database Server when processing TTIPFN packets can be exploited to trigger a high CPU consumption.

9) An error when processing a large number of TNS commands can be exploited to crash the listener process.

10) Input passed to the "Type", "snapshot", and "table" parameters in /em/console/ecm/history/configHistory, and to the "fConfigGuid" parameter in /em/console/ecm/config/compare/compareWizSecondConfig is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code via the Oracle Enterprise Manager web interface.

Successful exploitation of this vulnerability requires valid user credentials.

11) Input via unspecified parameters to the administration server of Oracle Secure Backup is not properly sanitised before being used to invoke commands. This can be exploited to inject and execute arbitrary commands with SYSTEM privileges via specially crafted requests.

Successful exploitation of this vulnerability requires authentication.

12) Input passed via the "username" parameter to login.php in the administration server of Oracle Secure Backup is not properly sanitised before being used in an SQL query. This can be exploited to manipulate the SQL query and log in with administrative privileges.

13) An error in the "REPCAT_RPC.VALIDATE_REMOTE_RC" function can be exploited to execute arbitrary PL/SQL code.

Successful exploitation requires that an additional PL/SQL injection vulnerability is successfully exploited.

14) A boundary error in Oracle Database can be exploited to cause a buffer overflow and potentially execute arbitrary code.

For more information see vulnerability #11 in:
SA34693

The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available.

The vulnerabilities are reported in the following products and versions:
* Oracle Database 11g, version 11.1.0.6, 11.1.0.7
* Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.3.0, 10.1.3.4.0
* Oracle Identity Management 10g, version 10.1.4.0.1, 10.1.4.2.0, 10.1.4.3.0
* Oracle E-Business Suite Release 12, version 12.1
* Oracle E-Business Suite Release 12, version 12.0.6
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* Oracle Enterprise Manager Database Control 11, version 11.1.0.6, 11.1.0.7
* Oracle Enterprise Manager Grid Control 10g Release 4, version 10.2.0.4
* PeopleSoft Enterprise PeopleTools versions: 8.49
* PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
* Siebel Highly Interactive Client versions: 7.5.3, 7.7.2, 7.8, 8.0, 8.1
* Oracle WebLogic Server 10.3, 10.0MP1
* Oracle WebLogic Server 9.0 GA, 9.1 GA, 9.2 through 9.2 MP3
* Oracle WebLogic Server 8.1 through 8.1 SP6
* Oracle WebLogic Server 7.0 through 7.0 SP7
* Oracle Complex Event Processing 10.3 and WebLogic Event Server 2.0
* Oracle JRockit R27.6.3 and earlier (JDK/JRE 6, 5, 1.4.2)
* Oracle Secure Backup prior to version 10.2.0.3
* Oracle Secure Enterprise Search prior to version 10.1.8.3

Solution
Apply patches (please see the vendor's advisory).

Provided and/or discovered by
4, 5) Alexandr Polyakov of Digital Security
6-9) Dennis Yurichev
10, 14) Esteban Martinez Fayo of Application Security, Inc.
11, 12) Anonymous, reported via ZDI
13) David Litchfield of NGS Software

The vendor also credits:
* Kowsik Guruswamy of Mu Security
* Joxean Koret
* Alexander Kornbrust of Red Database Security
* Oleg P. of HSC Security Portal
* noderat ratty

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Digital Security:
http://dsecrg.com/pages/vul/show.php?id=125
http://dsecrg.com/pages/vul/show.php?id=131

Dennis Yurichev:
http://blogs.conus.info/node/23
http://blogs.conus.info/node/24
http://blogs.conus.info/node/25
http://blogs.conus.info/node/26

Esteban Martinez Fayo:
http://www.appsecinc.com/resources/alerts/oracle/2009-04.shtml
http://www.appsecinc.com/resources/alerts/oracle/2009-05.shtml

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-058/
http://www.zerodayinitiative.com/advisories/ZDI-09-059/

David Litchfield:
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0354.html

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers