Status Tracking Note JVNTR-2009-11

Oracle Updates for Multiple Vulnerabilities - April 2009 (TA09-105A)

Overview

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Event Information

Date (UTC) / Description

2009-04-15 19:42 US-CERT
  TA09-105A: Oracle Updates for Multiple Vulnerabilities
  Via US-CERT Mailing List

2009-04-15 13:03 US-CERT
  Oracle Releases Critical Patch Update for April 2009
  US-CERT Current Activity
  Oracle has released their Critical Patch Update for April 2009 to address 43 vulnerabilities across several products.

2009-04-14 22:40 Oracle
  Oracle Critical Patch Update Advisory - January 2009

2009-04-14 21:38 SANS Internet Storm Center
  Oracle quarterly patches
  Oracle also released their quarterly load of patches today.

2007-11-07 Zero Day Initiative (ZDI)
  ZDI-09-017: Oracle Applications Server 10g Format String Vulnerability
  Vulnerability Reported
  The specific flaw exists within the Oracle Process Manager and Notification (opmn) daemon which is an HTTP daemon listening on a TCP port above 6000. The daemon fails to properly handle format string tokens in the POST URI when logging to the file $ORACLE_HOME/opmn/logs/opmn.log. Exploitation of this issue can result in arbitrary code execution.

Reference

Date first published (UTC): 2009-04-18T08:02+00:00
Date last updated (UTC): 2009-04-18T08:02+00:00