
Oracle Critical Patch Update October 2012 Review

Oracle has released its Critical Patch Update (CPU) for October 2012 on Tuesday, October 16. This CPU contains 109 security vulnerability fixes across 11 Oracle products. Of the 109 security vulnerabilities, 32 may be remotely exploitable without authentication, which represents 29% of the vulnerabilities. The highest CVSS base score for vulnerabilities in this CPU is 10.0, and it concerns Oracle Database Server and Oracle Fusion Middleware. 6 vulnerabilities have a CVSS base score greater than or equal to 7.0.

As you may know, Oracle uses CVSS 2.0 (Common Vulnerability Scoring System) to score the reported vulnerabilities. But as you also may know, security researchers disagree with the way Oracle uses CVSS. Oracle plays with the CVSS score by creating a “Partial+” impact rating, which does not exist in CVSS 2.0, and by interpreting the “Complete” rating differently than it is defined in CVSS 2.0.

Oracle Database Server

5 vulnerabilities are reported for “Oracle Database Server” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. Affected component is “Core RDBMS”.

  • CVE-2012-3132, with a CVSS base score of 6.5, is related to the security alert issued in August 2012.
  • CVE-2012-3137 has an Oracle CVSS base score of 10.0 but a NIST CVSS base score of 6.4.
  • CVE-2012-1751 has a CVSS base score of 6.5.
  • CVE-2012-3151 has a CVSS base score of 3.3.
  • CVE-2012-3146 has a CVSS base score of 2.1.

Oracle Fusion Middleware

26 vulnerabilities are reported for “Oracle Fusion Middleware” and 13 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 10.0. Affected components are “Oracle JRockit”, “Oracle Reports Developer”, “Oracle Event Processing”, “Oracle WebLogic Server”, “Oracle Imaging and Process Management”, “Oracle WebCenter Sites”, “Oracle Application Server Single Sign-On”, “Oracle BI Publisher”, “Oracle Business Intelligence Enterprise Edition” and “Oracle Outside In Technology”.

  • CVE-2012-3202 has a CVSS base score of 10.0.
  • CVE-2012-3152 and CVE-2012-3153 have a CVSS base score of 6.4.
  • CVE-2011-1411 has a CVSS base score of 5.8.
  • CVE-2012-0106, CVE-2012-3183, CVE-2012-3185 and CVE-2012-3186 have a CVSS base score of 4.9.
  • CVE-2012-3175, CVE-2012-0518, CVE-2012-3194, CVE-2012-1686, CVE-2012-0071, CVE-2012-0093 and CVE-2012-3184 have a CVSS base score of 4.3.
  • CVE-2012-3193, CVE-2012-0086, CVE-2012-0090, CVE-2012-0092 and CVE-2012-0108 have a CVSS base score of 3.5.
  • CVE-2012-0095, CVE-2012-3214, CVE-2012-3217 and CVE-2012-5065 have a CVSS base score of 2.1.

Oracle E-Business Suite

9 vulnerabilities are reported for “Oracle E-Business Suite” and 6 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.4. Affected components are “Oracle Human Resources”, “Oracle Applications Technology Stack”, “Oracle iRecruitment”, “Oracle Application Object Library”, “Oracle iStore”, “Oracle Field Service”, “Oracle Marketing” and “Oracle Applications Framework”.

  • CVE-2012-3196 has a CVSS base score of 6.4.
  • CVE-2012-3171 and CVE-2012-3222 have a CVSS base score of 5.0.
  • CVE-2012-3139, CVE-2012-3138 and CVE-2012-5058 have a CVSS base score of 4.3.
  • CVE-2012-3148 and CVE-2012-3164 have a CVSS base score of 3.5.
  • CVE-2012-3162 has a CVSS base score of 1.7.

Oracle Supply Chain Products Suite

9 vulnerabilities are reported for “Oracle Supply Chain Products Suite” and 4 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “Oracle Agile PLM For Process”, “Oracle Agile PLM Framework” and “Oracle Agile Product Supplier Collaboration for Process”.

  • CVE-2012-3140 and CVE-2012-5092 have a CVSS base score of 5.5.
  • CVE-2012-5094 has a CVSS base score of 5.0.
  • CVE-2012-3161, CVE-2012-5093 and CVE-2012-5091 have a CVSS base score of 4.3.
  • CVE-2012-3154, CVE-2012-3200 and CVE-2012-5090 have a CVSS base score of 4.0.

Oracle PeopleSoft Products

9 vulnerabilities are reported for “Oracle PeopleSoft Products” and 1 of them may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. Affected components are “PeopleSoft Enterprise PeopleTools” and “PeopleSoft Enterprise Campus Solutions”.

  • CVE-2012-3182 has a CVSS base score of 4.3.
  • CVE-2012-3201, CVE-2012-3195, CVE-2012-3198 and CVE-2012-3181 have a CVSS base score of 4.0.
  • CVE-2012-3188, CVE-2012-3176 and CVE-2012-3179 have a CVSS base score of 3.5.
  • CVE-2012-3191 has a CVSS base score of 2.1.

Oracle Siebel CRM

2 vulnerabilities are reported for “Oracle Siebel CRM” and 1 of them may be remotely exploitable without authentication. The CVSS score of this vulnerability is 4.3. Affected component is “Siebel UI Framework”.

  • CVE-2012-3230 has a CVSS base score of 4.3.
  • CVE-2012-3229 has a CVSS base score of 4.0.

Oracle Industry Applications

2 vulnerabilities are reported for “Oracle Industry Applications” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 6.8. Affected components are “Oracle Central Designer” and “Oracle Clinical/Remote Data Capture”.

  • CVE-2012-5066 has a CVSS base score of 6.8.
  • CVE-2012-1763 has a CVSS base score of 4.0.

Oracle Financial Services Software

13 vulnerabilities are reported for “Oracle Financial Services Software” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 5.5. Affected components are “Oracle FLEXCUBE Universal Banking” and “Oracle FLEXCUBE Direct Banking”.

  • CVE-2012-3226 has a CVSS base score of 5.5.
  • CVE-2012-5063 has a CVSS base score of 5.0.
  • CVE-2012-3228 has a CVSS base score of 4.9.
  • CVE-2012-3141 and CVE-2012-5061 have a CVSS base score of 4.0.
  • CVE-2012-3225 has a CVSS base score of 3.6.
  • CVE-2012-3142, CVE-2012-3157, CVE-2012-3224, CVE-2012-3227 and CVE-2012-5064 have a CVSS base score of 3.5.
  • CVE-2012-3223 has a CVSS base score of 2.1.
  • CVE-2012-3145 has a CVSS base score of 1.5.

Oracle Sun Products Suite

18 vulnerabilities are reported for “Oracle Sun Products Suite” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 7.8. Affected components are “Solaris”, “Oracle GlassFish Server”, “Sun GlassFish Enterprise Server”, “Sun Java System Application Server”, “SPARC T3”, “Netra SPARC T3”, “SPARC T4” and “Netra SPARC T4”.

  • CVE-2012-3210 and CVE-2012-3189 have a CVSS base score of 7.8.
  • CVE-2012-3199, CVE-2012-0217 and CVE-2012-3204 have a CVSS base score of 7.2.
  • CVE-2012-3187 has a CVSS base score of 6.9.
  • CVE-2012-3209 has a CVSS base score of 5.6.
  • CVE-2012-3155 has a CVSS base score of 5.0.
  • CVE-2012-3207 and CVE-2012-3208 have a CVSS base score of 4.9.
  • CVE-2012-3212 has a CVSS base score of 4.7.
  • CVE-2012-3211 has a CVSS base score of 4.6.
  • CVE-2012-5095 has a CVSS base score of 4.4.
  • CVE-2012-3165 has a CVSS base score of 3.6.
  • CVE-2012-3206, CVE-2012-3203 and CVE-2012-3205 have a CVSS base score of 2.1.
  • CVE-2012-3215 has a CVSS base score of 1.7.

Oracle Virtualization

2 vulnerabilities are reported for “Oracle Virtualization” and 1 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 4.3. Affected components are “Secure Global Desktop” and “Oracle VM Virtual Box”.

  • CVE-2012-1685 has a CVSS base score of 4.3.
  • CVE-2012-3221 has a CVSS base score of 2.1.

Oracle MySQL

14 vulnerabilities are reported for “Oracle MySQL” and 2 of them may be remotely exploitable without authentication. The highest CVSS score of these vulnerabilities is 9.0. Affected component is “MySQL Server”.

  • CVE-2012-3163 has a CVSS base score of 9.0.
  • CVE-2012-3158 has a CVSS base score of 7.5.
  • CVE-2012-3177 has a CVSS base score of 6.8.
  • CVE-2012-3147 has a CVSS base score of 6.4.
  • CVE-2012-3166, CVE-2012-3173, CVE-2012-3144, CVE-2012-3150 and CVE-2012-3180 have a CVSS base score of 4.0.
  • CVE-2012-3149, CVE-2012-3156, CVE-2012-3167 and CVE-2012-3197 have a CVSS base score of 3.5.
  • CVE-2012-3160 has a CVSS base score of 2.1.

Microsoft October 2012 Patch Tuesday Review

Microsoft released, on 9 October 2012, during its October Patch Tuesday, one new security advisory, two security advisory updates and nine security bulletins. Of the seven security bulletins, one has a Critical security rating.

Microsoft Security Advisory 2661254

MSA-2661254, released during the Microsoft August 2012 Patch Tuesday, has been updated. This security advisory is a follow-up to the consequences of the Flame malware attacks. This MSA, as planned and announced, is now pushed as a security update through KB2661254.

Microsoft Security Advisory 2737111

MSA-2737111, released during the Microsoft August 2012 Patch Tuesday, has been updated. The update reflects the publication of MS12-067 for Microsoft FAST Search Server 2010 for SharePoint.

Microsoft Security Advisory 2749655

MSA-2749655 concerns an issue involving specific digital certificates that were generated by Microsoft without proper timestamp attributes. This could cause compatibility issues between affected binaries and Microsoft Windows.

MS12-064 – Vulnerabilities in Microsoft Word Could Allow Remote Code Execution

The MS12-064 security update, classified as Critical, fixes two privately reported vulnerabilities allowing remote code execution. CVE-2012-0182 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher working with TippingPoint’s Zero Day Initiative. CVE-2012-2528 has a 9.3 CVSS base score and was discovered and privately reported by an anonymous researcher working with Beyond Security’s SecuriTeam Secure Disclosure program.

Affected software is:

  • Microsoft Office 2003 Service Pack 3
  • Microsoft Office 2007 Service Pack 2 & Service Pack 3
  • Microsoft Office 2010 Service Pack 1 (32-bit and 64-bit editions)
  • Microsoft Word Viewer
  • Microsoft Office Compatibility Pack Service Pack 2 & Service Pack 3

MS12-065 – Vulnerability in Microsoft Works Could Allow Remote Code Execution

The MS12-065 security update, classified as Important, fixes one vulnerability allowing remote code execution, CVE-2012-2550. This vulnerability has a 9.3 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected software is:

  • Microsoft Works 9

MS12-066 – Vulnerability in HTML Sanitization Component Could Allow Elevation of Privilege

The MS12-066 security update, classified as Important, fixes one vulnerability allowing elevation of privilege, CVE-2012-2520. This vulnerability has a 4.3 CVSS base score and was discovered exploited in the wild by Drew Hintz of the Google Security Team.

Affected software is:

  • Microsoft InfoPath 2007 Service Pack 2 & Service Pack 3
  • Microsoft InfoPath 2010 Service Pack 1 (32-bit & 64-bit editions)
  • Microsoft Communicator 2007 R2
  • Microsoft Lync 2010 (32-bit & 64-bit)
  • Microsoft Lync 2010 Attendee
  • Microsoft SharePoint Server 2007 Service Pack 2 & Service Pack 3 (32-bit & 64-bit editions)
  • Microsoft SharePoint Server 2010 Service Pack 1
  • Microsoft Groove Server 2010 Service Pack 1
  • Microsoft Windows SharePoint Services 3.0 Service Pack 2 (32-bit & 64-bit version)
  • Microsoft SharePoint Foundation 2010 Service Pack 1
  • Microsoft Office Web Apps 2010 Service Pack 1

MS12-067 – Vulnerabilities in FAST Search Server 2010 for SharePoint Parsing Could Allow Remote Code Execution

The MS12-067 security update, classified as Important, fixes multiple vulnerabilities allowing remote code execution that were also fixed in MS12-058 during the Microsoft August 2012 Patch Tuesday.

MS12-068 – Vulnerability in Windows Kernel Could Allow Elevation of Privilege

The MS12-068 security update, classified as Important, fixes one vulnerability allowing elevation of privilege, CVE-2012-2529. This vulnerability has a 6.9 CVSS base score and was discovered and privately reported by an anonymous researcher working with VeriSign iDefense Labs.

Affected software is:

  • Windows XP Service Pack 3
  • Windows XP Professional x64 Edition Service Pack 2
  • Windows Server 2003 Service Pack 2
  • Windows Server 2003 x64 Edition Service Pack 2
  • Windows Vista Service Pack 2
  • Windows Vista x64 Edition Service Pack 2
  • Windows Server 2008 for 32-bit Systems Service Pack 2
  • Windows Server 2008 for x64-based Systems Service Pack 2
  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 for 32-bit Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 for x64-based Systems Service Pack 2 (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

MS12-069 – Vulnerability in Kerberos Could Allow Denial of Service

The MS12-069 security update, classified as Important, fixes one vulnerability allowing denial of service, CVE-2012-2551. This vulnerability has a 5.0 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected software is:

  • Windows 7 for 32-bit Systems
  • Windows 7 for 32-bit Systems Service Pack 1
  • Windows 7 for x64-based Systems
  • Windows 7 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1
  • Windows Server 2008 R2 for x64-based Systems (Server Core installation)
  • Windows Server 2008 R2 for x64-based Systems Service Pack 1 (Server Core installation)

MS12-070 – Vulnerability in SQL Server Could Allow Elevation of Privilege

The MS12-070 security update, classified as Important, fixes one vulnerability allowing elevation of privilege, CVE-2012-2552. This vulnerability has a 4.3 CVSS base score and was discovered and privately reported by an unknown security researcher.

Affected software is:

  • Microsoft SQL Server 2000 Reporting Services Service Pack 2
  • Microsoft SQL Server 2005 Express Edition with Advanced Services Service Pack 4
  • Microsoft SQL Server 2005 for 32-bit Systems Service Pack 4
  • Microsoft SQL Server 2005 for x64-based Systems Service Pack 4
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 2
  • Microsoft SQL Server 2008 for 32-bit Systems Service Pack 3
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 2
  • Microsoft SQL Server 2008 for x64-based Systems Service Pack 3
  • Microsoft SQL Server 2008 R2 for 32-bit Systems Service Pack 1
  • Microsoft SQL Server 2008 R2 for x64-based Systems Service Pack 1
  • Microsoft SQL Server 2012 for 32-bit Systems
  • Microsoft SQL Server 2012 for x64-based Systems

APSB12-22 – Adobe October 2012 Patch Tuesday Review

Adobe released, on 8 October 2012, during its October Patch Tuesday, one security bulletin dealing with 25 vulnerabilities. This security bulletin has a Critical severity rating. All of these vulnerabilities have a CVSS base score of 10.0.

APSB12-22 – Security updates available for Adobe Flash Player

APSB12-22 concerns:

  • Adobe Flash Player 11.4.402.278 and earlier versions for Windows
  • Adobe Flash Player 11.4.402.265 and earlier versions for Macintosh
  • Adobe Flash Player 11.2.202.238 and earlier versions for Linux
  • Adobe Flash Player 11.1.115.17 and earlier versions for Android 4.x
  • Adobe Flash Player 11.1.111.16 and earlier versions for Android 3.x and 2.x
  • Adobe AIR 3.4.0.2540 and earlier versions for Windows and Macintosh
  • Adobe AIR 3.4.0.2540 SDK (includes AIR for iOS) and earlier versions
  • Adobe AIR 3.4.0.2540 and earlier versions for Android

CVE-2012-5248, CVE-2012-5249, CVE-2012-5250, CVE-2012-5251, CVE-2012-5252, CVE-2012-5253, CVE-2012-5254, CVE-2012-5255, CVE-2012-5256, CVE-2012-5257, CVE-2012-5258, CVE-2012-5259, CVE-2012-5260, CVE-2012-5261, CVE-2012-5262, CVE-2012-5263, CVE-2012-5264, CVE-2012-5265, CVE-2012-5266, CVE-2012-5267, CVE-2012-5268, CVE-2012-5269, CVE-2012-5270 and CVE-2012-5271, each with a CVSS base score of 10.0, have been discovered and reported by Mateusz Jurczyk, Gynvael Coldwind, and Fermin Serna of the Google Security Team.

CVE-2012-5272 (CVSS base score of 10.0) has been discovered and reported by instruder of Code Audit Labs of vulnhunt.com.

All these vulnerabilities have, at this moment, unknown CVSS 2.0 base scores, but could lead to code execution.

I advise you to update your Adobe Flash Player as soon as possible.

VMware Security Advisory VMSA-2012-0014 Review

VMware released, on 4 October 2012, one security advisory, VMSA-2012-0014, concerning VMware vCenter Operations, vCenter CapacityIQ and Movie Decoder.

VMware Movie Decoder Installer binary planting vulnerability

VMware Movie Decoder is affected by one vulnerability, CVE-2012-4897, with a 6.9 CVSS base score. The vulnerability was discovered and reported by Mitja Kolsek of ACROS Security. Movie Decoder versions prior to 9.0 are affected.

vCenter Operations cross-site scripting vulnerability

vCenter Operations is affected by an XSS vulnerability, CVE-2012-5050, with a 4.3 CVSS base score. The vulnerability was discovered and reported by Alexander Minozhenko of ERPScan. vCOps versions prior to 5.0.x are affected.

vCenter CapacityIQ path traversal vulnerability

vCenter CapacityIQ is affected by a path traversal vulnerability, CVE-2012-5051, with a 5.0 CVSS base score. The vulnerability was discovered and reported by Alexander Minozhenko of ERPScan. CapacityIQ versions prior to vCOps 5.0.x are affected.