Vulnerability Name:

CVE-2007-2134 (CCN-33809)

Assigned: 2007-04-17
Published: 2007-04-17
Updated: 2018-10-16
Summary: Unspecified vulnerability in the HTML Server in Oracle JD Edwards EnterpriseOne SP23_Q1 and 8.96.I1 has unknown impact and local attack vectors, aka JDE01.
The vendor has addressed this issue through the release of the following patch information: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
CVSS v3 Severity: 9.3 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 7.2 High (CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
7.2 High (CCN CVSS v2 Vector: AV:L/AC:L/Au:N/C:C/I:C/A:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-Other
Vulnerability Consequences: Informational
References:
Source: CCN
Type: Full-Disclosure Mailing List, Wed Apr 18 2007 - 11:07:27 CDT
Oracle E-Business Suite Vulnerability Information April 2007

Source: MITRE
Type: CNA
CVE-2007-2108

Source: MITRE
Type: CNA
CVE-2007-2109

Source: MITRE
Type: CNA
CVE-2007-2110

Source: MITRE
Type: CNA
CVE-2007-2111

Source: MITRE
Type: CNA
CVE-2007-2112

Source: MITRE
Type: CNA
CVE-2007-2113

Source: MITRE
Type: CNA
CVE-2007-2114

Source: MITRE
Type: CNA
CVE-2007-2115

Source: MITRE
Type: CNA
CVE-2007-2116

Source: MITRE
Type: CNA
CVE-2007-2117

Source: MITRE
Type: CNA
CVE-2007-2118

Source: MITRE
Type: CNA
CVE-2007-2119

Source: MITRE
Type: CNA
CVE-2007-2120

Source: MITRE
Type: CNA
CVE-2007-2121

Source: MITRE
Type: CNA
CVE-2007-2122

Source: MITRE
Type: CNA
CVE-2007-2123

Source: MITRE
Type: CNA
CVE-2007-2124

Source: MITRE
Type: CNA
CVE-2007-2125

Source: MITRE
Type: CNA
CVE-2007-2126

Source: MITRE
Type: CNA
CVE-2007-2127

Source: MITRE
Type: CNA
CVE-2007-2128

Source: MITRE
Type: CNA
CVE-2007-2129

Source: MITRE
Type: CNA
CVE-2007-2130

Source: MITRE
Type: CNA
CVE-2007-2131

Source: MITRE
Type: CNA
CVE-2007-2132

Source: MITRE
Type: CNA
CVE-2007-2133

Source: MITRE
Type: CNA
CVE-2007-2134

Source: MITRE
Type: CNA
CVE-2007-2135

Source: MITRE
Type: CNA
CVE-2007-2170

Source: CCN
Type: IBM Security Bulletin 1268889
Oracle Engine Upgrade and Critical Patch - TCIM 6.0/7.0/8.0 Embedded Database Engine Upgrade (10.1.0.5) and April 2007 Oracle Critical Patch Update

Source: CCN
Type: US-CERT VU#809457
Oracle Database vulnerable to privilege escalation

Source: CCN
Type: Oracle Critical Patch Update - April 2007
Oracle Critical Patch Update Advisory - April 2007

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpuapr2007-090632.html

Source: CCN
Type: OSVDB ID: 39920
Oracle PeopleSoft Enterprise Human Capital Management Unspecified Information Disclosure

Source: CCN
Type: OSVDB ID: 39921
Oracle PeopleSoft JD Edwards HTTP Server Browser Cache Login Credential Disclosure

Source: CCN
Type: OSVDB ID: 39922
Oracle PeopleSoft PeopleTools Unspecified FTP Script Upload Issue

Source: CCN
Type: OSVDB ID: 39923
Oracle PeopleSoft PeopleTools Unspecified Stored XSS

Source: CCN
Type: OSVDB ID: 39924
Oracle Database Core RDBMS NTLM SSPI AcceptSecurityContext Function Remote Privilege Escalation

Source: CCN
Type: OSVDB ID: 39925
Oracle Database Rules Manager Expression Filter RLMGR_TRUNCATE_MAINT Trigger Race Condition

Source: CCN
Type: OSVDB ID: 39926
Oracle Database Core RDBMS NULL DACL Multiple Function Arbitrary Code Execution

Source: CCN
Type: OSVDB ID: 39929
Oracle Database Streams DBMS_APPLY_USER_AGENT.SET_REGISTRATION_HANDLER Procedure SQL Injection

Source: CCN
Type: OSVDB ID: 39931
Oracle Database Change Data Capture (CDC) DBMS_CDC_IPUBLISH.CHGTAB_CACHE CHANGE_TABLE_NAME Parameter Remote Overflow

Source: CCN
Type: OSVDB ID: 39932
Oracle Database Change Data Capture (CDC) DBMS_CDC_PUBLISH Multiple SQL Injections

Source: CCN
Type: OSVDB ID: 39934
Oracle Database Instant Client genezi Command Unspecified Local Issue

Source: CCN
Type: OSVDB ID: 39935
Oracle Database Text ctxsrv Command Unspecified Local Issue

Source: CCN
Type: OSVDB ID: 39936
Oracle Database Upgrade/Downgrade mig Command Local Overflow

Source: CCN
Type: OSVDB ID: 39939
Oracle Database Agent Unauthenticated Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39940
Oracle Collaboration Suite Workspace Unspecified Authenticated Issue (OCS01)

Source: CCN
Type: OSVDB ID: 39942
Oracle Application Server COREid Access HTTP Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 39943
Oracle Application Server Wireless HTTP Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 39944
Oracle Application Server Portal HTTP Unspecified Remote Issue

Source: CCN
Type: OSVDB ID: 39945
Oracle Application Server Portal HTTP Unspecified Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39948
Oracle E-Business Suite Report Manager Unauthenticated Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39949
Oracle E-Business Suite Application Object Library Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39950
Oracle E-Business Suite iStore Unspecified Remote Information Disclosure (APPS05)

Source: CCN
Type: OSVDB ID: 39951
Oracle E-Business Suite iStore Unspecified Remote Information Disclosure (APPS06)

Source: CCN
Type: OSVDB ID: 39952
Oracle E-Business Suite iSupport Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39953
Oracle E-Business Suite Sales Online Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39954
Oracle E-Business Suite Trade Management Remote Information Disclosure

Source: CCN
Type: OSVDB ID: 39955
Oracle E-Business Suite Applications Manager Patch Administrator Local Information Disclosure

Source: CCN
Type: Red-Database-Security Web site
Details Oracle Critical Patch Update April 2007

Source: MISC
Type: UNKNOWN
http://www.red-database-security.com/advisory/oracle_cpu_apr_2007.html

Source: HP
Type: UNKNOWN
SSRT061201

Source: BID
Type: UNKNOWN
23532

Source: SECTRACK
Type: UNKNOWN
1017927

Source: CERT
Type: US Government Resource
TA07-108A

Source: VUPEN
Type: UNKNOWN
ADV-2007-1426

Source: XF
Type: UNKNOWN
oracle-cpu-april2007(33809)

Source: CCN
Type: IBM Internet Security Systems X-Force Database
Oracle E-Business Suite APPLSYS.FND_DM_NODES node deletion

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:oracle:enterpriseone:8.96.11:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterpriseone:sp23_q1:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:oracle:database_server:10.1.0.4:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:10.1.2.0.1:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:10.1.2.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.1:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.1.0.5:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.0.7:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:collaboration_suite:10.1.2:r1:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.10:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:application_server:9.0.4.3:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterpriseone:8.96:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.22:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.47:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_peopletools:8.48:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.2.0.8:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.3:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:secure_enterprise_search:10.1.6:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:12.0.0:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager:9.2.0.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:enterprise_manager:9.2.0.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:peoplesoft_enterprise_human_capital_management:8.9:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:9.0.1.5::fips+:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.7:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.8:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:e-business_suite:11.5.9:*:*:*:*:*:*:*

* Denotes that component is vulnerable