Check Point Reference: | CPAI-2009-071 |
Date Published: | 24 Apr 2009 |
Severity: | High |
Last Updated: | Thursday 01 January, 2009 |
Source: | Secunia ID: 34693 |
Industry Reference: | |
Protection Provided by: | |
Who is Vulnerable? | Oracle Application Server 10g |
Vulnerability Description | A vulnerability was reported in Oracle Application Server, a multi-platform solution for developing and deploying enterprise applications and web sites. The flaw is due to insufficient validation of the URI part of HTTP requests. Remote attackers could exploit this vulnerability by sending a crafted HTTP request containing a malicious URI string. Successful exploitation would allow the attacker to execute arbitrary code in the context of the affected process. |
Update/Patch Available | Oracle has released an advisory addressing this vulnerability: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html |
Vulnerability Details | The vulnerability lies in the Oracle Application Server OPMN service. Oracle Process Manager and Notification Server (OPMN) is essential for running Oracle Application Server and is installed with every Oracle Application Server installation type. The vulnerable code passes the request URI as the format string of a printf-family call without validation, so any '%' conversion specifiers in the URI are interpreted rather than copied. By embedding format specifiers in the URI, an attacker can read process memory and, with the %n specifier, write to it, which may allow arbitrary code to be injected and executed in the context of the OPMN process. |
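The following is an added illustration of the bug class described above; it is not Oracle's OPMN code and nothing in it reflects the actual vulnerable routine. It shows the vulnerable shape (the URI used as the format string), the one-line hardened form (URI passed as a `%s` argument), and a detector that counts printf conversion specifiers in a URI and flags `%n`, the write primitive that turns a format-string bug into code execution. Function names and the request strings are constructed for the example.

```c
/*
 * Added example (not Oracle/OPMN code): a URI used directly as a
 * printf-family format string, its hardened form, and a detector that
 * counts printf conversion specifiers in a request URI.
 * All request URIs below are constructed for the demo.
 */
#include <stdio.h>
#include <string.h>

#define LINE_MAX_LEN 256

/* Vulnerable pattern: the request URI *is* the format string, so any
 * %x, %s or %n the client sends is interpreted by snprintf. It is here
 * only to show the shape of the bug; never feed it untrusted input
 * (the demo only calls it with a URI containing no '%' at all). */
#pragma GCC diagnostic push
#pragma GCC diagnostic ignored "-Wformat-security"
#pragma GCC diagnostic ignored "-Wformat-nonliteral"
static int log_uri_vulnerable(char *out, size_t outlen, const char *uri)
{
    return snprintf(out, outlen, uri);
}
#pragma GCC diagnostic pop

/* Hardened form: the format string is a literal and the URI is an
 * argument, so every '%' in it is copied verbatim into the log line. */
static int log_uri_safe(char *out, size_t outlen, const char *uri)
{
    return snprintf(out, outlen, "%s", uri);
}

/* Count printf conversion specifiers in s, following the grammar
 * %[flags][width][.precision][length]conversion. "%%" is a literal
 * percent sign and is not counted. *has_n is set when a %n is present.
 * Returns the number of specifiers that would be interpreted. */
static int count_format_specifiers(const char *s, int *has_n)
{
    int count = 0;
    const char *p = s;
    *has_n = 0;
    while (*p) {
        if (*p++ != '%')
            continue;
        if (*p == '%') {                    /* "%%" -> literal '%' */
            p++;
            continue;
        }
        while (*p && strchr("-+ #0", *p)) p++;              /* flags */
        while (*p >= '0' && *p <= '9') p++;                  /* width */
        if (*p == '.') {                                     /* precision */
            p++;
            while (*p >= '0' && *p <= '9') p++;
        }
        while (*p && strchr("hlLqjzt", *p)) p++;             /* length */
        if (*p && strchr("diouxXeEfFgGaAcspn", *p)) {
            count++;
            if (*p == 'n')
                *has_n = 1;
            p++;
        }
        /* else: malformed specifier; p stays so the next char is re-examined */
    }
    return count;
}

int main(void)
{
    /* Constructed request URIs for the demo. */
    const char *benign  = "/opmn/status";
    const char *hostile = "/opmn/%08x.%08x.%n";
    char line[LINE_MAX_LEN];
    int has_n;

    log_uri_safe(line, sizeof line, hostile);
    printf("safe log line : %s\n", line);
    printf("specifiers    : %d (has %%n: %d)\n",
           count_format_specifiers(hostile, &has_n), has_n);

    /* The vulnerable routine is only ever given a URI with no '%'. */
    log_uri_vulnerable(line, sizeof line, benign);
    printf("vuln (benign) : %s\n", line);
    return 0;
}
```

One caveat the detector makes visible: an ordinary percent-encoded URI such as `/app/%20x` already contains a valid specifier (`%20x`, width 20, conversion `x`), so a raw, undecoded URI reaching a format argument is exploitable without any unusual characters. Whatever check is applied must run on the exact string that reaches the format call, and the real fix is the literal-format form, not input filtering.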