Oracle Security Alert for CVE-2011-3192


Description

This security alert addresses the security issue CVE-2011-3192, a denial of service vulnerability in Apache HTTPD, which is applicable to Oracle HTTP Server products based on Apache 2.0 or 2.2. This vulnerability may be remotely exploitable without authentication, i.e. it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to impact the availability of un-patched systems.

Affected Products and Versions

  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
  • Oracle Application Server 10g Release 2, version 10.1.2.3.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)

     

    Please note that Oracle Enterprise Manager includes the Oracle Fusion Middleware component that is affected by this vulnerability. Oracle Enterprise Manager is affected only if the affected Oracle Fusion Middleware version (noted above) is being used. Since a vulnerability affecting Oracle Fusion Middleware versions may affect Oracle Enterprise Manager, Oracle recommends that customers apply the fix for this vulnerability to the Oracle Fusion Middleware component of Oracle Enterprise Manager. For information on what patches need to be applied to your environments, refer to Security Alert CVE-2011-3192 Patch Availability Document, My Oracle Support Note 1357871.1.

Patch Availability

Patches and relevant information for protection against this vulnerability can be found at:

My Oracle Support Note 1357871.1

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

References


Modification History


Date Comments
2011-September-15 Rev 1. Initial Release

 

Oracle Fusion Middleware Risk Matrix

 

CVE# Component Protocol Sub-
component
Remote Exploit without Auth.? CVSS VERSION 2.0 RISK (see Risk Matrix Definitions) Supported Versions Affected Notes
Base Score Access Vector Access Complexity Authen-
tication
Confiden-
tiality
Integrity Avail-
ability
CVE-2011-3192 Oracle HTTP Server HTTP - Yes 5.0 Network Low None None None Partial+ 10.1.2.3 (Companion CD), 10.1.3.5 (Companion CD), 11.1.1.3, 11.1.1.4, 11.1.1.5 See Note 1
 

 

Notes:

  1. The National Vulnerability Database has reported a CVSS Base Score for this vulnerability of 7.8 indicating a complete Operating System denial of service (DOS); however a complete Operating System denial of service is not possible on any platform supported by Oracle, and as a result, Oracle has given the vulnerability a CVSS Base Score of 5.0 indicating a complete denial of service of the Oracle HTTP Server but not the Operating System.