Oracle Security Alert for CVE-2011-5035


Update

Products such as Oracle Audit Vault, Oracle Database, Oracle Enterprise Manager Grid Control and Oracle Identity Management include Oracle Containers for J2EE (OC4J). OC4J is affected by CVE-2011-5035, so security patches need to be applied to OC4J instances in these products. Please refer to Patch Availability Document (My Oracle Support Note 1400322.1) for information on downloading and applying these patches.

Products such as AquaLogic Data Services Platform, AquaLogic Interaction Logging Utilities, Oracle Communications Converged Application Server, Oracle Data Service Integrator, Oracle Enterprise Manager Base Platform, Oracle Enterprise Repository, Oracle Secure Enterprise Search, Oracle Service Bus, WebCenter Interaction, WebLogic Integration, WebLogic Portal, WebLogic SIP Server, WebLogic Workshop include WebLogic Server. WebLogic Server is also affected by CVE-2011-5035, so security patches need to be applied to WebLogic Server instances in these products. Please refer to Patch Availability Document (My Oracle Support Note 1400322.1) for information on downloading and applying these patches.

Description

This security alert addresses the security issue CVE-2011-5035, a denial of service vulnerability in Oracle WebLogic Server, Oracle Application Server (component: Oracle Container for J2EE/OC4J) and Oracle iPlanet Web Server due to hashing collisions. This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to affect system availability.
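As an added illustration (not Oracle's code and not the patched behaviour of any product listed here), the following Python shows the mechanism behind a hash-collision denial of service and the mitigation defenders generally rely on: capping the number of request parameters and the request size before any hashing work is done. The hash function, bucket count and the MAX_PARAMS / MAX_QUERY_BYTES limits are assumptions chosen for the demonstration, not values taken from the advisory; the sample parameter names are constructed inline.

```python
"""Added illustration of why colliding parameter names are expensive to
insert and how a parameter budget bounds the work a single request can cause.
Not Oracle's code; the hash, bucket count and limits are assumptions."""
from itertools import islice, permutations
from urllib.parse import unquote_plus

# Assumed limits for this illustration; they are not Oracle settings.
MAX_PARAMS = 1000
MAX_QUERY_BYTES = 64 * 1024


class TooManyParameters(ValueError):
    """Raised when a request exceeds the configured parameter budget."""


def toy_hash(key: str, buckets: int) -> int:
    """Deliberately weak demonstration hash (sum of code points). Any two
    anagrams collide, which is all that is needed to show the failure mode."""
    return sum(ord(c) for c in key) % buckets


class ChainedMap:
    """Minimal chained hash table that counts key comparisons, so the cost of
    an insert sequence is observable deterministically, without timing."""

    def __init__(self, buckets: int = 64) -> None:
        self.buckets = [[] for _ in range(buckets)]
        self.comparisons = 0

    def put(self, key: str, value: str) -> None:
        chain = self.buckets[toy_hash(key, len(self.buckets))]
        for entry in chain:  # every existing key in the chain is compared
            self.comparisons += 1
            if entry[0] == key:
                entry[1] = value
                return
        chain.append([key, value])

    def __len__(self) -> int:
        return sum(len(chain) for chain in self.buckets)


def parse_query(query: str, max_params: int = MAX_PARAMS,
                max_bytes: int = MAX_QUERY_BYTES) -> ChainedMap:
    """Parse application/x-www-form-urlencoded data into a ChainedMap,
    refusing the request as soon as either budget is exceeded."""
    if len(query) > max_bytes:
        raise TooManyParameters(f"query exceeds {max_bytes} bytes")
    table = ChainedMap()
    seen = 0
    for pair in query.split("&"):
        if not pair:
            continue
        seen += 1
        if seen > max_params:
            raise TooManyParameters(f"more than {max_params} parameters")
        name, _, value = pair.partition("=")
        table.put(unquote_plus(name), unquote_plus(value))
    return table


def colliding_names(n: int) -> list:
    """Constructed sample input: n distinct anagrams of one word, which all
    land in the same toy_hash bucket."""
    return ["".join(p) for p in islice(permutations("abcdefgh"), n)]


def collision_cost(n: int, **limits) -> int:
    """Key comparisons spent parsing n colliding parameters under the limits."""
    query = "&".join(f"{name}=1" for name in colliding_names(n))
    return parse_query(query, **limits).comparisons


def is_rejected(n: int, max_params: int) -> bool:
    """True when n colliding parameters exceed the cap (helper for checks)."""
    try:
        collision_cost(n, max_params=max_params)
    except TooManyParameters:
        return True
    return False


if __name__ == "__main__":
    for n in (100, 200, 400):
        print(f"{n} colliding parameters -> {collision_cost(n)} comparisons")
    print("400 parameters with cap 200 rejected:", is_rejected(400, 200))
```

The comparison count grows quadratically with the number of colliding names (n(n-1)/2), which is the work a server is forced to do per request when an attacker controls the keys; with a cap in place the parser stops counting parameters and raises before the table is ever filled, so the per-request cost is bounded regardless of how the names hash. Real servers expose the same idea as a configuration limit on parameter count and request size; the names used here are assumed.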

Affected Products, Versions and Patch Availability

Security Alert patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Security Alert patches are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

The list of affected product releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy is as follows:

| Affected Products and Versions | Risk Matrix | Patch Availability and Installation Information |
|---|---|---|
| Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Oracle Fusion Middleware Risk Matrix | My Oracle Support Note 1400322.1 |
| Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5), 12cR1 (12.1.1) | Oracle Fusion Middleware Risk Matrix | My Oracle Support Note 1400322.1 |
| Oracle iPlanet Web Server 7.0 and Oracle Java System Web Server 6.1 | Oracle Sun Products Suite Risk Matrix | My Oracle Support Note 1400369.1 |

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the table above.

Please note that the fix for the same vulnerability in Oracle GlassFish Server was released in the January 2012 Oracle Critical Patch Update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

Modification History


| Date | Comments |
|---|---|
| 2012-March-29 | Rev 2. Updated information about products that include WLS and OC4J |
| 2012-January-31 | Rev 1. Initial Release |

Appendix - Oracle Fusion Middleware

Oracle Fusion Middleware Executive Summary

This Security Alert contains 2 new security fixes for Oracle Fusion Middleware. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Fusion Middleware Risk Matrix


Columns Base Score through Availability are the CVSS VERSION 2.0 RISK values (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-5035 | Oracle Containers for J2EE | HTTP | Servlets | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.3.5 | |
| CVE-2011-5035 | Oracle WebLogic Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 9.2.4, 10.0.2, 10.3.3, 10.3.4, 10.3.5, 12.1.1 | |

Appendix - Oracle Sun Products Suite

Oracle Sun Products Suite Executive Summary

This Security Alert contains 1 new security fix for the Oracle Sun Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Sun Products Suite Risk Matrix


Columns Base Score through Availability are the CVSS VERSION 2.0 RISK values (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-5035 | Oracle iPlanet Web Server, Java System Web Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | None | None | Partial+ | Oracle iPlanet Web Server 7.0 and Java System Web Server 6.1 | |