Products such as Oracle Audit Vault, Oracle Database, Oracle Enterprise Manager Grid Control and Oracle Identity Management include Oracle Containers for J2EE (OC4J). OC4J is affected by CVE-2011-5035, so security patches need to be applied to OC4J instances in these products. Please refer to Patch Availability Document (My Oracle Support Note 1400322.1) for information on downloading and applying these patches.
Products such as AquaLogic Data Services Platform, AquaLogic Interaction Logging Utilities, Oracle Communications Converged Application Server, Oracle Data Service Integrator, Oracle Enterprise Manager Base Platform, Oracle Enterprise Repository, Oracle Secure Enterprise Search, Oracle Service Bus, WebCenter Interaction, WebLogic Integration, WebLogic Portal, WebLogic SIP Server and WebLogic Workshop include WebLogic Server. WebLogic Server is also affected by CVE-2011-5035, so security patches need to be applied to WebLogic Server instances in these products. Please refer to Patch Availability Document (My Oracle Support Note 1400322.1) for information on downloading and applying these patches.
This Security Alert addresses the security issue CVE-2011-5035, a denial of service vulnerability in Oracle WebLogic Server, Oracle Application Server (component: Oracle Container for J2EE/OC4J) and Oracle iPlanet Web Server due to hashing collisions. This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to affect system availability.
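The general defensive control for this bug class is to bound the number of request parameters a container will accept before any of them is inserted into its hash table, so that colliding keys cannot drive the lookup cost beyond a fixed ceiling. The following is an added illustration of that control, not Oracle's patch code; the cap value, `parse_form`, `accepts` and `TooManyParameters` are names assumed for this example.

```python
# Added illustration of the generic defense against hash-collision DoS in
# HTTP parameter parsing: bound the number of parameters before any of
# them reaches the hash table. This is not Oracle's patch; the cap value,
# function and exception names are assumptions for this example.
from urllib.parse import unquote_plus

MAX_PARAMETERS = 1000  # assumed cap; real containers expose this as a setting


class TooManyParameters(ValueError):
    """Raised when a request body carries more parameters than the cap."""


def parse_form(body: str, max_params: int = MAX_PARAMETERS) -> dict:
    """Parse an application/x-www-form-urlencoded body into a dict.

    The pair count is checked with a linear scan of the raw body before a
    single key is hashed, so an attacker-controlled body can cause at most
    max_params dictionary insertions, bounding the worst-case work even if
    every key lands in the same bucket.
    """
    if not body:
        return {}
    # body.count("&") + 1 is the number of "&"-separated segments
    if body.count("&") + 1 > max_params:
        raise TooManyParameters(
            f"request has more than {max_params} parameters; rejected")
    params = {}
    for segment in body.split("&"):
        if not segment:            # tolerate "a=1&&b=2"
            continue
        key, _, value = segment.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params


def accepts(body: str, max_params: int = MAX_PARAMETERS) -> bool:
    """True if the body would be parsed, False if the cap rejects it."""
    try:
        parse_form(body, max_params)
        return True
    except TooManyParameters:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, not captured traffic.
    print(parse_form("user=alice&lang=en%20US"))
    flood = "&".join(f"k{i}=v" for i in range(1500))
    print(accepts(flood))  # False: rejected before the table is touched
```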
Security Alert patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Security Alert patches are available for the versions they are currently running.
Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.
The list of affected product releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy is as follows:
Affected Products and Versions | Risk Matrix | Patch Availability and Installation Information |
---|---|---|
Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Oracle Fusion Middleware Risk Matrix | My Oracle Support Note 1400322.1 |
Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5), 12cR1 (12.1.1) | Oracle Fusion Middleware Risk Matrix | My Oracle Support Note 1400322.1 |
Oracle iPlanet Web Server 7.0 and Oracle Java System Web Server 6.1 | Oracle Sun Products Suite Risk Matrix | My Oracle Support Note 1400369.1 |
For each administered Oracle product, consult the patch availability information and installation instructions in the documentation referenced from the table above.
Please note that the fix for the same vulnerability in Oracle GlassFish Server was released in the January 2012 Oracle Critical Patch Update.
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.
Date | Comments |
---|---|
2012-March-29 | Rev 2. Updated information about products that include WLS and OC4J |
2012-January-31 | Rev 1. Initial Release |
This Security Alert contains 2 new security fixes for Oracle Fusion Middleware. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS Version 2.0 Risk, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2011-5035 | Oracle Containers for J2EE | HTTP | Servlets | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.3.5 | |
CVE-2011-5035 | Oracle WebLogic Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 9.2.4, 10.0.2, 10.3.3, 10.3.4, 10.3.5, 12.1.1 | |
This Security Alert contains 1 new security fix for the Oracle Sun Products Suite. This vulnerability is remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password.
CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score (CVSS Version 2.0 Risk, see Risk Matrix Definitions) | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
---|---|---|---|---|---|---|---|---|---|---|---|---|---|
CVE-2011-5035 | Oracle iPlanet Web Server, Java System Web Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | None | None | Partial+ | Oracle iPlanet Web Server 7.0 and Java System Web Server 6.1 | |