Oracle Security Alert for CVE-2011-5035

Update

Products such as Oracle Audit Vault, Oracle Database, Oracle Enterprise Manager Grid Control and Oracle Identity Management include Oracle Containers for J2EE (OC4J). OC4J is affected by CVE-2011-5035, so security patches need to be applied to OC4J instances in these products. Please refer to Patch Availability Document (My Oracle Support Note 1400322.1) for information on downloading and applying these patches.

Products such as AquaLogic Data Services Platform, AquaLogic Interaction Logging Utilities, Oracle Communications Converged Application Server, Oracle Data Service Integrator, Oracle Enterprise Manager Base Platform, Oracle Enterprise Repository, Oracle Secure Enterprise Search, Oracle Service Bus, WebCenter Interaction, WebLogic Integration, WebLogic Portal, WebLogic SIP Server and WebLogic Workshop include WebLogic Server. WebLogic Server is also affected by CVE-2011-5035, so security patches need to be applied to WebLogic Server instances in these products. Please refer to Patch Availability Document (My Oracle Support Note 1400322.1) for information on downloading and applying these patches.

Description

This security alert addresses the security issue CVE-2011-5035, a denial of service vulnerability in Oracle WebLogic Server, Oracle Application Server (component: Oracle Container for J2EE/OC4J) and Oracle iPlanet Web Server caused by hash collisions. This vulnerability may be remotely exploitable without authentication, i.e., it may be exploited over a network without the need for a username and password. A remote user can exploit this vulnerability to affect system availability.
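The alert does not describe Oracle's fix beyond pointing at the patches. The following is an added example, not Oracle's code and not the patched behaviour, showing the general defence that request parsers apply against this class of issue: bound the number and size of attacker-controlled parameter names before any of them is inserted into a hash table, so that the cost of a request is capped regardless of how its keys hash. The limits, function names and sample inputs are assumed for illustration.

```python
# Added example (not Oracle's code): bound attacker-controlled hash-table work
# in an HTTP form/query parser before any key is inserted. Limits are assumed.
from urllib.parse import unquote_plus

MAX_PARAMS = 1000            # assumed cap on form/query parameters per request
MAX_BODY_BYTES = 64 * 1024   # assumed cap on urlencoded body size


class RequestTooLarge(ValueError):
    """Raised for input exceeding the limits; a real server would answer HTTP 413."""


def parse_urlencoded(body: str, max_params: int = MAX_PARAMS,
                     max_bytes: int = MAX_BODY_BYTES) -> dict:
    """Parse application/x-www-form-urlencoded text into {name: [values]}.

    Both checks run on the raw text, in linear time, before any decoding or
    dict insertion, so a rejected request never pays hash-table costs at all.
    """
    if len(body.encode("utf-8")) > max_bytes:
        raise RequestTooLarge(f"body exceeds {max_bytes} bytes")
    # Upper bound on the pair count: pairs are delimited by '&'.
    if body and body.count("&") + 1 > max_params:
        raise RequestTooLarge(f"more than {max_params} parameters")
    params: dict = {}
    for pair in body.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def constructed_requests():
    """Constructed sample inputs: a normal form post and one over the count limit."""
    normal = "user=alice&role=viewer&role=editor"
    oversized = "&".join(f"k{n}=v" for n in range(MAX_PARAMS + 1))
    return normal, oversized


def accepted(body: str) -> bool:
    """True when the parser accepts the body under the default limits."""
    try:
        parse_urlencoded(body)
        return True
    except RequestTooLarge:
        return False


if __name__ == "__main__":
    normal, oversized = constructed_requests()
    print(parse_urlencoded(normal))
    print("oversized request accepted:", accepted(oversized))
```

The point of doing the count on the raw text is that the check itself cannot be turned into the expensive step: it touches no hash table and costs one pass over bytes whose size is already bounded.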

Affected Products, Versions and Patch Availability

Security Alert patches are provided only for product versions that are covered under the Premier Support or Extended Support phases of the Lifetime Support Policy. We recommend that customers plan product upgrades to ensure that Security Alert patches are available for the versions they are currently running.

Product releases that are not under Premier Support or Extended Support are not tested for the presence of vulnerabilities addressed by this Security Alert. However, it is likely that earlier versions of affected releases are also affected by these vulnerabilities.

The list of affected product releases and versions that are in Premier Support or Extended Support under the Oracle Lifetime Support Policy is as follows:

| Affected Products and Versions | Risk Matrix | Patch Availability and Installation Information |
|---|---|---|
| Oracle Application Server 10g Release 3, version 10.1.3.5.0 | Oracle Fusion Middleware Risk Matrix | My Oracle Support Note 1400322.1 |
| Oracle WebLogic Server, versions 9.2.4, 10.0.2, 11gR1 (10.3.3, 10.3.4, 10.3.5), 12cR1 (12.1.1) | Oracle Fusion Middleware Risk Matrix | My Oracle Support Note 1400322.1 |
| Oracle iPlanet Web Server 7.0 and Oracle Java System Web Server 6.1 | Oracle Sun Products Suite Risk Matrix | My Oracle Support Note 1400369.1 |

For each administered Oracle product, consult the documentation for patch availability information and installation instructions referenced from the table above.

Please note that the fix for the same vulnerability in Oracle GlassFish Server was released in the January 2012 Oracle Critical Patch Update.

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

Modification History

| Date | Comments |
|---|---|
| 2012-March-29 | Rev 2. Updated information about products that include WLS and OC4J |
| 2012-January-31 | Rev 1. Initial Release |

Appendix - Oracle Fusion Middleware


Oracle Fusion Middleware Executive Summary

This Security Alert contains 2 new security fixes for Oracle Fusion Middleware. Both of these vulnerabilities may be remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Fusion Middleware Risk Matrix

The columns Base Score through Availability are the CVSS Version 2.0 Risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-5035 | Oracle Containers for J2EE | HTTP | Servlets | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 10.1.3.5 | |
| CVE-2011-5035 | Oracle WebLogic Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | None | None | Partial+ | 9.2.4, 10.0.2, 10.3.3, 10.3.4, 10.3.5, 12.1.1 | |


Appendix - Oracle Sun Products Suite

Oracle Sun Products Suite Executive Summary

This Security Alert contains 1 new security fix for the Oracle Sun Products Suite. This vulnerability is remotely exploitable without authentication, i.e., may be exploited over a network without the need for a username and password.

Oracle Sun Products Suite Risk Matrix

The columns Base Score through Availability are the CVSS Version 2.0 Risk metrics (see Risk Matrix Definitions).

| CVE# | Component | Protocol | Sub-component | Remote Exploit without Auth.? | Base Score | Access Vector | Access Complexity | Authentication | Confidentiality | Integrity | Availability | Supported Versions Affected | Notes |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| CVE-2011-5035 | Oracle iPlanet Web Server, Java System Web Server | HTTP | Web Container | Yes | 5.0 | Network | Low | None | None | None | Partial+ | Oracle iPlanet Web Server 7.0 and Java System Web Server 6.1 | |
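Both risk matrices (Oracle Fusion Middleware and Oracle Sun Products Suite) publish the same metric values and the same base score of 5.0. The block below is an added example, not part of the alert, that recomputes that score from the listed metrics with the CVSS v2.0 base equation, so a reader can check the published number and see why an availability-only, partial impact over the network without authentication lands at 5.0. The metric weights are those of the CVSS v2.0 specification; the row data is copied from the matrices above, and Oracle's "Partial+" annotation is treated as the CVSS value "Partial" (an assumption stated in the code).

```python
# Added example (not part of the Oracle alert): recompute the risk matrices'
# CVSS v2.0 base score of 5.0 from the metric values the matrices list.
from decimal import Decimal, ROUND_HALF_UP

# Metric weights from the CVSS v2.0 base equation.
ACCESS_VECTOR = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
ACCESS_COMPLEXITY = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AUTHENTICATION = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
IMPACT = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def _round1(x: float) -> float:
    """CVSS rounds to one decimal, half up (Python's round() is half-even)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP))


def cvss2_base_score(av: str, ac: str, au: str, c: str, i: str, a: str) -> float:
    """CVSS v2.0 base score from the six base metrics, by the published equation."""
    impact = 10.41 * (1 - (1 - IMPACT[c]) * (1 - IMPACT[i]) * (1 - IMPACT[a]))
    exploitability = 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return _round1(((0.6 * impact) + (0.4 * exploitability) - 1.5) * f_impact)


# Rows copied from the alert's two risk matrices. Oracle writes "Partial+" where
# the impact may be wider than the CVSS value expresses; the "+" is an Oracle
# annotation, not a CVSS metric value, so it is stripped before scoring
# (assumption: the underlying CVSS value is "Partial").
ALERT_ROWS = [
    {"component": "Oracle Containers for J2EE", "av": "Network", "ac": "Low",
     "au": "None", "c": "None", "i": "None", "a": "Partial+", "base": 5.0},
    {"component": "Oracle WebLogic Server", "av": "Network", "ac": "Low",
     "au": "None", "c": "None", "i": "None", "a": "Partial+", "base": 5.0},
    {"component": "Oracle iPlanet Web Server, Java System Web Server", "av": "Network",
     "ac": "Low", "au": "None", "c": "None", "i": "None", "a": "Partial+", "base": 5.0},
]


def _strip_plus(value: str) -> str:
    return value.rstrip("+")


def recompute_row(row: dict) -> float:
    """Base score recomputed from one matrix row's metric values."""
    return cvss2_base_score(row["av"], row["ac"], row["au"],
                            _strip_plus(row["c"]), _strip_plus(row["i"]),
                            _strip_plus(row["a"]))


def matrix_rows_consistent(rows=ALERT_ROWS) -> bool:
    """True when every row's published base score matches the recomputed one."""
    return all(recompute_row(r) == r["base"] for r in rows)


if __name__ == "__main__":
    for r in ALERT_ROWS:
        print(f'{r["component"]}: published {r["base"]}, recomputed {recompute_row(r)}')
    print("all rows consistent:", matrix_rows_consistent())
```

Working the numbers by hand: Impact = 10.41 × (1 − 1 × 1 × 0.725) ≈ 2.863, Exploitability = 20 × 1.0 × 0.71 × 0.704 ≈ 9.997, and ((0.6 × 2.863) + (0.4 × 9.997) − 1.5) × 1.176 ≈ 4.958, which rounds to the published 5.0.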