Security Vulnerabilities on OAS 10.1.2.3

Similar Messages

• Java 1.4.2 Security Vulnerabilities

  Hello,
  I'm looking for a link that lists the security vulnerabilities of Java 1.4.2 and I am having trouble finding a comprehensive list. Our security officer doesn't want us using 1.4.2 because of security vulnerabilities and I want to confirm what they are. But, I have not seen any report of what these issues are. This relates specifically to our Java version in relation to our Discoverer Plus use. Does anyone have a link of known Java 1.4 security issues?
  Thanks!

  Check this
  http://sunsolve.sun.com/search/document.do?assetkey=1-26-57591-1

• Oracle Security Vulnerabilities?

  Hi all,
  We're running many PHP 5.x applications in a distributed environment that use the OCI client to access Oracle 10g databases.
  Our server administration group is migrating to a new server and is refusing to install or support the OCI Instant client under Linux saying it's a security problem. Specifically, they say that the OCI Instant Client is exposed to buffer overflows and stack smashing. Their recommendation? Rewrite all our apps to use another database. Yeah, right.
  They provided me with two sources to explain the issues:
  http://www.dummies.com/WileyCDA/DummiesArticle/id-2900.html
  and
  Re: Problems with libclntsh.so.10.1 and PHP/Apache HTTPD
  Is this really a security problem? If so, what can be done to mitigate the risk?
  Thanks,
  John

  Hi all,
  I thought I’d jump in this thread with a few thoughts.
  Security flaws unfortunately affect software, both commercial and open source. I believe that what sets Oracle apart from many other vendors is the company’s commitment to security. Oracle Software Security Assurance (http://www.oracle.com/security/software-security-assurance.html) includes the most transparent vulnerability remediation policy in the industry. Furthermore, the Critical Patch Update (CPU) process (http://www.oracle.com/technology/deploy/security/alerts.htm) provides a predictable mechanism for the remediation of security vulnerabilities in Oracle software. By comparison, open source involves unpredictable releases of security fixes.
  Now, getting back to the discussion in this thread: as much as we try to prevent vulnerabilities during development, as is the case with all large software products, some make their way into released code. As vulnerabilities are discovered, Oracle fixes them in order of severity and release fixes for them through the Critical Patch Update.
  An attacker could attempt to exploit the unpatched vulnerabilities through OCI or other protocols providing access to the database (This is not specific to OCI). Oracle’s recommendation is therefore to remain current on the Critical Patch Update (the last one was issued on July 17, 2007). Keep in mind that the CPU is cumulative for the database, and applying the most recent CPU will bring you at current security patch level, and this will significantly contribute to improving your organization’s security posture.
  Do not hesitate to contact me if you have questions at [email protected]
  Sincerely
  Eric Maurice
  Manager – Oracle Software Security Assurance

• OSX Security Vulnerabilities - 20 found according to this article

  Via Gizmodo, here is an article about a guy finding 20 zero-day security holes in OSX. Zero-day threats refer to security vulnerabilities which do not yet have a fix. At present, Macs are highly resistant but not immune to viruses, but this article does raise a few red flags. Thoughts?
  Article: http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update -957981.html

  I've reposted this message in the "Using Mac OS X 10.6 Snow Leopard" forum. I posted here out of habit. I could not see how to delete the message, so please refer to this thread instead:
  http://discussions.apple.com/thread.jspa?threadID=2371811&tstart=0

• OSX Security Vulnerabilities - 20 found according to article

  Via Gizmodo, here is an article about a guy finding 20 zero-day security holes in OSX. Zero-day threats refer to security vulnerabilities which do not yet have a fix. At present, Macs are highly resistant but not immune to viruses, but this article does raise a few red flags. Thoughts?
  Article: http://www.h-online.com/security/news/item/Mac-OS-X-safer-but-less-secure-Update -957981.html

  Usually these "security bulletin" type postings are completely bogus. The guy is trying to make a living finding exploits. So, he finds 20 in Mac OS X, and then goes to the media so he can make a name for himself. Most people will say "Wow, 20 exploits! That is a lot, maybe we should be worried. Maybe OS X is not as secure as we think it is."
  But, what is totally missing here that is completely necessary to make a conclusion like that is any semblance of detail. The comments on Giz nailed it already. Are these "exploits" in the core OS, or are they in Flash? Etc. Most importantly, are these "holes" able to be exploited remotely? If I had to guess I would have to say most are not remotely exploitable. So, if this is true, are they really something to worry about? Absolutely not.
  So, the guy holds back the details so that he can get some interest from some company that makes security software. Pay him a nice royalty to provide that information. Or maybe, he's fishing for Apple to hire him so that they can patch those holes. Either way, I'm not sure I can take him seriously.
  And honestly:
  Macs are highly resistant but not immune to viruses
  This statement is false and reads like a journalist trying to cover their bases when they really don't know what they're talking about. OS X is currently immune from viruses by the definition of the word. Of course, there are a couple "trojans" around, but those require you to type in your admin password and install yourself. So, they aren't really a threat at all, at least compared to what we see on Windows.
  --Travis

• Are Security Vulnerabilities fixed by applying Oracle Server Patchsets

  Hi,
  I would like to know whether by applying Oracle Server Patchsets or by upgrading the Oracle Server from one version to another do we overcome the Security Vulnerabilities highlighted in the previous patchset or Oracle Server Version.
  For example if I have an Oracle Server 9.2.0.1 and I apply server patchest 9.2.0.8 do I overcome all the security vulnerabilities highlighted for version 9.2.0.1 and all other intervening versions. Similarly, if I upgrade my Oracle Server 9.2.0.6 to say Oracle Server 10g 10.2.0.3 do I overcome all security vulnerabilites highlighted fro 9.2.0.6 and all other intervening releases.
  Best Regards
  Syed Zaib ul Qamar

  Is there a link; or where can I go to find the types of and/or categories for the security vulnerabilities associated with (past and present) versions of Oracle? I work with a very large team of developers and some are DBAs that perform mainly custom coding in C++ and a little in Ada. I would like to ensure that our team is continually aware of the both past and current Oracle vulnerabilities when developing applications/scripts (designing, coding, reviewing, building, etc.), testing (including security) , quality assurance, packaging, and etc.
  Perhaps, this is a lot to ask; but, this at least a good palce to start.

• Oracle XDK Java removing security vulnerabilities

  Hi All,
  I am looking for removing security vulnerabilities that may be associated with XML parsers.
  I am looking which version of Oracle XDK Java has removed security vulnerabilities associated with XML Parsing.
  Also what is the latest version Oracle XDK Java is present in market.
  Also is new version are backward compatible. Do we need to see is any change in API level occurs.
  Currently we are using Oracle XDK Java 10.2.0.2.
  Just a description of security vulnerabilities that may be associated with XML parsers are
  "The vulnerabilities are related to the parsing of XML elements with unexpected byte values and recursive parentheses, which cause the program to access memory out of bounds, or to loop indefinitely. The effects of the vulnerabilities include denial of service and potentially code execution. The vulnerabilities can be exploited by enticing a user to open a specially modified file, or by submitting it to a server that handles XML content.:
  Regards
  Atul Parti

  Which JVM is the security tool complaining about (what is the directory path, for example)?
  My guess is that the tool is complaining about the older JVM that Oracle installs in order to run the Oracle Universal Installer and the other Java-based installation tools.  If that's the case, those JVMs do not generally represent a security issue because they are not running anything on a day-to-day basis.  They're only used by things like the OUI which only get invoked when someone wants to do something like install new software.  Ideally, you'd be able to have the conversation with the security folks and explain that those older JVMs exist only for the limited purpose of running the OUI and the other configuration tools. 
  If the security folks want you to upgrade the Java version (as opposed to just installing patches to the older JVMs), that has a decent probability of breaking the various installation and configuration tools.  That may not have much impact on a day-to-day basis but may make administration tasks in the future more challenging. 
  Justin

• Nearly 200 security vulnerabilities. iPad 1 ...

  ...  doesn't get an update. Can't be used for web surfing anymore. This is unreal. Any news on fixing the security holes? I.e. iOS 5.1.2?
  Or at least release a free boot loader so a fixable OS can be installed, like Android. I can't believe to have paid 600 bucks and can throw that away now, just after 2 years.
  As soon as my MBA late 2010 or my wife's MacBook Pro die, we'll substitute with generic Ultrabooks/Ultrathins. I'm not at all satisfied with Apple anymore.

  Ups, just forgotten to add the "proof" that there is a real security threat without an update: Apple lists around 200 security vulnerabilities in iOS5, which are fixed within iOS6.
  http://support.apple.com/kb/HT5503
  So if you're doing some product search and buy online with the iPad 1, the risk that you get hacked and robbed rises every hour without update. Thus the iPad 1 can't be used for web surfing anymore - the only thing I bought it for. And I was wrong, I even paid 700 bucks for it (3G, 32GB). That was stupid. Intelligence dictates not to repeat such a horrible mistake again.

• Kerberos Pre-Authentication - Security Vulnerabilities

  I have an issue with some Java applets locking out AD accounts, or prompting for a password.
  The solutions I have, and work, is to check the "Do not require Kerberos preauthentication" located in the user account of Active Directory Users and Computers, or to create a registry DWORD key called allowtgtsessionkey with a value of 1. 
  This key is located in
  HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\Kerberos\Parameters.
  Can you advise by enabling this option or creating the reg key, does this open any security vulnerabilities?  I have read on another forum that creating the key on a PC where a users has local admin rights, will be an issue, but was very vague.
  Many thanks
  Larry

  Hi,
  If the issue persists, please:
  Find out from which machine/device bad password attempts are generated.
  Locate any services/scheduled tasks/disconnected remote desktop connections/scripts/mapped drives which could be storing credentials, then clear stored credentials.
  More information for you:
  Troubleshooting Account Lockout
  https://technet.microsoft.com/en-us/library/cc773155%28v=ws.10%29.aspx?f=255&MSPPError=-2147217396
  Account getting locked out
  https://social.technet.microsoft.com/Forums/en-US/92454597-b414-4840-82fd-16dd92a1706d/account-getting-locked-out
  Account Locked - Event 4771 Failure Code 0x18
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/6187d7e2-d38a-4ecd-bf80-12ce3589c8e1/account-locked-event-4771-failure-code-0x18?forum=winserversecurity
  Error for Active Directory
  https://social.technet.microsoft.com/Forums/windowsserver/en-US/4923356c-1820-4626-83f2-8a57a7c48ccc/error-for-active-directory?forum=winserverDS
  Best Regards,
  Amy
  Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact
  [email protected]

• Security Vulnerabilities on CPUCMS

  Hi All
  Could someone assist me please?
  We running a demo version of CPUCMS at a customer and the System administrator has advised that there are
  security vulnerabilities on the server that runs CPUCMS and he would like to do the following:
  1) Locate file C:\PROGRA~1\CSCOpx\MDC\Apache\conf\httpd.conf
  Remove      -    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!LOW:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL
  Add below:-
  SSLHonorCipherOrder On
        SSLCipherSuite RC4-SHA:HIGH:!ADH
  2.)    Disable remote service rexec  , rlogin and rsh
  Please advise if anyone has done this and also the impact it might cause on the application?
  Many thanks
  Shabeer

  Hi All
  Could someone assist me please?
  We running a demo version of CPUCMS at a customer and the System administrator has advised that there are
  security vulnerabilities on the server that runs CPUCMS and he would like to do the following:
  1) Locate file C:\PROGRA~1\CSCOpx\MDC\Apache\conf\httpd.conf
  Remove      -    SSLCipherSuite ALL:!ADH:!EXPORT56:!EXPORT40:!LOW:RC4+RSA:+HIGH:+MEDIUM:!SSLv2:!EXP:!eNULL
  Add below:-
  SSLHonorCipherOrder On
        SSLCipherSuite RC4-SHA:HIGH:!ADH
  2.)    Disable remote service rexec  , rlogin and rsh
  Please advise if anyone has done this and also the impact it might cause on the application?
  Many thanks
  Shabeer

• Security Vulnerabilities

  Hi List,
  Similar to like Bug Toolkit, Does Cisco have a tool which can provide a list of Security Vulnerabilities based on the IOS version you specify ?
  Bug Toolkit gives the list of all bugs, most of them are related to the functionality rather than Security. Filtering Security bugs is a difficult task.
  Cisco publishes security advisories, which gives the list of affected IOS versions.
  But, my requirement is to get the list of vulnerabilities after provision of IOS version.
  Was just wondering what is the best way to achieve this.
  Thanks,

  Cisco has a security advisory site. There is also a product alert tool here. I belive this is what you are looking for.
  http://www.cisco.com/en/US/products/products_security_advisories_listing.html
  Hope this helps.
  Steve

• Security vulnerabilities in apache that comes with oracle database.

  Hi,
  We are having a QA database in Oracle enterprise version 9.2.0.4 on OS : OSF1.
  Recently our security team ran a test and found that the apache1.3 that comes as component of Oracle database is prone to security vulnerabilities. Also they suggested to remove the apache or upgrade to latest as remedy.
  When contacted to Oracle support, Oracle team replied apache upgrade should not be done instead latest apache seprately can be installed as reverse proxy. But when asked for steps/document there is no reply. Anyone faced this problem can provide any help/suggestion in this regard.
  I am attaching some of the threads identified by our Security Team for reference.
  1. Apache 1.3 HTTP Server Expect Header Cross-Site Scripting XXXX and YYYYYY ports 7782, 4889, 3339.
  2. Apache HTTP Server 413 Error HTTP Request Method Cross-Site Scripting Weakness
  3. Keep-Alive: timeout=15, max=100
  Connection: Keep-Alive
  Transfer-Encoding: chunked
  Content-Type: text/html; charset=iso-8859-1
  <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
  <HTML><HEAD>
  <TITLE>417 Expectation Failed</TITLE>
  </HEAD><BODY>
  <H1>Expectation Failed</H1>
  The expectation given in the Expect request-header
  field could not be met by this server.<P>
  The client sent<PRE>
  Expect: <script>alert(document.domain)</script>
  </PRE>
  but we only allow the 100-continue expectation.
  -CR

  I dont know how to find which components are using the apache. Help me if there is any way to find it. Only information i can say you is there is no other software installed that in that server other than oracle Database.

• OS X security vulnerabilities

  hi,
  our office network was attacked by hackers and they did some damage. everything in the office is windoze so that's not surprising but i was wondering if Mac OS X has any known security vulnerabilities ?
  best regards
  ЯML

  you might find this discussion helpful: http://discussions.apple.com/thread.jspa?threadID=2371811&tstart=0.

• IPhone security vulnerabilities ????

  This was sent out to all employees at my local gov offices... anyone know what she is talking about?
  I know iPhones are the latest cool gadget. However, there are security vulnerabilities associated with having them on our network in order to get your e-mail from the Exchange server. We are researching and trying to stay current on the issues and solutions. I do recommend that before you purchase an iPhone with expectations of using County network resources like e-mail, please contact us.
  <Edited by Moderator>

  Security is a 'cool' word to say, we're not sure how we're going to support this, or we don't want you to use it. Essentially this is a cool myth to make people afraid. (think of airport security and the 'orange' alerts we're conditioned to be fearful of)
  If you can get your work email at home via POP, IMAP and/or web access, the iPhone poses no more or less security threat than your home PC or laptop do.
  The only 'security issue' I can really see is that an iPhone is much easier to loose or have stolen, in which case, since there is no password needed to access the emails stored on the phone, someone 'could' view confidential emails stored on the phone, as well as send new emails, until a password is changed on the corporate side.

• CS4 Security Vulnerabilites

  I'm fairly new at the Dreamweaver software but looking to use
  the CS4 edition for designing a computer security business website,
  Is there any Dreamweaver CS4 security vulnerabilities? I've read
  some vulnerabilities with the CS3 edition with the CSS code in the
  'insert flash video' option with cross scripting. Anybody know or
  here of anything yet? Thanks.

  Hi Craig,
  Regarding this vulnerability,
  1) Vulnerability - SSL / TLS Renegotiation DoS
  You shouldn't be worrying as the code you are running has by default renegotiation diabled. If not please go to parameter type ssl and disable it.
  (config)# Parameter-map type ssl SSL
  (config-parammap-ssl)# rehandshake enabled
  (config-parammap-ssl)# no rehandshake enabled------>This is the default.
  Regarding your second vulnerability:
  2) Vulnerability - SSL/TLS Protocol Initialization Vector Implementation Information Disclosure Vulnerability
  The workaround is to enable adding empty data blocks via SSL_OP_DONT_INSERT_EMPTY_FRAGMENTS or SSL_OP_ALL runtime options. This was introduced in OpenSSL 0.9.6d. And most of client browsers (IE, Firefox, etc) have included this.
  ACE uses TLS 1.0. However, we do not allow code execution on the device. Also the device supports the OpenSSL workaround from client connections that implement it. In this way, ACE is not affected by this vulnerability and no
  action is required for this.
  There's future enhancement request for TLS 1.1 and TLS 1.2 support on ACE, however there's no hard date on it yet.
  Please review the details in below feature enhancement request:
  http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtt13316
  This is fixed inb A530.
  Let me know if you have any questions.
  Regards,
  Kanwal