CVE-2009-0993
Oracle Applications Server 10g Format String Vulnerability
- Public Exploits: 0
- Exploited in Wild: -
- SSVC Decision: -
Descriptions
Unspecified vulnerability in the OPMN component in Oracle Application Server 10.1.2.3 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the April 2009 CPU. Oracle has not commented on reliable researcher claims that this issue is a format string vulnerability that allows remote attackers to execute arbitrary code via format string specifiers in an HTTP POST URI, which are not properly handled when logging to opmn/logs/opmn.log.
Unspecified vulnerability in the OPMN component in Oracle Application Server v10.1.2.3 allows remote attackers to affect confidentiality, availability, and integrity via unknown vectors.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Oracle Applications Server. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the Oracle Process Manager and Notification (opmn) daemon which is an HTTP daemon listening on a TCP port above 6000. The daemon fails to properly handle format string tokens in the POST URI when logging to the file $ORACLE_HOME/opmn/logs/opmn.log. Exploitation of this issue can result in arbitrary code execution.
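The bug class described above is the classic "user data used as the format string" mistake: a logger writes the request URI with something like `fprintf(log, uri)` instead of `fprintf(log, "%s", uri)`, so `%x`/`%p` in the URI read stack words and `%n` writes to memory. The following is an added example written for this page, not Oracle's code and not a reproduction of the opmn daemon: it shows the vulnerable call shape in a comment, a hardened logger that treats the URI purely as data, and a detector that can be run over the URIs recorded in opmn.log (or over inbound request lines) to flag format-string attempts. The function names, the `[request]` log prefix and the sample URIs are assumptions constructed for the example.

```c
/* Added example for CVE-2009-0993's bug class; not Oracle's code.
 * "uri" stands in for the attacker-controlled POST URI that the vulnerable
 * daemon wrote to opmn.log. Names and sample inputs are constructed. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>
#include <stdbool.h>

/* Vulnerable pattern (shown only, never executed here): the request URI
 * itself becomes the format string, so "%x" leaks stack words and "%n"
 * writes to memory.
 *
 *   char line[512];
 *   snprintf(line, sizeof line, uri);   // BUG: uri is the format
 *   fprintf(logfp, uri);                // same bug
 */

/* Hardened logger: the URI is only ever an argument to a fixed format, so
 * any directives it contains are written literally. Returns the number of
 * characters snprintf would have written (the usual snprintf contract). */
int log_request_hardened(char *line, size_t cap, const char *method, const char *uri)
{
    return snprintf(line, cap, "[request] %s %s", method, uri);
}

/* Counts printf directives in uri that a vulnerable fprintf(log, uri) would
 * act on dangerously: any "%...n" write, any positional "%N$..." directive,
 * or a "%x"/"%X"/"%p"/"%s" memory read. A "%" followed by two hex digits is
 * assumed to be URL percent-encoding ("%20", "%2F") unless the directive
 * ends in 'n' or is positional, so a bare "%08x" leak probe is deliberately
 * not counted (a documented false negative chosen to avoid flagging every
 * encoded URL). */
int count_format_directives(const char *uri)
{
    int hits = 0;
    for (const char *p = uri; *p; p++) {
        if (*p != '%') continue;
        if (p[1] == '%') { p++; continue; }   /* "%%" prints a literal '%' */

        const char *q = p + 1;
        bool positional = false;
        /* flags, width, precision, and the positional '$' marker */
        while (*q && strchr("-+ #0123456789.*$", *q)) {
            if (*q == '$') positional = true;
            q++;
        }
        /* length modifiers: %hn, %hhn, %ln, ... */
        while (*q && strchr("hlLqjzt", *q)) q++;
        char conv = *q;

        bool hex_pair = isxdigit((unsigned char)p[1]) && isxdigit((unsigned char)p[2]);

        if (conv == 'n' ||
            (positional && conv && strchr("diouxXeEfFgGaAcspn", conv))) {
            hits++;          /* write primitive or positional access: always flag */
            p = q;
            continue;
        }
        if (hex_pair) continue;                   /* looks like percent-encoding */
        if (conv && strchr("xXps", conv)) {       /* stack/pointer/string read */
            hits++;
            p = q;
        }
    }
    return hits;
}

int main(void)
{
    /* Constructed sample URIs, the kind of values found in a request log. */
    const char *samples[] = {
        "/index.html?a=b%20c&d=%2Fx",   /* benign percent-encoding */
        "/%n%n%n",                      /* write primitive */
        "/%4$hhn",                      /* positional byte write */
        "/%p%p%p%p",                    /* stack leak probe */
    };
    char line[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        log_request_hardened(line, sizeof line, "POST", samples[i]);
        printf("%-32s directives=%d  logged as: %s\n",
               samples[i], count_format_directives(samples[i]), line);
    }
    return 0;
}
```

The hardened logger is the actual fix for this bug class; the detector is a triage aid for the opmn.log entries or request captures from the affected version, not a substitute for patching. Anything it flags with a non-zero count on a 10.1.2.3 host that was exposed on the OPMN port is worth treating as an exploitation attempt.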
SSVC
- Decision: -
Timeline
- 2009-03-19 CVE Reserved
- 2009-04-14 CVE Published
- 2024-08-07 CVE Updated
- 2024-09-18 EPSS Updated
- Exploited in Wild: no date recorded
- KEV Due Date: no date recorded
- First Exploit: no date recorded
References (8)
URL | Tag
---|---
http://secunia.com/advisories/34693 | Third Party Advisory
http://www.oracle.com/technetwork/topics/security/cpuapr2009-099563.html | Vendor Advisory (Oracle April 2009 CPU)
http://www.securityfocus.com/archive/1/502683/100/0/threaded | Mailing List
http://www.securityfocus.com/bid/34461 | VDB Entry
http://www.securitytracker.com/id?1022055 | VDB Entry
http://www.us-cert.gov/cas/techalerts/TA09-105A.html | Third Party Advisory
http://www.zerodayinitiative.com/advisories/ZDI-09-017 | Third Party Advisory (ZDI)
https://exchange.xforce.ibmcloud.com/vulnerabilities/50030 | VDB Entry
Affected Vendors, Products, and Versions
Vendor | Product | Version | Status
---|---|---|---
Oracle | Application Server | 10.1.2.3.0 | Affected