This CPU contains a fix for a vulnerability in Oracle Application Server found by Alexander Polyakov of ERPScan. The vulnerability allows a remote attacker to gain access to an administrator's session.
In this CPU Oracle also credits ERPScan under its Security-In-Depth program (see the FAQ) for vulnerabilities in Oracle BEA WebLogic 10 and Oracle Database 11g. Oracle recognizes Security-In-Depth contributors who provide information, observations or suggestions pertaining to security vulnerability issues that result in significant modification of Oracle code or documentation in future releases, but are not of such a critical nature that they are distributed in Critical Patch Updates. Additional information about the vulnerabilities:
- Oracle Application Server (SOA): Linked XSS vulnerability
- Oracle BEA WebLogic 10: Multiple Linked XSS vulnerabilities
- Oracle Database 11g: EXFSYS PL/SQL injection vulnerability
ERPScan was previously credited in the "Oracle Critical Patch Update Advisory — July 2008"; Oracle first thanked ERPScan researchers in the "Oracle Critical Patch Update Advisory — January 2008".