Oracle JD Edwards EnterpriseOne Server and Tools are prone to an overflow condition. The JDENet Service fails to properly sanitize user-supplied input resulting in a heap-based buffer overflow. With a specially crafted packet, a remote attacker can potentially execute arbitrary code.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• CVE ID: 2011-0803 (see also: NVD)
• Secunia Advisory ID: 44279
• Related OSVDB ID: 71913 71914 71915 71916 71917 71919 71921 71922 71923 71924 71925
• Mail List Post: http://seclists.org/fulldisclosure/2011/Apr/456
• News Article: http://www.computerworld.com/s/article/9215838/Oracle_to_fix_73_security_bugs_next_week
• Other Advisory URL: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-11 [ Auth Req'd ]
• Vendor Specific Solution URL: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html#AppendixJDE

• Juan Pablo Perez Etchegoyen - Onapsis