Oracle JD Edwards EnterpriseOne Server and Tools contains a flaw related to the XMLCallObject kernel. The issue is triggered when a remote attacker sends a specially crafted message. This may allow an attacker to execute arbitrary code.

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch to address this vulnerability. Check the vendor advisory or solution in the references section.

• CVE ID: 2011-0825 (see also: NVD)
• Secunia Advisory ID: 44279
• Related OSVDB ID: 71913 71914 71915 71916 71917 71918 71919 71921 71922 71923 71924
• Mail List Post: http://seclists.org/bugtraq/2011/Apr/277
  http://seclists.org/fulldisclosure/2011/Apr/453
• News Article: http://www.computerworld.com/s/article/9215838/Oracle_to_fix_73_security_bugs_next_week
• Other Advisory URL: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2011-08 [ Auth Req'd ]
• Vendor Specific Solution URL: http://www.oracle.com/technetwork/topics/security/cpuapr2011-301950.html#AppendixJDE

• Juan Pablo Perez Etchegoyen - Onapsis