VUPEN Security - Oracle Products Multiple Remote SQL Injection and Security Bypass Vulnerabilities / Exploit (Security Advisories)

	Contact \| Site en Français

VUPEN VNS v4.0

Features and Options

Free 14-Day Trial

Partner Program

Receive More Information

Latest Intelligence

VUPEN Security Advisories

Virus and Malware Alerts

VUPEN Security Research

Threat Watch Blog

Zero-Day Monitor

Search Engine

Mailing List & RSS

>> Oracle Products Multiple Remote SQL Injection and Security Bypass Vulnerabilities

Title : Oracle Products Multiple Remote SQL Injection and Security Bypass Vulnerabilities
VUPEN ID : VUPEN/ADV-2006-4065
CVE ID : CVE-2006-5332 - CVE-2006-5333 - CVE-2006-5334 - CVE-2006-5335 - CVE-2006-5336 - CVE-2006-5337 - CVE-2006-5338 - CVE-2006-5339 - CVE-2006-5340 - CVE-2006-5341 - CVE-2006-5342 - CVE-2006-5343 - CVE-2006-5344 - CVE-2006-5345 - CVE-2006-5346 - CVE-2006-5347 - CVE-2006-5348 - CVE-2006-5349 - CVE-2006-5350 - CVE-2006-5351 - CVE-2006-5352 - CVE-2006-5353 - CVE-2006-5354 - CVE-2006-5355 - CVE-2006-5356 - CVE-2006-5357 - CVE-2006-5358 - CVE-2006-5359 - CVE-2006-5360 - CVE-2006-5361 - CVE-2006-5362 - CVE-2006-5363 - CVE-2006-5364 - CVE-2006-5365 - CVE-2006-5366 - CVE-2006-5367 - CVE-2006-5368 - CVE-2006-5369 - CVE-2006-5370 - CVE-2006-5371 - CVE-2006-5372 - CVE-2006-5373 - CVE-2006-5374 - CVE-2006-5375 - CVE-2006-5376 - CVE-2006-5377 - CVE-2006-5378 - CVE-2006-5599
CWE ID : VUPEN VNS Only

CVSS V2 : VUPEN VNS Only

Rated as : High Risk

Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2006-10-17

Technical Description

Receive VUPEN Security alerts in a Text format

Receive VUPEN Security alerts in a PDF format

Receive VUPEN Security alerts in an XML format

More than one hundred vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection attacks, or bypass security restrictions. These flaws are due to errors in various components (e.g. XMLDB, Oracle Forms, or Oracle Application Object Library).

Affected Products

Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.6
Oracle9i Database Release 2 version 9.2.0.7
Oracle8i Database Release 3 version 8.1.7.4
Oracle Application Express (formerly called HTML DB) versions 1.5 through 2.0
Oracle Application Server 10g Release 3 version 10.1.3.0.0
Oracle Application Server 10g Release 2 versions 10.1.2.0.0 through 10.1.2.0.2
Oracle Application Server 10g Release 2 version 10.1.2.1.0
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.2
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.3
Oracle Collaboration Suite 10g Release 1 version 10.1.2.0
Oracle9i Collaboration Suite Release 2 version 9.0.4.2
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle Pharmaceutical Applications versions 4.5.0 through 4.5.1
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.46
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.8
Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.9
JD Edwards EnterpriseOne Tools version 8.95
JD Edwards EnterpriseOne Tools version 8.96
JD Edwards OneWorld Tools SP23
Oracle Developer Suite versions 6i 9.0.4.1
Oracle Developer Suite versions 6i 9.0.4.2
Oracle Developer Suite versions 6i 9.0.4.3
Oracle Developer Suite versions 6i 10.1.2.0.2
Oracle Developer Suite versions 6i 10.1.2.2
Oracle9i Database Release 1 version 9.0.1.4
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle9i Application Server Release 2 version 9.0.2.3
Oracle9i Application Server Release 2 version 9.0.3.1
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle Database 10g Release 1 version 10.1.0.3
Oracle9i Database Release 2 version 9.2.0.5
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1

Solution

Apply Critical Patch Upgrade (October 2006) :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html

Upgrade Oracle Application Express to version 2.2.1 :
http://www.oracle.com/technology/products/database/application_express/download.html

References

http://www.vupen.com/english/advisories/2006/4065
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html

Credits

Vulnerabilities reported by Johannes Fahrenkrug, Sacha Faust (S.P.I. Dynamics), Esteban Martinez Fayo (Application Security), Alexander Kornbrust (Red Database Security GmbH), David Litchfield (Next Generation Security Software), and Andrew Maksimenko (COMEC-92).

ChangeLog

2006-10-17 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts with CVE, CWE, and CVSS when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.

VUPEN Vulnerability
Notification Service

Latest Advisories

>> 2010-03-18

IBM DB2 Content Manager Web Services Single Sign-on Vulnerability

>> 2010-03-18

Transmission "tr_magnetParse()" Magnet Buffer Overflow Vulnerability

>> 2010-03-18

myMP3-Player Playlist Processing Buffer Overflow Vulnerability

>> 2010-03-18

VariCAD Products "DWB" File Processing Buffer Overflow Vulnerability

>> 2010-03-18

SugarCRM Document Name Handling Cross Site Scripting Vulnerability

More Informations