|
|
>> Oracle Products Multiple Remote SQL Injection and Security Bypass Vulnerabilities
|
More than one hundred vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection attacks, or bypass security restrictions. These flaws are due to errors in various components (e.g. XMLDB, Oracle Forms, or Oracle Application Object Library).
Affected Products
Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.6
Oracle9i Database Release 2 version 9.2.0.7
Oracle8i Database Release 3 version 8.1.7.4
Oracle Application Express (formerly called HTML DB) versions 1.5 through 2.0
Oracle Application Server 10g Release 3 version 10.1.3.0.0
Oracle Application Server 10g Release 2 versions 10.1.2.0.0 through 10.1.2.0.2
Oracle Application Server 10g Release 2 version 10.1.2.1.0
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.2
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.3
Oracle Collaboration Suite 10g Release 1 version 10.1.2.0
Oracle9i Collaboration Suite Release 2 version 9.0.4.2
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle Pharmaceutical Applications versions 4.5.0 through 4.5.1
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.46
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.8
Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.9
JD Edwards EnterpriseOne Tools version 8.95
JD Edwards EnterpriseOne Tools version 8.96
JD Edwards OneWorld Tools SP23
Oracle Developer Suite versions 6i 9.0.4.1
Oracle Developer Suite versions 6i 9.0.4.2
Oracle Developer Suite versions 6i 9.0.4.3
Oracle Developer Suite versions 6i 10.1.2.0.2
Oracle Developer Suite versions 6i 10.1.2.2
Oracle9i Database Release 1 version 9.0.1.4
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle9i Application Server Release 2 version 9.0.2.3
Oracle9i Application Server Release 2 version 9.0.3.1
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle Database 10g Release 1 version 10.1.0.3
Oracle9i Database Release 2 version 9.2.0.5
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1
Solution
Apply Critical Patch Upgrade (October 2006) :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
Upgrade Oracle Application Express to version 2.2.1 :
http://www.oracle.com/technology/products/database/application_express/download.html
References
http://www.vupen.com/english/advisories/2006/4065
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
Credits
Vulnerabilities reported by Johannes Fahrenkrug, Sacha Faust (S.P.I. Dynamics), Esteban Martinez Fayo (Application Security), Alexander Kornbrust (Red Database Security GmbH), David Litchfield (Next Generation Security Software), and Andrew Maksimenko (COMEC-92).
ChangeLog
2006-10-17 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
