|
|
>> Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities
|
Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross site scripting attacks, or bypass security restrictions.
The first issue is due to an input validation error in Oracle Database when handling certain parameters via XML DB, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
The second issue is due to an input validation error in the "DBMS_AQ_INV" package, which could be exploited by malicious people to inject and execute arbitrary SQL queries.
The third vulnerability is due to a buffer overflow error in the Oracle Notification Service (ONS) when processing malformed requests sent to port 6200/TCP, which could be exploited by remote unauthenticated attackers to execute arbitrary commands.
The fourth issue is due to an input validation error in Oracle Application Server when processing requests via the "EmChartBean" component, which could be exploited by remote unauthenticated attackers to access and read the contents of arbitrary files via directory traversal attacks.
The fifth vulnerability is due to an input validation error in Oracle Reports Web Cartridge (RWCGI60) when processing the "genuser" parameter script, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
Other unspecified vulnerabilities have also been identified in various components.
Affected Products
Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 1 version 10.1.0.3
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle Identity Management 10g version 10.1.4.0.1
Oracle Application Server 10g Release 3 version 10.1.3.0.0
Oracle Application Server 10g Release 3 version 10.1.3.1.0
Oracle Application Server 10g Release 2 versions 10.1.2.0.0 through 10.1.2.0.2
Oracle Application Server 10g Release 2 version 10.1.2.1.0
Oracle Application Server 10g Release 2 version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.2
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle Enterprise Manager 10g Grid Control Release 2 version 10.2.0.1
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.4
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.5
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.3
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle Developer Suite, version 9.0.4.3
Oracle Developer Suite, version 10.1.2.0.2
Oracle Developer Suite, version 6i
Oracle8i Database Release 3 version 8.1.7.4
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle9i Database Release 1 version 9.0.1.4
Oracle9i Application Server Release 2 version 9.0.2.3
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle9i Database Release 2 version 9.2.0.5
Oracle9i Database Release 2 version 9.2.0.6
Solution
Apply Oracle Critical Patch Update (January 2007) :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
References
http://www.vupen.com/english/advisories/2007/0210
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
http://www.red-database-security.com/advisory/oracle_xmldb_css2.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aq_inv.html
http://www.red-database-security.com/advisory/oracle_buffer_overflow_ons.html
http://www.symantec.com/enterprise/research/SYMSA-2007-001.txt
Credits
Vulnerabilities reported by Andy Davis (Information Risk Management), Vicente Aguilera Diaz (Internet Security Auditors), Esteban Martinez Fayo (Application Security), Tony Fogarty (BT Global Services), Oliver Karow (Symantec), Joxean Koret, Alexander Kornbrust (Red Database Security), David Litchfield and Mark Litchfield (Next Generation Security Software), and noderat ratty.
ChangeLog
2007-01-17 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
