|
|
>> Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities
|
Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross site scripting attacks, or bypass security restrictions. These issues are caused by errors in JavaVM, Advanced Queuing, DataGuard, Data Mining, Oracle Text, PL/SQL, Rules Manager, Spatial, Internet Directory, Progam Interface, SQL Compiler, Application Express, Jdeveloper, and Single Sign On components.
Affected Products
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 2 version 9.2.0.8DV
Oracle9i Database version 9.0.1.5 FIPS+
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle Application Express (HTML DB) versions 1.5 through 2.2
Oracle Secure Enterprise Search 10g version 10.1.6
Oracle Secure Enterprise Search 10g version 10.1.8
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.0.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.1.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.2.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.3.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.1
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.2
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.1.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle10g Collaboration Suite version 10.1.2
Oracle E-Business Suite Release 11i versions 11.5.8 through 11.5.10 CU2
Oracle E-Business Suite Release 12 version 12.0.0
Oracle E-Business Suite Release 12 version 12.0.1
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise PeopleTools version 8.49
Oracle PeopleSoft Enterprise Human Capital Management version 8.9
Oracle PeopleSoft Enterprise Human Capital Management version 9.0
Oracle PeopleSoft Enterprise Customer Relationship Management version 8.9
Oracle PeopleSoft Enterprise Customer Relationship Management version 9.0
Solution
Apply Oracle Critical Patch Update (July 2007) :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
References
http://www.vupen.com/english/advisories/2007/2562
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html
http://www.red-database-security.com/advisory/oracle_apex_sql_injection_check_db_password.html
http://www.red-database-security.com/advisory/oracle_view_vulnerability.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_prvtaqis.html
Credits
Vulnerabilities reported by Esteban Martinez Fayo (Application Security), Jack Kanter and Stephen Kost (Integrigy), Guy Karlebach (Imperva), Joxean Koret, Alexander Kornbrust (Red Database Security), Michael Krax, David Litchfield and Paul M. Wright (Next Generation Security Software).
ChangeLog
2007-07-18 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time e-mail and SMS alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
