|
|
>> Oracle Products Multiple Code Execution and SQL Injection Vulnerabilities
|
Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross site scripting attacks, or bypass security restrictions. These issues are caused by errors in the Import, Export, Oracle Text, Spatial, Workspace Manager, Advanced Security Option, Core RDBMS, Database Control, Oracle Database Vault, Oracle Net Services, XML DB, Oracle Internet Directory, Oracle Help for Web, Advanced Queuing, SQL Execution, Oracle Process Mgmt & Notification, Oracle Portal, Oracle HTTP Server, Oracle Containers for J2EE, Oracle Single Sign-On, Oracle Application Object Library, Oracle Contracts Integration, Oracle Public Sector Human Resources, Oracle Marketing, Oracle Quoting, Oracle Exchange and Oracle Self-Service Web Applications components.
Affected Products
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g version 10.1.0.5
Oracle Database 9i Release 2 version 9.2.0.8
Oracle Database 9i Release 2 version 9.2.0.8DV
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.0.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.1.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.2.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.3.0
Oracle Application Server 10g Release 2 (10.1.2) versions 10.1.2.0.1 through 10.1.2.0.2
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.1.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle Collaboration Suite 10g version 10.1.2
Oracle E-Business Suite Release 12 versions 12.0.0 through 12.0.3
Oracle E-Business Suite Release 11i versions 11.5.8 through 11.5.10 CU2
Oracle Enterprise Manager Database Control 10g Release 2 version 10.2.0.2
Oracle Enterprise Manager Database Control 10g Release 2 version 10.2.0.3
Oracle Enterprise Manager Database Control 10g Release 1 version 10.1.0.5
Oracle Enterprise Manager Grid Control 10g Release 1 version 10.1.0.5
Oracle Enterprise Manager Grid Control 10g Release 1 version 10.1.0.6
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise PeopleTools version 8.49
Oracle PeopleSoft Enterprise Human Capital Management version 8.9 (Absence Management Module)
Oracle PeopleSoft Enterprise Human Capital Management version 9.0 (Absence Management Module)
Solution
Apply Oracle Critical Patch Update (October 2007) :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
References
http://www.vupen.com/english/advisories/2007/3524
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2007.html
Credits
Vulnerabilities reported by Esteban Martinez Fayo (Application Security), Johannes Greil (SEC Consult), Joxean Koret, Zero Day Initiative, Alexander Kornbrust (Red Database Security) and David Litchfield (Next Generation Security Software).
ChangeLog
2007-10-17 : Initial release
Vulnerability Management
Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form. | |
|
