Oracle Products Multiple Code Execution and SQL Injection Vulnerabilities
Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross-site scripting attacks, or bypass security restrictions.
These issues are caused by errors in the XML DB, Advanced Queuing, Spatial, Upgrade/Downgrade, Ultra Search, Core RDBMS, Jinitiator, BPEL Worklist Application, Forms, JDeveloper, Internet Directory, Mobile Application Server, Application Object Library, Applications Framework, Applications Manager, CRM Technical Foundation, Applications Technology Stack and PeopleTools components.
Affected Products
Oracle Database 11g version 11.1.0.6
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g version 10.1.0.5
Oracle Database 9i Release 2 version 9.2.0.8
Oracle Database 9i Release 2 version 9.2.0.8DV
Oracle Database 9i version 9.0.1.5 FIPS+
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.0.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.1.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.3.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.2
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.1.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle Application Server 9i Release 1 version 1.0.2.2
Oracle Collaboration Suite 10g version 10.1.2
Oracle E-Business Suite Release 12 versions 12.0.0 through 12.0.3
Oracle E-Business Suite Release 11i versions 11.5.9 through 11.5.10 CU2
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise PeopleTools version 8.49
Solution
Apply Oracle Critical Patch Update (January 2008):
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html
References
http://www.vupen.com/english/advisories/2008/0150
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2008.html
Credits
Vulnerabilities reported by CERT/CC, Esteban Martinez Fayo (Application Security, Inc.), Pete Finnigan, Joxean Koret, Alexander Kornbrust (Red Database Security), Ali Kumcu (inTellectPro), David Litchfield (NGS Software), Mariano Nunez Di Croce (CYBSEC S.A.), and Alexandr Polyakov (Digital Security).
ChangeLog
2008-01-16 : Initial release