Secunia

73 vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of sensitive information, conduct cross-site scripting attacks, manipulate data, or cause a DoS (Denial of Service).

Details have been disclosed for the following vulnerabilities:

1) Input passed to the "CHANGE_SET_NAME" parameter of the "CREATE_SCN_CHANGE_SET" procedure is not properly sanitised and can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires execute permissions on the dbms_cdc_ipublish package.

2) Input passed to the "SUBSCRIPTION_NAME" parameter used in various procedures of the dbms_cdc_subscribe and dbms_cdc_isubscribe packages is not properly sanitised and can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires execute permissions on the dbms_cdc_subscribe or dbms_cdc_isubscribe package.

3) Input passed to the "OBJECT_TYPE" parameter used in various procedures of the dbms_metadata package is not properly sanitised and can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires execute permissions on the dbms_metadata package.

4) Input passed to the "CHANGE_SOURCE_NAME" parameter of the "ALTER_MANUALLOG_CHANGE_SOURCE" procedure is not properly sanitised and can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation requires execute permissions on the dbms_cdc_ipublish package.

5) An error within the Oracle interMedia system can be exploited to consume all available CPU resources via e.g. a specially crafted file.

6) Some input passed to the web interface of Oracle HTMLDB isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

7) The problem is that the SYS password is logged in clear text into the file "install.lst" when installing HTMLDB.

The following supported products are affected by one or more of the 73 vulnerabilities:
* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.3.1, 10.1.0.4.
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.4 (9.0.1.5 FIPS)
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle Application Server 10g Release 2 (10.1.2)
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
* Oracle E-Business Suite and Applications Release 11i, versions 11.5.0 through 11.5.10
* Oracle E-Business Suite and Applications Release 11.0
* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
* Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
* PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
* PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher

NOTE: Consult the original vendor advisory for a vulnerability matrix detailing affected components, requirements, and impact.

Solution
Apply patches (see vendor advisory).
Further details available in Customer Area

Provided and/or discovered by
1-5) Esteban MartÌnez Fayó, Argeniss.
6-7) Alexander Kornbrust, Red Database Security.

The vendor furthermore credits the following people:
* Stephen Kost, Integrigy.
* David Litchfield, NGSSoftware.

Changelog
Further details available in Customer Area

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

NGSSoftware:
http://www.ngssoftware.com/advisories/oracle-03.txt

Argeniss:
http://www.appsecinc.com/resources/alerts/oracle/2005-01.html
http://www.appsecinc.com/resources/alerts/oracle/2005-02.html
http://www.appsecinc.com/resources/alerts/oracle/2005-03.html
http://www.appsecinc.com/resources/alerts/oracle/2005-04.html
http://www.appsecinc.com/resources/alerts/oracle/2005-05.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_htmldb_css.html
http://www.red-database-security.com/advisory/oracle_htmldb_plaintext_password.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area