|
 |
|
Oracle Products Multiple Unspecified Vulnerabilities
|
|
|
|
|
Secunia Advisory:
|
SA15991
|
|
|
Release Date:
|
2005-07-13
|
|
Last Update:
|
2006-02-07
|
|
|
Critical:
|

Moderately critical
|
|
Impact:
|
Unknown Cross Site Scripting Manipulation of data Exposure of sensitive information DoS
|
|
Where:
|
From remote
|
|
Solution Status:
|
Partial Fix
|
|
| Software: | Oracle Application Server 10g Oracle Applications 11.x Oracle Applications 11i Oracle Database 10.x Oracle Database 8.x Oracle E-Business Suite 11i Oracle Enterprise Manager 10.x Oracle Enterprise Manager 9.x Oracle JInitiator 1.x Oracle9i Application Server Oracle9i Collaboration Suite Oracle9i Database Enterprise Edition Oracle9i Database Standard Edition
|
| | CVE reference: | CVE-2005-2291 (Secunia mirror) CVE-2005-2292 (Secunia mirror) CVE-2005-2293 (Secunia mirror) CVE-2005-2294 (Secunia mirror) CVE-2005-3204 (Secunia mirror) CVE-2005-3205 (Secunia mirror) CVE-2005-3206 (Secunia mirror) CVE-2005-3207 (Secunia mirror)
|
|
|
|
|
|
Description: 47 vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct cross-site scripting attacks, cause a DoS (Denial of Service), gain knowledge of sensitive information, or to manipulate data.
Details have been disclosed for the following vulnerabilities:
1) JDeveloper starts sqlplus using a plain text password as a parameter.
2) Database passwords are stored in plain text in the JDeveloper configuration files, "IDEConnections.xml", "XSQLConfig.xml", and "settings.xml" .
3) Temporary files created by Oracle Forms Builder in the local "temp" directory contain plain text username and password of the current database connection used by Forms Builder. These files are not deleted when Forms Builder exits.
4) Oracle Forms application creates a temporary file in the "/tmp" directory of the application server if the number of records retrieved from the database exceeds the parameter "buffered records". This temporary file is world-readable and contains an unencrypted copy of the retrieved database records. This potentially allows local users to gain knowledge of sensitive information.
5) Several unspecified SQL injection and parameter manipulation vulnerabilities in the Oracle E-Business Suite can be exploited to execute malicious SQL statements in the database with privileges of the application database account.
6) An unspecified error in the CWM2_OLAP_AW_AWUTIL package can be exploited by malicious users to cause a DoS.
7) Certain input passed to the init function in the ORASSO.WPG_SESSION package and the EventQueueDisplay function in the OWF_MGR.WF_EVENT_HTML package isn't properly verified. This can be exploited to inject and execute arbitrary SQL code with the privileges of the package owner.
8) Certain input passed to the web interface of Oracle XMLDB and Oracle iSQL*Plus isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.
9) The problem is that it is possible to shut down the TNS Listener via a specially crafted URL in Oracle Forms and iSQL*Plus.
The following supported products are affected by one or more of the vulnerabilities:
* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle8 Database Release 8.0.6, version 8.0.6.3
* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
* Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
* Oracle Enterprise Manager Application Server Control, versions 9.0.4.0, 9.0.4.1
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
* Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
* Oracle E-Business Suite and Applications Release 11.0
* Oracle Workflow, versions 11.5.1 through 11.5.9.5
* Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
* Oracle JInitiator, versions 1.1.8, 1.3.1
* Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2
* Oracle Express Server, version 6.3.4.0
Solution: Apply patches.
http://metalink.oracle.com/metalink/p...t?p_database_id=NOT&p_id=311088.1
Oracle reportedly forgot to address one of the DoS vulnerabilities in version 9iR2. Remove EXECUTE permissions on the CWM2_OLAP_AW_AWUTIL package for untrusted users.
Provided and/or discovered by: 1-4, 8-9) Alexander Kornbrust, Red Database Security.
5) Stephen Kost, Integrigy.
6) Esteban Martínez Fayó, Argeniss.
7) Aaron Newman, Application Security Inc.
The vendor also credits the following people:
* Gerhard Eschelbeck, Qualys Inc.
* Esteban Martínez Fayó, Application Security Inc.
* David Litchfield, NGSSoftware.
* Michael Murray, nCircle Network Security.
* Mike Sues, Rigel Kent Security.
Changelog: 2005-07-14: Added link to US-CERT vulnerability note.
2005-07-15: Added additional link to Red Database Security.
2005-07-18: Added CVE references.
2005-07-25: Added information about additional vulnerability, which the vendor by mistake didn't fix in Oracle Database Server 9iR2.
2005-08-04: Added information provided by Application Security Inc.
2005-10-07: Added details provided by Alexander Kornbrust.
2006-01-19: Added CVE references.
2006-02-07: Updated affected software.
Original Advisory: Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html
Red Database Security:
http://www.red-database-security.com/...eloper_passes_plaintext_password.html
http://www.red-database-security.com/...le_jdeveloper_plaintext_password.html
http://www.red-database-security.com/...cle_formsbuilder_temp_file_issue.html
http://www.red-database-security.com/...orms_unsecure_temp_file_handling.html
http://www.red-database-security.com/...pu_july_2005_silently_fixed_bugs.html
http://www.red-database-security.com/advisory/oracle_xmldb_css.html
http://www.red-database-security.com/advisory/oracle_isqlplus_css.html
http://www.red-database-security.com/advisory/oracle_forms_shutdown.html
http://www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html
Integrigy:
http://www.integrigy.com/alerts/OraCPU0705.htm
Argeniss:
http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILVuln.txt
Application Security Inc:
http://www.appsecinc.com/resources/alerts/oracle/2005-06.html
http://www.appsecinc.com/resources/alerts/oracle/2005-07.html
http://www.appsecinc.com/resources/alerts/oracle/2005-08.html
http://www.appsecinc.com/resources/alerts/oracle/2005-09.html
Other References: US-CERT VU#613562:
http://www.kb.cert.org/vuls/id/613562
|
|
|
|
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
|
|
|
53 Related Secunia Security Advisories, displaying 10
|
|
|
1. Oracle Products Multiple Vulnerabilities
|
|
2. Oracle Application Server Portal Authentication Bypass
|
|
3. Oracle Products Multiple Vulnerabilities
|
|
4. Oracle Products Multiple Vulnerabilities
|
|
5. Oracle Database PITRIG_DROPMETADATA Buffer Overflow Vulnerability
|
|
6. Oracle Products Multiple Vulnerabilities
|
|
7. Oracle JInitiator "beans.ocx" ActiveX Control Buffer Overflow Vulnerabilities
|
|
8. Oracle Products Multiple Vulnerabilities
|
|
9. Oracle Rapid Install Cross-Site Scripting Vulnerability
|
|
10. Oracle Products Multiple Vulnerabilities
|
Show all related advisories
|
|
|
Send Feedback to Secunia
|
|
If you have new information regarding this Secunia advisory or a product in our database, please send it to us using either our web form or email us at vuln@secunia.com.
Ideas, suggestions, and other feedback are most welcome.
|
|
|
|

|
 |
Secunia PSI Scan | Patch | Track Free Download
|
|
|
Secunia Poll
|
|
|
|
|
 |
|
|
Most Popular Advisories
|
|
|
|
|
|