Secunia

47 vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct cross-site scripting attacks, cause a DoS (Denial of Service), gain knowledge of sensitive information, or to manipulate data.

Details have been disclosed for the following vulnerabilities:

1) JDeveloper starts sqlplus using a plain text password as a parameter.

2) Database passwords are stored in plain text in the JDeveloper configuration files, "IDEConnections.xml", "XSQLConfig.xml", and "settings.xml" .

3) Temporary files created by Oracle Forms Builder in the local "temp" directory contain plain text username and password of the current database connection used by Forms Builder. These files are not deleted when Forms Builder exits.

4) Oracle Forms application creates a temporary file in the "/tmp" directory of the application server if the number of records retrieved from the database exceeds the parameter "buffered records". This temporary file is world-readable and contains an unencrypted copy of the retrieved database records. This potentially allows local users to gain knowledge of sensitive information.

5) Several unspecified SQL injection and parameter manipulation vulnerabilities in the Oracle E-Business Suite can be exploited to execute malicious SQL statements in the database with privileges of the application database account.

6) An unspecified error in the CWM2_OLAP_AW_AWUTIL package can be exploited by malicious users to cause a DoS.

7) Certain input passed to the init function in the ORASSO.WPG_SESSION package and the EventQueueDisplay function in the OWF_MGR.WF_EVENT_HTML package isn't properly verified. This can be exploited to inject and execute arbitrary SQL code with the privileges of the package owner.

8) Certain input passed to the web interface of Oracle XMLDB and Oracle iSQL*Plus isn't properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

9) The problem is that it is possible to shut down the TNS Listener via a specially crafted URL in Oracle Forms and iSQL*Plus.

The following supported products are affected by one or more of the vulnerabilities:
* Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.1.5 FIPS
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle8 Database Release 8.0.6, version 8.0.6.3
* Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
* Oracle Enterprise Manager 10g Database Control, versions 10.1.0.2, 10.1.0.3, 10.1.0.4
* Oracle Enterprise Manager Application Server Control, versions 9.0.4.0, 9.0.4.1
* Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
* Oracle E-Business Suite and Applications Release 11i, versions 11.5.1 through 11.5.10
* Oracle E-Business Suite and Applications Release 11.0
* Oracle Workflow, versions 11.5.1 through 11.5.9.5
* Oracle Forms and Reports, versions 4.5.10.22, 6.0.8.25
* Oracle JInitiator, versions 1.1.8, 1.3.1
* Oracle Developer Suite, versions 9.0.2.3, 9.0.4, 9.0.4.1, 9.0.5, 10.1.2
* Oracle Express Server, version 6.3.4.0

Solution
Apply patches.
Further details available in Customer Area

Provided and/or discovered by
1-4, 8-9) Alexander Kornbrust, Red Database Security.
5) Stephen Kost, Integrigy.
6) Esteban Martínez Fayó, Argeniss.
7) Aaron Newman, Application Security Inc.

The vendor also credits the following people:
* Gerhard Eschelbeck, Qualys Inc.
* Esteban Martínez Fayó, Application Security Inc.
* David Litchfield, NGSSoftware.
* Michael Murray, nCircle Network Security.
* Mike Sues, Rigel Kent Security.

Changelog
Further details available in Customer Area

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujul2005.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_jdeveloper_passes_plaintext_password.html
http://www.red-database-security.com/advisory/oracle_jdeveloper_plaintext_password.html
http://www.red-database-security.com/advisory/oracle_formsbuilder_temp_file_issue.html
http://www.red-database-security.com/advisory/oracle_forms_unsecure_temp_file_handling.html
http://www.red-database-security.com/whitepaper/cpu_july_2005_silently_fixed_bugs.html
http://www.red-database-security.com/advisory/oracle_xmldb_css.html
http://www.red-database-security.com/advisory/oracle_isqlplus_css.html
http://www.red-database-security.com/advisory/oracle_forms_shutdown.html
http://www.red-database-security.com/advisory/oracle_isqlplus_shutdown.html

Integrigy:
http://www.integrigy.com/alerts/OraCPU0705.htm

Argeniss:
http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILVuln.txt

Application Security Inc:
http://www.appsecinc.com/resources/alerts/oracle/2005-06.html
http://www.appsecinc.com/resources/alerts/oracle/2005-07.html
http://www.appsecinc.com/resources/alerts/oracle/2005-08.html
http://www.appsecinc.com/resources/alerts/oracle/2005-09.html

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area