Secunia CSI7
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading
Highly critical

Oracle Products Multiple Vulnerabilities and Security Issues

-

Release Date:  2006-01-18    Last Update:  2006-08-07    Views:  35,955

Secunia Advisory SA18493

Where:

From remote

Impact:

Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information, System access

Solution Status:

Vendor Patch

CVE Reference(s):

Description


82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, conduct SQL injection attacks and compromise a vulnerable system.

Details have been disclosed for the following vulnerabilities:

1) Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, DBMS_METADATA_INT, DBMS_METADATA, CTXSYS.DRILOAD, CTXSYS.DRIDML, CTXSYS.CTX_DOC, CTXSYS.CTX_QUERY, and CATINDEXMETHODS Oracle PL/SQL packages is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

3) Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

4) Design errors in the Oracle Database causes the Oracle TDE (Transparent Data Encryption) wallet password to be logged in cleartext, and the masterkey for the TDE wallet to be stored unencrypted.

The security issues have been reported in Oracle Database 10g Release 2 version 10.2.0.1.

5) Some errors in the Reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports.

For more information, see #2, #3, and #4 in:
SA16092

The vulnerability has been reported in versions 1.0.2.0 through 10.1.0.2.

6) Unspecified input is not properly sanitised in the "sys.dbms_metadata" package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

7) Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges.

The vulnerability has been reported in Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).

8) Some boundary errors exist in the GENERATESCHEMA and GENERATESCHEMAS public procedures in the DBMS_XMLSCHEMA and DBMS_XMLSCHEMA_INT PL/SQL packages. This can be exploited by malicious users to execute arbitrary code on the database server via overly long parameters passed to the procedures.

The vulnerability has been reported in Oracle Database Server version 9i Release 2 and 10g Release 1.

The following supported products are affected by one or more of the 82 vulnerabilities:
* Oracle Database 10g Release 2, version 10.2.0.1
* Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
* Oracle8i Database Release 3, version 8.1.7.4
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
* Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
* JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1


Solution:
Apply patches (see vendor advisory).

Provided and/or discovered by:
1-6) Alexander Kornbrust, Red Database Security.
7) Amichai Shulman
8) Esteban Martínez Fayo, Argeniss.

Original Advisory:
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html
http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html
http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html
http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_metadata.html

Imperva:
http://www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html

Argeniss:
http://www.argeniss.com/research/ARGENISS-ADV-010601.txt

Deep Links:
Links available to Secunia VIM customers

Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Oracle Products Multiple Vulnerabilities and Security Issues

No posts yet

-

You must be logged in to post a comment.



 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2014 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability