Secunia SmallBusiness
Overview
Advisories
Research
Forums
Create Profile
Our Commitment
Database
Search
Advisories by Product
Advisories by Vendor
Terminology
Report Vulnerability
Insecure Library Loading

Secunia Advisory SA18493

Oracle Products Multiple Vulnerabilities and Security Issues
Secunia Advisory SA18493
Secunia VIM 4.0 - Free Trial
Release Date 2006-01-18
Last Update 2006-08-07
   
Popularity 34,936 views
Comments 0 comments

Criticality level Highly criticalHighly critical
Impact Unknown
Manipulation of data
Exposure of system information
Exposure of sensitive information
System access
Where From remote
Authentication level This information is available to Secunia VIM customers
   
Report reliability This information is available to Secunia VIM customers
Solution Status Vendor Patch
   
   
3rd party PoC/exploit Link available in Customer Area
Systems affected This information is available to Secunia VIM customers
Approve distribution This information is available to Secunia VIM customers
   
Software:
JD Edwards EnterpriseOne Tools 8.x
Oracle Application Server 10g
Oracle Collaboration Suite 10.x
Oracle Database 10.x
Oracle Database 8.x
Oracle Developer Suite 10g
Oracle E-Business Suite 11i
Oracle Enterprise Manager 10.x
Oracle PeopleSoft Enterprise Portal Solutions 8.x
Oracle9i Application Server
Oracle9i Collaboration Suite
Oracle9i Database Enterprise Edition
Oracle9i Database Standard Edition
Oracle9i Developer Suite

Secunia CVSS Score This information is available to Secunia VIM Customers
CVE Reference(s) CVE-2005-2371 CVSS score available to Secunia VIM customers
CVE-2005-2378 CVSS score available to Secunia VIM customers
CVE-2006-0256 CVSS score available to Secunia VIM customers
CVE-2006-0257 CVSS score available to Secunia VIM customers
CVE-2006-0258 CVSS score available to Secunia VIM customers
CVE-2006-0259 CVSS score available to Secunia VIM customers
CVE-2006-0260 CVSS score available to Secunia VIM customers
CVE-2006-0261 CVSS score available to Secunia VIM customers
CVE-2006-0262 CVSS score available to Secunia VIM customers
CVE-2006-0263 CVSS score available to Secunia VIM customers
CVE-2006-0264 CVSS score available to Secunia VIM customers
CVE-2006-0265 CVSS score available to Secunia VIM customers
CVE-2006-0266 CVSS score available to Secunia VIM customers
CVE-2006-0267 CVSS score available to Secunia VIM customers
CVE-2006-0268 CVSS score available to Secunia VIM customers
CVE-2006-0269 CVSS score available to Secunia VIM customers
CVE-2006-0270 CVSS score available to Secunia VIM customers
CVE-2006-0271 CVSS score available to Secunia VIM customers
CVE-2006-0272 CVSS score available to Secunia VIM customers
CVE-2006-0273 CVSS score available to Secunia VIM customers
CVE-2006-0274 CVSS score available to Secunia VIM customers
CVE-2006-0275 CVSS score available to Secunia VIM customers
CVE-2006-0276 CVSS score available to Secunia VIM customers
CVE-2006-0277 CVSS score available to Secunia VIM customers
CVE-2006-0278 CVSS score available to Secunia VIM customers
CVE-2006-0279 CVSS score available to Secunia VIM customers
CVE-2006-0280 CVSS score available to Secunia VIM customers
CVE-2006-0281 CVSS score available to Secunia VIM customers
CVE-2006-0282 CVSS score available to Secunia VIM customers
CVE-2006-0283 CVSS score available to Secunia VIM customers
CVE-2006-0284 CVSS score available to Secunia VIM customers
CVE-2006-0285 CVSS score available to Secunia VIM customers
CVE-2006-0286 CVSS score available to Secunia VIM customers
CVE-2006-0287 CVSS score available to Secunia VIM customers
CVE-2006-0288 CVSS score available to Secunia VIM customers
CVE-2006-0289 CVSS score available to Secunia VIM customers
CVE-2006-0290 CVSS score available to Secunia VIM customers
CVE-2006-0291 CVSS score available to Secunia VIM customers
CVE-2006-0547 CVSS score available to Secunia VIM customers
CVE-2006-0548 CVSS score available to Secunia VIM customers
CVE-2006-0549 CVSS score available to Secunia VIM customers
CVE-2006-0550 CVSS score available to Secunia VIM customers
CVE-2006-0551 CVSS score available to Secunia VIM customers
CVE-2006-0586 CVSS score available to Secunia VIM customers
CVE-2006-0552 CVSS score available to Secunia VIM customers
  

Description

82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, conduct SQL injection attacks and compromise a vulnerable system.

Details have been disclosed for the following vulnerabilities:

1) Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, DBMS_METADATA_INT, DBMS_METADATA, CTXSYS.DRILOAD, CTXSYS.DRIDML, CTXSYS.CTX_DOC, CTXSYS.CTX_QUERY, and CATINDEXMETHODS Oracle PL/SQL packages is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

3) Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

4) Design errors in the Oracle Database causes the Oracle TDE (Transparent Data Encryption) wallet password to be logged in cleartext, and the masterkey for the TDE wallet to be stored unencrypted.

The security issues have been reported in Oracle Database 10g Release 2 version 10.2.0.1.

5) Some errors in the Reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports.

For more information, see #2, #3, and #4 in:
SA16092

The vulnerability has been reported in versions 1.0.2.0 through 10.1.0.2.

6) Unspecified input is not properly sanitised in the "sys.dbms_metadata" package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

7) Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges.

The vulnerability has been reported in Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).

8) Some boundary errors exist in the GENERATESCHEMA and GENERATESCHEMAS public procedures in the DBMS_XMLSCHEMA and DBMS_XMLSCHEMA_INT PL/SQL packages. This can be exploited by malicious users to execute arbitrary code on the database server via overly long parameters passed to the procedures.

The vulnerability has been reported in Oracle Database Server version 9i Release 2 and 10g Release 1.

The following supported products are affected by one or more of the 82 vulnerabilities:
* Oracle Database 10g Release 2, version 10.2.0.1
* Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
* Oracle8i Database Release 3, version 8.1.7.4
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
* Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
* JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1


Solution
Apply patches (see vendor advisory).

Provided and/or discovered by
1-6) Alexander Kornbrust, Red Database Security.
7) Amichai Shulman
8) Esteban Martínez Fayo, Argeniss.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html
http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html
http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html
http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_metadata.html

Imperva:
http://www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html

Argeniss:
http://www.argeniss.com/research/ARGENISS-ADV-010601.txt

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers


Do you have additional information related to this advisory?

Please provide information about patches, mitigating factors, new versions, exploits, faulty patches, links, and other relevant data by posting comments to this Advisory. You can also send this information to vuln@secunia.com

Subject: Oracle Products Multiple Vulnerabilities and Security Issues
 
No posts yet

-

You must be logged in to post a comment.




 Products Solutions Customers Partner Resources Company
 
 Corporate
Vulnerability Intelligence Manager (VIM)
Corporate Software Inspector (CSI)
Consumer
Personal Software Inspector (PSI)
Online Software Inspector (OSI)
 Industry
Compliance
Technology
Integration
 Customers
Testimonials
 VARS
MSSP
Technology Partners
References
 Factsheets
Reports
Webinars
Events
 About us
Careers
Memberships
Newsroom


 
© 2002-2013 Secunia ApS - Rued Langgaards Vej 8, 4th floor, DK-2300 Copenhagen, Denmark - +45 7020 5144
Terms & Conditions and Copyright - Privacy - Report Vulnerability