82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, conduct SQL injection attacks and compromise a vulnerable system.

Details have been disclosed for the following vulnerabilities:

1) Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, DBMS_METADATA_INT, DBMS_METADATA, CTXSYS.DRILOAD, CTXSYS.DRIDML, CTXSYS.CTX_DOC, CTXSYS.CTX_QUERY, and CATINDEXMETHODS Oracle PL/SQL packages is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

3) Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

4) Design errors in the Oracle Database causes the Oracle TDE (Transparent Data Encryption) wallet password to be logged in cleartext, and the masterkey for the TDE wallet to be stored unencrypted.

The security issues have been reported in Oracle Database 10g Release 2 version 10.2.0.1.

5) Some errors in the Reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports.

For more information, see #2, #3, and #4 in:
SA16092

The vulnerability has been reported in versions 1.0.2.0 through 10.1.0.2.

6) Unspecified input is not properly sanitised in the "sys.dbms_metadata" package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

7) Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges.

The vulnerability has been reported in Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).

8) Some boundary errors exist in the GENERATESCHEMA and GENERATESCHEMAS public procedures in the DBMS_XMLSCHEMA and DBMS_XMLSCHEMA_INT PL/SQL packages. This can be exploited by malicious users to execute arbitrary code on the database server via overly long parameters passed to the procedures.

The vulnerability has been reported in Oracle Database Server version 9i Release 2 and 10g Release 1.

The following supported products are affected by one or more of the 82 vulnerabilities:
* Oracle Database 10g Release 2, version 10.2.0.1
* Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
* Oracle8i Database Release 3, version 8.1.7.4
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
* Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
* JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

Solution
Apply patches (see vendor advisory).

Provided and/or discovered by
1-6) Alexander Kornbrust, Red Database Security.
7) Amichai Shulman
8) Esteban Martínez Fayo, Argeniss.

Changelog
Further details available in Customer Area

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html
http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html
http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html
http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_metadata.html

Imperva:
http://www.imperva.com/application_defense_center/papers/oracle-dbms-01172006.html

Argeniss:
http://www.argeniss.com/research/ARGENISS-ADV-010601.txt

Other references
Further details available in Customer Area

Deep Links
Links available in Customer Area