Some vulnerabilities have been reported in various Oracle products. Some have unknown impact while others can be exploited by malicious users to conduct SQL injection attacks, disclose system information, or manipulate certain data, and by malicious people to conduct cross-site scripting attacks, cause a DoS (Denial of Service), or to compromise a vulnerable system.

1) A vulnerability exists in Oracle Database due to an unspecified function allowing an authenticated user to create or rewrite arbitrary files with escalated privileges.

This vulnerability is reported in Oracle Database 10g R2 10.2.0.3.0 on 32-bit Linux and Windows platforms. Other versions may also be affected.

2) Input passed via a cookie in php/login.php in Oracle Corp.'s Secure Backup Administration Server is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands on an affected system.

3) Input passed via an unspecified parameter in php/common.php in Oracle Corp.'s Secure Backup Administration Server is not properly verified before being used. This can be exploited to inject and execute arbitrary shell commands on an affected system.

Vulnerabilities #2 and #3 are reported in Oracle Corp.'s Secure Backup version 10.2.0.2 for Linux and Secure Backup version 10.2.0.2 for Windows. Other versions may also be affected.

4) Input passed via an unspecified parameter in common.php in Oracle Corp.'s Secure Backup Administration Server is not properly sanitised before being used. This can be exploited to inject and execute arbitrary shell commands on an affected system.

This vulnerability is reported in Oracle Corp.'s Secure Backup version 10.1.0.3 for Linux. Other versions may also be affected.

5) Certain input is not properly sanitised before being used when executing the "MDSYS.SDO_TOPO_DROP_FTBL" trigger. This can be exploited manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability allows performing certain actions as the MDSYS user, but requires "CREATE SESSION" privileges.

This vulnerability is reported in Oracle 10g R1 and R2 (10.1.0.5 and 10.2.0.2). Other versions may also be affected.

6) Input passed via the URL to BPELConsole/default/activities.jsp is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in an administrator's browser session in context of an affected site.

This vulnerability is reported in Oracle Application Server (SOA) version 10.1.3.1.0. Other versions may also be affected.

7) A format string error in exists in Oracle TimesTen within the "evtdump" command when writing to an internal log file. This can potentially be exploited to execute arbitrary code via a specially crafted string passed via the "msg" parameter.

This vulnerability is reported in TimesTen prior to version 7.0.5.1.0.

8) Input passed via the "rbtool" parameter to login.php in Oracle Secure Backup Administration Server is not properly sanitised before being used in a call to "popen()" in "exec_qr()". This can be exploited to inject and execute arbitrary shell commands on an affected system.

This is related to vulnerability #1.

This vulnerability is reported in Oracle Secure Backup version 10.1.0.3 to 10.2.0.2.

9) A boundary error within "obndmp.exe" in Oracle Secure Backup when processing NDMP client authentication packets can be exploited to cause a buffer overflow and execute arbitrary code via a specially crafted packet sent to port 10000/TCP.

10 Three unspecified errors within "obndmp.exe" in Oracle Secure Backup when processing NDMP packets can be exploited to cause a DoS by sending specially crafted "connect open", "connect close", or "mover get state" packets to an affected system.

11) A null-pointer dereference error within "observiced.exe" in Oracle Secure Backup when processing private protocol data can be exploited to cause a crash by sending specially crafted data to port 400/TCP.

12) A security issue in Oracle E-Business Suite can be exploited by malicious users to disclose certain system information.

13) An unspecified error in the "ODCITABLESTART" procedure within the "SYS.OLAPIMPL_T" package in Oracle Database Server version 9iR2 can be exploited to cause a buffer overflow.

Successful exploitation may allow execution of arbitrary code.

14) Input passed via the "TARGET" parameter in /em/console/reports/admin of the web application in Oracle Enterprise Manager 10g Grid Control is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available.

The vulnerabilities are reported in the following products and versions:
* Oracle Database 11g, version 11.1.0.6
* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Secure Backup version 10.2.0.2, 10.2.0.3
* Oracle Secure Backup version 10.1.0.1, 10.1.0.2, 10.1.0.3
* Oracle TimesTen In-Memory Database version 7.0.5.1.0, 7.0.5.2.0, 7.0.5.3.0, 7.0.5.4.0
* Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.2.0, 10.1.2.3.0
* Oracle Collaboration Suite 10g, version 10.1.2
* Oracle E-Business Suite Release 12, version 12.0.6
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* Oracle Enterprise Manager Grid Control 10g Release 4, versions 10.2.0.4
* PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
* JD Edwards Tools version 8.97

Solution
Apply the patches (see the vendor's advisory).

Provided and/or discovered by
The vendor credits:
* Deniz Cevik, Intellect
* Andy Davis, Information Risk Management Plc (IRM Plc)
* Franz Huell, Red Database Security
* Wasim Iqbal
* Alexander Kornbrust, Red Database Security
* Sasa Kos, ACROS Security
* Andy Sch., Centre for the Protection of National Infrastructure
* Daiki Fukumori [Secure Sky Technology], JPCERT/CC Vulnerability Handling Team
* Geoff Whittington, Assurent Secure Technologies

1) Code Audit Labs, reported via iDefense
2, 3, 4) An anonymous person, reported via iDefense
5) David Litchfield, NGS Software
6) Alexandr Polyakov, Digital Security Reasearch Group
7, 8) Joxean Koret
9 - 11) Xiaopeng Zhang and Zhenhua Liu, Fortinet, Inc.
12) Aditya K. Sood, SecNiche Security
13, 14) Esteban Martinez Fayo, Application Security, Inc.

Changelog
Further details available in Customer Area

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=767
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-003/
http://www.zerodayinitiative.com/advisories/ZDI-09-004/

Joxean Koret:
http://joxeankoret.com/blog/?p=39
http://joxeankoret.com/blog/?p=41

Fortinet, Inc:
http://www.fortiguardcenter.com/advisory/FGA-2009-02.html

SecNiche Security:
http://www.secniche.org/orabs.html

Application Security, Inc:
http://www.appsecinc.com/resources/alerts/oracle/2009-02.shtml
http://www.appsecinc.com/resources/alerts/oracle/2009-01.shtml

Deep Links
Links available in Customer Area