Some vulnerabilities have been reported in various Oracle products. Some have unknown impacts, others can be exploited by malicious users to conduct SQL injection attacks, disclose sensitive information, or compormise a vulnerable system, and by malicious people to compromise a vulnerable system.

1) A format string error exists within the Oracle Process Manager and Notification (opmn) daemon, which can be exploited to execute arbitrary code via a specially crafted POST request to port 6000/TCP.

2) Input passed to the "DBMS_AQIN" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

3) An error in the Application Express component included in Oracle Database can be exploited by unprivileged database users to disclose APEX password hashes in "LOWS_030000.WWV_FLOW_USER".

4) Input passed to the "DBMS_AQADM_SYS" package is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

5) Input passed to the "ROLLBACKWORKSPACE" procedure within the "LT" PL/SQL package of the Oracle Workspace Manager component is not properly sanitised before being used. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

6) Two boundary errors exist within Oracle's Outside In Technology when processing Microsoft Excel spreadsheet files. This can be exploited to cause stack-based buffer overflows by sending specially crafted Microsoft Excel files to an application using the conversion engine.

7) Various integer overflow errors exist within Oracle's Outside In Technology when processing certain optional data streams in Microsoft Office files. This can be exploited to cause heap-based buffer overflows by e.g. sending specially crafted Microsoft Office documents to an application using the conversion engine.

8) An integer overflow error exists within Oracle's Outside In Technology when processing Microsoft Excel spreadsheet files. This can be exploited to cause heap-based buffer overflows by sending specially crafted Microsoft Excel files to an application using the conversion engine.

9) A boundary error exists within Oracle's Outside In Technology when processing certain records in Microsoft Excel spreadsheet files. This can be exploited to cause a stack-based buffer overflow by sending specially crafted Microsoft Excel files to an application using the conversion engine.

10) The application fails to properly track user passwords if 11g passwords are exclusively enabled. This can potentially result in the same password being used multiple times.

11) A boundary error exists in Oracle Database when processing the plan name parameter used in the "ALTER SYSTEM SET RESOURCE_MANAGER_PLAN" statement and in the "SYS.DBMS_RESOURCE_MANAGER.SWITCH_PLAN" procedure. This can be exploited to cause a buffer overflow and potentially execute arbitrary code.

Successful exploitation of this vulnerability requires "ALTER SYSTEM" privileges.

The remaining vulnerabilities are caused due to unspecified errors. No more information is currently available.

The vulnerabilities are reported in the following products and versions:
* Oracle Database 11g, version 11.1.0.6, 11.1.0.7
* Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Application Server 10g Release 2 (10.1.2), version 10.1.2.3.0
* Oracle Outside In SDK HTML Export 8.2.2, 8.3.0
* Oracle XML Publisher 5.6.2, 10.1.3.2, 10.1.3.2.1
* Oracle BI Publisher 10.1.3.3.0 10.1.3.3.1, 10.1.3.3.2, 10.1.3.3.3, 10.1.3.4
* Oracle E-Business Suite Release 12, version 12.0.6
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* PeopleSoft Enterprise PeopleTools versions: 8.49
* PeopleSoft Enterprise HRMS versions: 8.9 and 9.0

Solution
Apply the patches (please see the vendor's advisory).

Provided and/or discovered by
1) Joxean Koret of TippingPoint
2, 3) Alexander Kornbrust of Red Database Security
4) Franz Hüll of Red Database Security
5, 11) Esteban Martinez Fayo of Application Security, Inc.
6, 7, 8, 9) Joshua J. Drake of iDefense
10) David Litchfield of NGS Software

The vendor also credits:
* Gerhard Eschelbeck of Qualys, Inc.
* Mike Janowski of Neohapsis, Inc.
* Joxean Koret
* Tanel Poder
* Sven Vetter of Trivadis
* Dennis Yurichev

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html

ZDI:
http://www.zerodayinitiative.com/advisories/ZDI-09-017/

Red Database Security:
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html

Application Security, Inc:
http://www.appsecinc.com/resources/alerts/oracle/2009-03.shtml
http://www.appsecinc.com/resources/alerts/oracle/2009-05.shtml

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=798
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=799
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=800
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801

David Litchfield:
http://archives.neohapsis.com/archives/fulldisclosure/2009-08/0355.html

Deep Links
Links available to Secunia VIM customers