Multiple vulnerabilities have been reported in Oracle Enterprise Manager, which can be exploited by malicious, local users to disclose sensitive information, by malicious users to disclose sensitive information, manipulate certain data, and conduct SQL injection attacks, and by malicious people to disclose sensitive information, manipulate certain data, conduct cross-site scripting and request forgery attacks, and cause a DoS (Denial of Service).

1) An unspecified error within the Scheduler subcomponent of the Content Management component can be exploited to disclose certain information, manipulate certain data, and cause a DoS via specially crafted HTTP requests.

2) The Database Control component allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in administrative user visits a malicious web site.

3) The Database Target Type Menus component allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in administrative user visits a malicious web site.

4) An unspecified error within the SQL Details UI & Explain Plan subcomponent of the SQL Performance Advisories/UIs component can be exploited to disclose certain information, manipulate certain data, and cause a DoS via specially crafted HTTP requests.

5) The Schema Management component allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in administrative user visits a malicious web site.

6) The Security Framework component allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in administrative user visits a malicious web site.

7) The Security Management component allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in administrative user visits a malicious web site.

8) The Streams, AQ & Replication Mgmt component allows users to perform certain actions via HTTP requests without performing any validity checks to verify the requests. This can be exploited to perform certain unspecified actions if a logged-in administrative user visits a malicious web site.

9) An unspecified error within the Authentication subcomponent of the Security Framework component can be exploited to disclose certain information and manipulate certain data via specially crafted HTTP requests.

10) An unspecified error within the CMDB Metadata & Instance APIs component can be exploited by authenticated users to disclose certain information and manipulate certain data.

11) An unspecified error within the EMCTL component can be exploited by authenticated users to disclose certain information and manipulate certain data via specially crafted HTTP requests.

12) An unspecified error within the Enterprise Config Management component can be exploited by authenticated users to disclose certain information and manipulate certain data.

13) Another unspecified error within the Enterprise Config Management component can be exploited by local users to disclose content of arbitrary files on the local system.

14) Input passed e.g. via the "datasource" parameter to em/console/database/instance/sitemap is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

15) Input passed via the filter attribute section to the searchSQL page in the Enterprise Manager Console is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

16) Input passed via the "value" parameter to em/console/pref/notifRuleInfo$mode is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

17) Input passed e.g. via the "datasource" parameter to em/console/database/instance/sitemap is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

18) Input passed e.g. via the "commentinput" parameter to em/console/database/monitoring/metricDetail$type is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

19) Certain input passed to the Enterprise Manager Console is not properly sanitised before being returned to the user. This can be exploited to execute arbitrary HTML and script code in a user's browser session in context of an affected site.

20) The application allows users to perform certain actions in the Enterprise Manager Console via HTTP requests without performing any validity checks to verify the requests. This can be exploited to e.g. execute arbitrary SQL statements by tricking a logged in user into visiting a malicious web site.

Solution
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by
2, 3, 5, 6, 7, 8, 14, 16, 17, 18) Esteban Martinez Fayo, Application Security
15, 19, 20) MWR InfoSecurity


It is currently unclear who reported the remaining vulnerabilities as the Oracle Critical Patch Update for July 2011 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.

Changelog
Further details available to Secunia VIM customers

Original Advisory
Oracle:
http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html#AppendixEM

MWR InfoSecurity:
http://labs.mwrinfosecurity.com/files/Advisories/mwri-oracle_enterprise_manager-2010-01-25.pdf
http://labs.mwrinfosecurity.com/files/Advisories/mwri-oracle_em_sqlinjection-2010-02-01.pdf

Application Security:
http://archives.neohapsis.com/archives/fulldisclosure/2011-07/0332.html
http://archives.neohapsis.com/archives/fulldisclosure/2011-07/0333.html
http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-enterprise-manager-vulnerable-to-cross-site-scripting-metricdetailtype-page/
http://www.teamshatter.com/topics/general/team-shatter-exclusive/oracle-enterprise-manager-vulnerable-to-cross-site-scripting-sitemap-page/

Other references
Further details available to Secunia VIM customers

Deep Links
Links available to Secunia VIM customers