
CERT-In Advisory CIAD-2005-10
Multiple Vulnerabilities in different Components of Oracle Database

Original issue date: April 25, 2005
Updated on: April 27, 2005

Systems Affected

  • Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3, 10.1.0.3.1, 10.1.0.4 (10.1.0.3.1 is supported for Oracle Application Server only)
  • Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5, 9.0.4 (9.0.1.5 FIPS) (all of which are supported for Oracle Application Server only)
  • Oracle8i Database Server Release 3, version 8.1.7.4
  • Oracle Application Server 10g Release 2 (10.1.2)
  • Oracle Application Server 10g (9.0.4), versions 9.0.4.0, 9.0.4.1
  • Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
  • Oracle9i Application Server Release 1, version 1.0.2.2
  • Oracle Collaboration Suite Release 2, versions 9.0.4.1, 9.0.4.2
  • Oracle E-Business Suite and Applications Release 11i, versions 11.5.0 through 11.5.10
  • Oracle E-Business Suite and Applications Release 11.0
  • Oracle Enterprise Manager Grid Control 10g, versions 10.1.0.2, 10.1.0.3
  • Oracle Enterprise Manager versions 9.0.4.0, 9.0.4.1
  • PeopleSoft EnterpriseOne Applications, versions 8.9 SP2 and 8.93
  • PeopleSoft OneWorldXe/ERP8 Applications, versions SP22 and higher

Overview

Multiple vulnerabilities exist in Oracle Database Server which could allow a remote user to manipulate information and conduct a DoS attack.

Impact

A remote attacker can obtain database information, modify database information, and cause denial of service conditions.

Description

Several vulnerabilities exist in Oracle Database Server. A remote user can exploit these vulnerabilities to disclose sensitive information, gain escalated privileges, conduct PL/SQL injection attacks, manipulate information, or cause a DoS. The Change Data Capture, Data Pump, Intermedia, Authentication, Database SSL Library, Internet Directory, Spatial, XML Database, XDK, HTML database, and Oracle HTTP Server components contain unspecified flaws. These vulnerabilities may affect the confidentiality, integrity, and availability of the database.

Details of some of these vulnerabilities are as follows:

The dbms_cdc_ipublish package does not properly validate the input passed to the "CHANGE_SET_NAME" parameter of the "CREATE_SCN_CHANGE_SET" procedure and can be exploited by SQL injection. For exploitation of this vulnerability user requires execute permissions on.

The dbms_cdc_subscribe and dbms_cdc_isubscribe packages do not properly validate the input passed to the "SUBSCRIPTION_NAME" parameter used in various procedures and can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires execute permissions on the dbms_cdc_subscribe or dbms_cdc_isubscribe package.

The dbms_metadata package does not properly validate the input passed to the "OBJECT_TYPE" parameter used in various procedures, and can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires execute permissions on the dbms_metadata package.

The dbms_cdc_ipublish package does not validate the input passed to the "CHANGE_SOURCE_NAME" parameter of the "ALTER_MANUALLOG_CHANGE_SOURCE" procedure and can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation requires execute permissions on the dbms_cdc_ipublish package.

An error within the Oracle interMedia system can be exploited to consume all available CPU resources via a specially crafted file.
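Because each of the injection flaws above requires execute permissions on the affected package, an exposure review can start from who holds that privilege. The queries below are an added example, not part of the original advisory or Oracle's patch documentation; they assume the reviewing account can read the DBA_TAB_PRIVS, DBA_ROLE_PRIVS and DBA_USERS dictionary views.

```sql
-- 1. Direct grants of EXECUTE on the packages named in this advisory.
--    DBA_TAB_PRIVS records package grants too; the package name is
--    stored in the TABLE_NAME column. A grantee of PUBLIC means every
--    account in the database holds the privilege.
SELECT p.owner,
       p.table_name AS package_name,
       p.grantee,
       p.grantor,
       p.grantable
FROM   dba_tab_privs p
WHERE  p.privilege = 'EXECUTE'
AND    p.table_name IN ('DBMS_CDC_IPUBLISH',
                        'DBMS_CDC_SUBSCRIBE',
                        'DBMS_CDC_ISUBSCRIBE',
                        'DBMS_METADATA')
ORDER  BY p.table_name, p.grantee;

-- 2. User accounts that reach one of those grants through a role,
--    including roles granted to other roles. The hierarchy starts at
--    every role that appears as a grantee in query 1 and walks down
--    to whoever has been granted that role.
SELECT DISTINCT rp.grantee AS account
FROM   dba_role_privs rp
WHERE  rp.grantee IN (SELECT username FROM dba_users)
START  WITH rp.granted_role IN
            (SELECT p.grantee
             FROM   dba_tab_privs p
             WHERE  p.privilege = 'EXECUTE'
             AND    p.table_name IN ('DBMS_CDC_IPUBLISH',
                                     'DBMS_CDC_SUBSCRIBE',
                                     'DBMS_CDC_ISUBSCRIBE',
                                     'DBMS_METADATA'))
CONNECT BY PRIOR rp.grantee = rp.granted_role
ORDER  BY account;
```

Grantees that have no operational need for these packages are candidates for revocation until the Critical Patch Update is applied.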

Solution

Apply the appropriate patches as described in the April 2005 Critical Patch Update, available at:

http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

Vendor Information

Oracle Corporation
Critical Patch Update - April 2005

References

SecurityTracker Alert ID: 1013693
http://securitytracker.com/id?1013693

Secunia Advisory: SA14935
http://secunia.com/advisories/14935/

CVE Reference
CAN-2005-1197

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91 11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003