CERT-In Advisory CIAD-2006-22
Multiple Vulnerabilities in Oracle Database and Other Products

Original issue date: July 20, 2006

Severity Rating: High

Systems Affected

  • Oracle8 8.0.6.3, 8.0.6
  • Oracle9i Standard Edition 9.2.0.7 and prior
  • Oracle9i Standard Edition 8.1.7
  • Oracle9i Personal Edition 9.2.0.7 and prior
  • Oracle9i Personal Edition 8.1.7
  • Oracle9i Enterprise Edition 9.2.0.7 and prior
  • Oracle9i Application Server 9.2.0.7 and prior
  • Oracle10g Standard Edition 10.2.0.2 and prior
  • Oracle10g Standard Edition 9.0.4.0
  • Oracle10g Personal Edition 10.2.0.2 and prior
  • Oracle10g Enterprise Edition 10.2.0.2 and prior
  • Oracle10g Application Server 10.1.3.0.0 and prior
  • Oracle10g Application Server 9.0.4.2 and prior
  • Oracle Enterprise Manager Grid Control 10g 10.2.0.1
  • Oracle E-Business Suite 11i 11.5.10 CU2 and prior
  • Oracle Workflow 11.5.9.5, 11.5.1
  • Oracle E-Business Suite 11i 11.5.8 and prior
  • Oracle Developer Suite 9.0.4.2
  • Oracle Collaboration Suite Release 2 9.0.4.2, Release 1 10.1.2
  • Oracle Application Server Portal 10.1.4.0.0 and prior
  • Oracle JD Edwards EnterpriseOne 8.95_F1 and prior
  • PeopleSoft Enterprise Portal 8.8, 8.4

Overview

Multiple vulnerabilities have been reported in various Oracle products which can be exploited by remote or local attackers to bypass certain security restrictions, obtain sensitive information, execute arbitrary SQL code, or cause a denial of service.

Description

Vulnerabilities have been reported in various Oracle products due to errors in Oracle components such as the Oracle ODBC Driver and Oracle XML Gateway. Attackers could exploit these vulnerabilities through SQL injection to obtain sensitive information or execute arbitrary SQL code. They could also cause a denial of service, read or overwrite arbitrary data, or bypass certain security restrictions.

These vulnerabilities can be exploited both remotely and locally. It may be noted that proof-of-concept exploit code is publicly available on the Internet.
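The vulnerability class the description refers to, shown as an added illustration that is not Oracle's code and does not reproduce the flaw in any named Oracle component: a definer-rights PL/SQL procedure that splices its argument into dynamic SQL, beside a form that binds the value and validates identifiers with DBMS_ASSERT. The procedure names, the use of the HR sample schema (hr.employees) and the availability of DBMS_ASSERT (shipped with 10.2; on earlier releases its presence depends on the CPU level installed) are assumptions of this example, not statements from the advisory.

```sql
-- Added example (not Oracle's code): a definer-rights procedure that builds
-- dynamic SQL by concatenation, the pattern behind PL/SQL SQL injection.
-- Assumes the HR sample schema (hr.employees) is installed.
CREATE OR REPLACE PROCEDURE count_by_last_name_vuln (p_name IN VARCHAR2)
  AUTHID DEFINER
IS
  v_sql VARCHAR2(4000);
  v_cnt NUMBER;
BEGIN
  -- p_name is spliced straight into the statement text.
  v_sql := 'SELECT COUNT(*) FROM hr.employees WHERE last_name = '''
           || p_name || '''';
  EXECUTE IMMEDIATE v_sql INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/

-- A caller with EXECUTE on the procedure but no privilege on hr.employees
-- can close the literal and append their own SQL. Calling it with
--   p_name => 'X'' OR 1=1 --'
-- makes the executed statement
--   SELECT COUNT(*) FROM hr.employees WHERE last_name = 'X' OR 1=1 --'
-- which runs with the owner's rights and exposes the full row count. The
-- same slot accepts a call to a caller-owned function, which is the general
-- route from data exposure to executing arbitrary SQL in the owner's context.

-- Hardened form: the value travels as a bind variable, so it can never alter
-- the statement text, and invoker's rights stop the caller borrowing the
-- owner's privileges on hr.employees.
CREATE OR REPLACE PROCEDURE count_by_last_name_safe (p_name IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM hr.employees WHERE last_name = :name'
    INTO v_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/

-- When part of the statement cannot be bound (an object or column name),
-- validate it with DBMS_ASSERT instead of trusting the string:
-- SQL_OBJECT_NAME raises ORA-44002 unless the name resolves to an existing
-- object, SIMPLE_SQL_NAME raises ORA-44003 for anything that is not a
-- syntactically valid identifier. The value itself is still bound.
CREATE OR REPLACE PROCEDURE count_by_column_safe (
  p_table  IN VARCHAR2,
  p_column IN VARCHAR2,
  p_value  IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
    || ' WHERE ' || DBMS_ASSERT.SIMPLE_SQL_NAME(p_column) || ' = :val'
    INTO v_cnt USING p_value;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/
```

Run the two procedures under SQL*Plus with SET SERVEROUTPUT ON as a low-privileged user granted EXECUTE on both: the vulnerable one returns the whole table's count for the payload above, the bound one returns zero matches for the same string. The test to apply to any PL/SQL package that builds statements dynamically is the same as here: every caller-controlled value must reach EXECUTE IMMEDIATE or DBMS_SQL through a bind, and every fragment that cannot be bound must pass through DBMS_ASSERT first.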

Solution

Apply Critical Patch Update (July 2006):
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html
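A post-patch check for the database side, added here and not part of the advisory. It assumes a 10.2 database and a DBA session: on 10.2 the CPU's catcpu.sql script records each applied CPU in DBA_REGISTRY_HISTORY with ACTION = 'CPU' and a COMMENTS value naming the update (for example 'CPUJul2006'); that view name and convention come from 10.2 behaviour, not from this page, and earlier releases do not have the view.

```sql
-- Added check (not part of the advisory). Assumes a 10.2 database where the
-- CPU's catcpu.sql recorded the update in DBA_REGISTRY_HISTORY, and a session
-- with SELECT on that view (DBA role). CPUs are cumulative, so a later CPU
-- row also covers the July 2006 fixes; the listing below shows every CPU row
-- so the reader can judge that.
SET SERVEROUTPUT ON

DECLARE
  v_release VARCHAR2(80);
  v_jul2006 NUMBER;
BEGIN
  SELECT banner INTO v_release
    FROM v$version
   WHERE banner LIKE 'Oracle%' AND ROWNUM = 1;
  DBMS_OUTPUT.PUT_LINE('Release: ' || v_release);

  DBMS_OUTPUT.PUT_LINE('CPU rows recorded in DBA_REGISTRY_HISTORY:');
  FOR r IN (SELECT action_time, version, id, comments
              FROM dba_registry_history
             WHERE action = 'CPU'
             ORDER BY action_time)
  LOOP
    DBMS_OUTPUT.PUT_LINE('  ' || TO_CHAR(r.action_time, 'YYYY-MM-DD')
      || '  ' || r.version || '  patch ' || r.id || '  ' || r.comments);
  END LOOP;

  SELECT COUNT(*) INTO v_jul2006
    FROM dba_registry_history
   WHERE action = 'CPU'
     AND UPPER(comments) LIKE '%JUL2006%';

  IF v_jul2006 > 0 THEN
    DBMS_OUTPUT.PUT_LINE('July 2006 CPU: recorded for this database.');
  ELSE
    DBMS_OUTPUT.PUT_LINE('July 2006 CPU: NOT recorded. If the binaries were '
      || 'patched with OPatch but catcpu.sql was not run, the SQL and PL/SQL '
      || 'part of the fix is still missing; see the CPU README.');
  END IF;
END;
/
```

The CPU has two halves: OPatch installs the patched binaries into the Oracle Home, and catcpu.sql applies the SQL and PL/SQL changes to each database running from that home. Running only the first half leaves the database-side fixes unapplied, which is what the last branch above flags. For the non-database products in the affected list (Application Server, the ODBC driver and other client homes, E-Business Suite), `opatch lsinventory` run against each Oracle Home lists the applied interim patches; compare its output with the patch numbers given in the July 2006 CPU README for that product.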

Vendor Information

Oracle Corporation
Oracle has corrected these issues in the Oracle Diagnostics Support Pack for July 2006. The update is available via Oracle Metalink note 372927.1.

References

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html
http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle Metalink
http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=209768.1

FrSIRT
http://www.frsirt.com/english/advisories/2006/2863

securityfocus
http://www.securityfocus.com/bid/19054

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003