
CERT-In Advisory CIAD-2007-06
Multiple Vulnerabilities in Oracle Products

Original issue date: January 18, 2007

Severity Rating: Medium

Systems Affected

  • Oracle8i Database Release 3 version 8.1.7.4
  • Oracle9i Database Release 1 version 9.0.1.5
  • Oracle9i Database Release 1 version 9.0.1.5 FIPS
  • Oracle9i Database Release 1 version 9.0.1.4
  • Oracle9i Database Release 2 version 9.2.0.5
  • Oracle9i Database Release 2 version 9.2.0.6
  • Oracle9i Database Release 2 version 9.2.0.7
  • Oracle9i Database Release 2 version 9.2.0.8
  • Oracle9i Application Server Release 2 version 9.0.2.3
  • Oracle9i Application Server Release 1 version 1.0.2.2
  • Oracle Database 10g Release 1 version 10.1.0.x
  • Oracle Database 10g Release 2 version 10.2.0.x
  • Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1
  • Oracle Application Server 10g (9.0.4) version 9.0.4.x
  • Oracle Application Server 10g Release 2 versions 10.1.2.0.x
  • Oracle Application Server 10g Release 2 version 10.1.2.1.x
  • Oracle Application Server 10g Release 3 version 10.1.3.0.x
  • Oracle Identity Management 10g version 10.1.4.0.1
  • Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.3
  • Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.4
  • Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.5
  • Oracle Enterprise Manager 10g Grid Control Release 2 version 10.2.0.1
  • Oracle E-Business Suite Release 11.0
  • Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
  • Oracle PeopleSoft Enterprise PeopleTools version 8.22
  • Oracle PeopleSoft Enterprise PeopleTools version 8.47
  • Oracle PeopleSoft Enterprise PeopleTools version 8.48
  • Oracle Developer Suite, version 6i
  • Oracle Developer Suite, version 9.0.4.3
  • Oracle Developer Suite, version 10.1.2.0.2

Overview

Multiple vulnerabilities have been reported in various Oracle products which could be exploited by local/remote attackers to bypass certain security restrictions.

Description

Multiple vulnerabilities have been identified in various Oracle products which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands or code, disclose sensitive information, conduct SQL injection and cross-site scripting attacks, or bypass security restrictions.

1. The first vulnerability is due to an input validation error in Oracle XML DB, which could be exploited to execute arbitrary HTML and script code in the browser session of a user of an affected site.

2. The second issue is due to an input validation error in the "DBMS_AQ_INV" package which could be exploited by local/remote attackers to inject and execute arbitrary SQL queries.

3. The third issue is due to a buffer overflow error in the Oracle Notification Service (ONS), which could be exploited through a specially crafted packet sent to the service (default port 6200/TCP).

4. The fourth issue is due to an input validation error in the "EmChartBean" component of the Oracle Application Server, which could be exploited by remote attackers to execute arbitrary files via directory traversal attacks.

Other unspecified vulnerabilities have also been identified in various components.

Solution

Apply the appropriate Oracle Critical Patch Update (January 2007):
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

Vendor Information

Oracle Corporation
http://www.oracle.com/

Oracle MetaLink:
http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle has corrected these issues in the Oracle Diagnostics Support Pack for January 2007. This update is available via Oracle MetaLink note 403335.1.

References

FrSIRT ADV-2007-0210
http://www.frsirt.com/english/advisories/2007/0210

Secunia Advisory 23794
http://secunia.com/advisories/23794/

Red-Database-Security
http://www.red-database-security.com/advisory/oracle_xmldb_css2.html

http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aq_inv.html

http://www.red-database-security.com/advisory/oracle_buffer_overflow_ons.html

Symantec
http://www.symantec.com/enterprise/research/SYMSA-2007-001.txt

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003