
CERT-In Advisory CIAD-2007-20
Multiple Vulnerabilities in Oracle Products

Original issue date: April 19, 2007

Severity Rating: High

Systems Affected

  • Oracle8 Database Release 8.0.6, version 8.0.6.3
  • Oracle9i Database Release 2, versions 9.2.0.7, 9.2.0.8
  • Oracle9i Database Release 2, version 9.2.0.5
  • Oracle9i Database Release 1, version 9.0.1.4
  • Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
  • Oracle9i Application Server Release 1, version 1.0.2.2
  • Oracle Application Server 10g (9.0.4), version 9.0.4.3
  • Oracle Database 10g Release 1, version 10.1.0.3
  • Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
  • Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3
  • Oracle Database 10g Release 1, version 10.1.0.4.2
  • Oracle Application Server 10g Release 2 (10.1.2), versions 10.1.2.0.1 - 10.1.2.0.2, 10.1.2.1.0, 10.1.2.2.0
  • Oracle Application Server 10g Release 3 (10.1.3), versions 10.1.3.0.0, 10.1.3.1.0, 10.1.3.2.0
  • Oracle Secure Enterprise Search 10g Release 1, version 10.1.6
  • Oracle10g Collaboration Suite Release 1, version 10.1.2
  • Oracle E-Business Suite Release 11i, versions 11.5.7 - 11.5.10 CU2
  • Oracle E-Business Suite Release 12, version 12.0.0
  • Oracle Enterprise Manager 9i Release 2, versions 9.2.0.7, 9.2.0.8
  • Oracle Enterprise Manager 9i, version 9.0.1.5
  • Oracle PeopleSoft Enterprise PeopleTools versions 8.22, 8.47, 8.48
  • Oracle PeopleSoft Enterprise Human Capital Management version 8.9
  • Oracle Developer Suite, versions 6i, 9.0.4.2
  • Oracle Workflow, versions 11.5.1 through 11.5.9.5
  • JD Edwards EnterpriseOne Tools version 8.96
  • JD Edwards OneWorld Tools SP23

Overview

Multiple vulnerabilities have been reported in various Oracle products which could be exploited by local or remote attackers to bypass certain security restrictions.

Description

Multiple vulnerabilities have been identified in various Oracle products, e.g. Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne.

These vulnerabilities are due to errors in various Oracle components, e.g. Advanced Queuing, Authentication, Advanced Replication, Administration Front End, Core RDBMS, Change Data Capture (CDC), Expression Filter, Oracle Agent, Oracle COREid Access, Oracle Discoverer, Oracle Instant Client, Oracle Portal, Rules Manager, Ultra Search, Oracle Streams, Oracle Text, Oracle Wireless, Oracle Workflow Cartridge and Upgrade/Downgrade.

The vulnerabilities could be exploited by remote or local attackers to cause a denial of service, conduct SQL injection or cross-site scripting attacks, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information or bypass security restrictions.

Solution

Apply the appropriate Oracle Critical Patch Update (April 2007):
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html


Vendor Information

Oracle Corporation

http://www.oracle.com/

Oracle MetaLink
http://www.oracle.com/technology/deploy/security/alerts.htm

Oracle has corrected this issue in the Oracle Diagnostics Support Pack for January 2007. This update is available in Oracle MetaLink 360464.1.


References

FrSIRT
http://www.frsirt.com/english/advisories/2007/1426

SecurityFocus
http://www.securityfocus.com/bid/23403/

NIST
http://www.nist.org/news.php?extend.224

Integrigy
http://www.integrigy.com/oracle-security-blog/archive/2007/04/10/cpu-april-2007-prerelease



Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003