CERT-In Advisory
CIAD-2006-0038
Multiple Remote SQL Injection and Security Bypass Vulnerabilities in Oracle Products
Original Issue Date: October 18, 2006
Severity Rating: High
Systems Affected
- Oracle Database 10g Release 2 version 10.2.0.2 and prior
- Oracle Database 10g Release 1 version 10.1.0.5 and prior
- Oracle9i Database Release 2 version 9.2.0.7 and prior
- Oracle8i Database Release 3 version 8.1.7.4
- Oracle Application Express versions 1.5 through 2.0
- Oracle Application Server 10g Release 3 version 10.1.3.0.0 and prior
- Oracle Application Server 10g Release 1 9.0.4 version 9.0.4.3 and prior
- Oracle Collaboration Suite 10g Release 1 version 10.1.2.0
- Oracle9i Collaboration Suite Release 2 version 9.0.4.2
- Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
- Oracle E-Business Suite Release 11.0
- Oracle Pharmaceutical Applications versions 4.5.0 through 4.5.1
- Oracle PeopleSoft Enterprise PeopleTools version 8.48 and prior
- Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.9 and prior
- JD Edwards EnterpriseOne Tools version 8.96 and prior
- JD Edwards OneWorld Tools SP23
- Oracle Developer Suite versions 6i 9.0.4.3 and prior
- Oracle Developer Suite versions 6i 10.1.2.2 and prior
- Oracle9i Database Release 1 version 9.0.1.5 and prior
- Oracle9i Database Release 1 version 9.0.1.5 FIPS
- Oracle9i Application Server Release 2 version 9.0.2.3
- Oracle9i Application Server Release 2 version 9.0.3.1
- Oracle9i Application Server Release 1 version 1.0.2.2
- Oracle Database 10g Release 1 version 10.1.0.3
- Oracle9i Database Release 2 version 9.2.0.5
- Oracle Application Server 10g Release 1 9.0.4 version 9.0.4.1
Overview
Multiple vulnerabilities have been reported in various Oracle products which could be exploited by local or remote attackers to conduct SQL injection attacks, bypass certain security restrictions, or cause a denial of service.
Description
Multiple vulnerabilities have been reported in various Oracle products due to errors in Oracle components such as XML DB, Oracle Forms and the Oracle Application Object Library.
These could be exploited by local or remote attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection attacks, or bypass security restrictions.
Solution
Apply appropriate patches as released by Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
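Before applying the patch set, an administrator will want to know whether a given database falls inside the affected ranges listed above. The following script is an added example for this advisory, not CERT-In or Oracle code: it reads the version banner as returned by the standard query SELECT BANNER FROM V$VERSION (or a bare version string) and applies the "and prior" rule from the Systems Affected list, which is scoped to a release line (10.1.0.5 is affected even though it is numerically below 10.2.0.2, and 10.2.0.3 is not). The sample banners in the block are constructed for illustration. Note that applying a Critical Patch Update does not change the base version in V$VERSION, so a version inside an affected range still has to be checked against the installed interim patches (for example with Oracle's opatch lsinventory) before it is declared vulnerable.

```python
"""Check an Oracle Database version against the ranges in CIAD-2006-0038.

Added example for this advisory; not part of the CERT-In or Oracle text.
"""
import re

# Affected database release lines taken from the Systems Affected list.
# Each entry: (release-line prefix, highest affected version, prior_affected).
# prior_affected=True means the advisory says "and prior" for that line;
# False means only the listed version is named (8.1.7.4).
AFFECTED_DB_RANGES = [
    ((10, 2), (10, 2, 0, 2), True),
    ((10, 1), (10, 1, 0, 5), True),
    ((9, 2), (9, 2, 0, 7), True),
    ((9, 0, 1), (9, 0, 1, 5), True),
    ((8, 1, 7), (8, 1, 7, 4), False),
]

_VERSION_RE = re.compile(r"(\d+(?:\.\d+)+)")


def parse_version(banner):
    """Return the dotted version in a V$VERSION banner as a tuple of ints.

    The first token that contains at least one dot is taken, so the "10g"
    or "9i" product name is skipped and "10.2.0.2.0" is picked up.
    """
    match = _VERSION_RE.search(banner)
    if not match:
        raise ValueError(f"no dotted version found in {banner!r}")
    return tuple(int(part) for part in match.group(1).split("."))


def _padded(version, length):
    """Right-pad a version tuple with zeros and cut it to the given length."""
    return (tuple(version) + (0,) * length)[:length]


def is_affected(banner):
    """True if the version is in an affected range, False if it is above the
    range for its release line, None if the release line is not listed
    (this advisory makes no statement about it)."""
    version = parse_version(banner)
    for line, top, prior_affected in AFFECTED_DB_RANGES:
        if version[: len(line)] != line:
            continue
        candidate = _padded(version, len(top))
        if prior_affected:
            return candidate <= top
        return candidate == top
    return None


def classify(banners):
    """Map each banner to 'affected', 'not affected' or 'not listed'."""
    labels = {True: "affected", False: "not affected", None: "not listed"}
    return {b: labels[is_affected(b)] for b in banners}


if __name__ == "__main__":
    # Constructed sample banners in the V$VERSION format; not real hosts.
    samples = [
        "Oracle Database 10g Enterprise Edition Release 10.2.0.2.0 - Prod",
        "Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - Prod",
        "Oracle Database 10g Enterprise Edition Release 10.1.0.5.0 - Prod",
        "Oracle9i Enterprise Edition Release 9.2.0.8.0 - Production",
        "Oracle8i Enterprise Edition Release 8.1.7.4.0 - Production",
        "Oracle8i Enterprise Edition Release 8.1.7.3.0 - Production",
    ]
    for banner, verdict in classify(samples).items():
        print(f"{verdict:13s} {banner}")
```

A result of "affected" here means the base release is inside the advisory's range; it does not by itself prove the October 2006 CPU is missing, because interim patches are recorded by OPatch rather than in the V$VERSION banner.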
Vendor Information
Oracle Corporation
http://www.oracle.com/
References
Oracle Metalink
https://metalink.oracle.com/metalink/plsql/f?p=200:101:3926128841333779016
http://www.oracle.com/technology/deploy/security/alerts.htm
FrSIRT- ADV-2006-4065
http://www.frsirt.com/english/advisories/2006/4065
SecurityFocus
http://www.securityfocus.com/bid/20588
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road
New Delhi - 110 003
India