CERT-In Advisory
CIAD-2015-0061
Multiple Vulnerabilities in Oracle Databases
Original Issue Date: November 02, 2015
Severity Rating: High
Software Affected
- Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
- Oracle Database Mobile Server, version(s) 10.3.0.3, 11.3.0.2, 12.1.0.0
- Oracle MySQL Enterprise Monitor, version(s) 2.3.20 and prior, 3.0.22 and prior
- Oracle MySQL Server, version(s) 5.5.45 and prior, 5.6.26 and prior
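As an added example (not part of the CERT-In advisory), the following Python helper checks a reported version banner against the affected ranges listed above for Oracle Database Server and Oracle MySQL Server; the sample banners are constructed, the "and prior" ranges are taken from the advisory, and the Mobile Server and Enterprise Monitor products are left out for brevity.

```python
import re

# Affected ranges from the advisory, keyed by release branch:
# a MySQL branch is affected at or below the listed patch level.
MYSQL_AFFECTED_MAX = {
    (5, 5): (5, 5, 45),   # "5.5.45 and prior"
    (5, 6): (5, 6, 26),   # "5.6.26 and prior"
}
# Oracle Database Server versions are listed exactly.
ORACLE_DB_AFFECTED = {(11, 2, 0, 4), (12, 1, 0, 1), (12, 1, 0, 2)}

_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)")


def parse_version(text: str) -> tuple:
    """Return the leading dotted numeric version as a tuple of ints.
    Suffixes such as '-log' or distro packaging tags are ignored."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a version string: {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def mysql_is_affected(version: str) -> bool:
    """True if the MySQL Server version falls in an affected range.
    Branches the advisory does not list (e.g. 5.7) return False, which
    only means 'not covered by this advisory', not 'fully patched'."""
    v = parse_version(version)
    branch = v[:2]
    if branch not in MYSQL_AFFECTED_MAX:
        return False
    v3 = (v + (0, 0, 0))[:3]          # pad so "5.6" compares like "5.6.0"
    return v3 <= MYSQL_AFFECTED_MAX[branch]


def oracle_db_is_affected(version: str) -> bool:
    """Match the first four components; a banner such as 12.1.0.2.0
    is truncated before comparing against the advisory's list."""
    v = (parse_version(version) + (0, 0, 0, 0))[:4]
    return v in ORACLE_DB_AFFECTED


if __name__ == "__main__":
    # constructed sample banners, e.g. as returned by SELECT VERSION()
    for sample in ("5.6.26-log", "5.6.27", "5.5.40-0ubuntu0.14.04.1", "5.7.9"):
        state = "affected" if mysql_is_affected(sample) else "not affected"
        print(f"MySQL {sample}: {state}")
    print("Oracle DB 12.1.0.2.0:", oracle_db_is_affected("12.1.0.2.0"))
```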
Overview
Multiple vulnerabilities have been reported in Oracle databases: Oracle Database Server and Oracle MySQL Server. Some of these vulnerabilities could be exploited by authenticated local or remote attackers, while others do not require authentication for their exploitation.
Successful exploitation of these vulnerabilities can cause disclosure or modification of user and system information, Denial-of-Service (DoS) and arbitrary code execution.
Description
1. Oracle Database Server Disclosure of Information vulnerability (CVE-2015-4857, CVE-2015-4894)
These vulnerabilities exist in the "RDBMS" component of Oracle Database Server and the "Mobile Server" component of Oracle Database Mobile/Lite Server. A remote attacker could exploit them by obtaining elevated privileges and launching authenticated network attacks via Oracle Net. Successful exploitation can result in unauthorized update, insert, delete or read access to data accessible to the component.
2. Oracle MySQL Server Disclosure of Information vulnerability (CVE-2015-1793, CVE-2015-4826, CVE-2015-4830, CVE-2015-4864)
These vulnerabilities exist in the "MySQL Server" component of Oracle MySQL. A remote attacker could exploit them by launching network attacks via multiple protocols; some of these vulnerabilities require authentication while others do not. Successful exploitation can result in unauthorized update, insert, delete or read access to data accessible to the component.
3. Oracle Database Server Denial-of-Service vulnerability (CVE-2015-4888, CVE-2015-4894)
These vulnerabilities exist in the "Java VM" component of Oracle Database Server and the "Mobile Server" component of Oracle Database Mobile/Lite Server. A remote attacker could exploit them by obtaining elevated privileges and launching authenticated network attacks via Oracle Net. Successful exploitation can result in an unauthorized ability to cause a partial Denial-of-Service (DoS) of the target component.
4. Oracle MySQL Server Denial-of-Service vulnerability
These vulnerabilities exist in the "MySQL Enterprise Monitor" and "MySQL Server" components of Oracle MySQL. A local attacker could exploit them by launching authenticated attacks after logging into the operating system. A remote attacker could exploit them by launching network attacks via the HTTPS, MySQL or Memcached protocols; some of these vulnerabilities require authentication while others do not. Successful exploitation can result in an unauthorized ability to cause a partial or complete Denial-of-Service (DoS) of the target component.
5. Oracle Database Server Arbitrary Code Execution vulnerability (CVE-2015-4794, CVE-2015-4796, CVE-2015-4863, CVE-2015-4873, CVE-2015-4900)
These vulnerabilities exist in the "Java VM", "Portable Clusterware", "Database Scheduler" and "XDB-XML Database" components of Oracle Database Server. A remote attacker could exploit them by launching network attacks via Oracle Net and multiple other protocols; some of these vulnerabilities require authentication while others do not. Successful exploitation can result in unauthorized takeover of the component, leading to arbitrary code execution within the component, or in operating system takeover including arbitrary code execution.
6. Oracle MySQL Server Arbitrary Code Execution vulnerability (CVE-2015-3144, CVE-2015-4819, CVE-2015-4879)
These vulnerabilities exist in the "MySQL Enterprise Monitor" and "MySQL Server" components of Oracle MySQL. A local attacker could exploit them by launching authenticated attacks after logging into the operating system. A remote attacker could exploit them by obtaining elevated privileges and launching authenticated network attacks via HTTP and multiple other protocols. Successful exploitation can result in unauthorized takeover of the component, leading to arbitrary code execution within the component.
Solution
Apply the appropriate patches as listed in the Oracle Security Bulletin of October 2015:
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
Vendor Information
Oracle
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
References
Oracle
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixDB
http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html#AppendixMSQL
Security Tracker
http://securitytracker.com/id/1033883
http://securitytracker.com/id/1033894
CVE Name
CVE-2015-4857
CVE-2015-4894
CVE-2015-1793
CVE-2015-4826
CVE-2015-4830
CVE-2015-4864
CVE-2015-4888
CVE-2015-4794
CVE-2015-4796
CVE-2015-4863
CVE-2015-4873
CVE-2015-4900
CVE-2015-3144
CVE-2015-4819
CVE-2015-4879
CVE-2015-0286
CVE-2015-4730
CVE-2015-4766
CVE-2015-4791
CVE-2015-4792
CVE-2015-4800
CVE-2015-4802
CVE-2015-4807
CVE-2015-4815
CVE-2015-4816
CVE-2015-4833
CVE-2015-4836
CVE-2015-4858
CVE-2015-4861
CVE-2015-4862
CVE-2015-4866
CVE-2015-4870
CVE-2015-4890
CVE-2015-4895
CVE-2015-4904
CVE-2015-4905
CVE-2015-4910
CVE-2015-4913
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road, New Delhi - 110 003
India