CERT-In Advisory CIAD-2006-38
Multiple Remote SQL Injection and Security Bypass
Vulnerabilities in Oracle Products

Original issue date: October 18, 2006

Severity Rating: High

Systems Affected

  • Oracle Database 10g Release 2 version 10.2.0.2 and prior
  • Oracle Database 10g Release 1 version 10.1.0.5 and prior
  • Oracle9i Database Release 2 version 9.2.0.7 and prior
  • Oracle8i Database Release 3 version 8.1.7.4
  • Oracle Application Express versions 1.5 through 2.0
  • Oracle Application Server 10g Release 3 version 10.1.3.0.0
    and prior
  • Oracle Application Server 10g Release 1 (9.0.4) version
    9.0.4.3 and prior
  • Oracle Collaboration Suite 10g Release 1 version 10.1.2.0
  • Oracle9i Collaboration Suite Release 2 version 9.0.4.2
  • Oracle E-Business Suite Release 11i versions 11.5.7 through
    11.5.10 CU2
  • Oracle E-Business Suite Release 11.0
  • Oracle Pharmaceutical Applications versions 4.5.0 through
    4.5.1
  • Oracle PeopleSoft Enterprise PeopleTools version 8.48 and
    prior
  • Oracle PeopleSoft Enterprise Portal Solutions and Enterprise
    Portal version 8.9 and prior
  • JD Edwards EnterpriseOne Tools version 8.96 and prior
  • JD Edwards OneWorld Tools SP23
  • Oracle Developer Suite versions 6i 9.0.4.3 and prior
  • Oracle Developer Suite versions 6i 10.1.2.2 and prior
  • Oracle9i Database Release 1 version 9.0.1.5 and prior
  • Oracle9i Database Release 1 version 9.0.1.5 FIPS
  • Oracle9i Application Server Release 2 version 9.0.2.3
  • Oracle9i Application Server Release 2 version 9.0.3.1
  • Oracle9i Application Server Release 1 version 1.0.2.2
  • Oracle Database 10g Release 1 version 10.1.0.3
  • Oracle9i Database Release 2 version 9.2.0.5
  • Oracle Application Server 10g Release 1 (9.0.4) version
    9.0.4.1

Overview

Multiple vulnerabilities have been reported in various Oracle products which could be exploited by local or remote attackers to bypass certain security restrictions or cause a denial of service.

Description

Multiple vulnerabilities have been reported in various Oracle products due to errors in various Oracle components such as XMLDB, Oracle Forms and the Oracle Application Object Library.

These could be exploited by local or remote attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection attacks, or bypass security restrictions.

Solution

Apply appropriate patches as released by Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html

Vendor Information

Oracle Corporation
http://www.oracle.com

Oracle has corrected this issue in the Oracle Diagnostics Support Pack for October 2006. This update is available in Oracle Metalink 391558.1.

References

Oracle Metalink
https://metalink.oracle.com/metalink/plsql/f?p=200:101:3926128841333779016
http://www.oracle.com/technology/deploy/security/alerts.htm

FrSIRT ADV-2006-4065
http://www.frsirt.com/english/advisories/2006/4065

SecurityFocus
http://www.securityfocus.com/bid/20588

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003