Thaiadmin

Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerate

0 สมาชิก และ 1 บุคคลทั่วไป กำลังดูหัวข้อนี้

ออนไลน์ ColVIpTeCh

  • Union Relationship Leader
  • *****
  • 7,407
  • 169
  • เพศ: ชาย
  • ท่านพอใจเรายินดี ผิดพลาดสิ่งใดขออภัย จากใจจริง ^_^
    • กลุ่มผู้ดูแลระบบแห่งประเทศไทย - ColVlpTeCh
Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerate
« เมื่อ: 18 เมษายน 2007, 23:02:38 »
High Risk : Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities
 
CVE ID : GENERIC-MAP-NOMATCH
Rated as : High Risk
Remotely Exploitable : Yes
Locally Exploitable : Yes
Release Date : 2007-04-17

 
Technical Description

Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross site scripting attacks, or bypass security restrictions. These issues are caused by errors in various components (e.g. Core RDBMS, Rules Manager, Expression Filter, Advanced Queuing, Authentication, Oracle Streams, Upgrade/Downgrade, Oracle Agent, Change Data Capture (CDC), Oracle Workflow Cartridge, Ultra Search, Advanced Replication, Oracle Instant Client, Oracle Text, Administration Front End, Oracle Discoverer, Oracle COREid Access, Oracle Wireless, and Oracle Portal).

Affected Products

Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.5
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle Secure Enterprise Search 10g Release 1 version 10.1.6
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.0.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.1.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.2.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.1
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.2
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.1.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle10g Collaboration Suite Release 1 version 10.1.2
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 12 version 12.0.0
Oracle Enterprise Manager 9i Release 2 version 9.2.0.7
Oracle Enterprise Manager 9i Release 2 version 9.2.0.8
Oracle Enterprise Manager 9i version 9.0.1.5
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise Human Capital Management version 8.9
JD Edwards EnterpriseOne Tools version 8.96
JD Edwards OneWorld Tools SP23

Solution

Apply Oracle Critical Patch Update (April 2007) :
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

References

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html

Credits

Vulnerabilities reported by Vicente Aguilera Diaz (Internet Security Auditors), Gerhard Eschelbeck (Qualys), Esteban Martinez Fayo (Application Security), Joxean Koret, Alexander Kornbrust (Red Database Security), David Litchfield and Paul M. Wright (Next Generation Security Software), noderat ratty, and TippingPoint Zero Day Initiative.
- ขออภัย หากมิได้ตอบข้อความส่วนตัว
- ขอความร่วมมือและโปรดใช้ Thank You ในทุกๆ ข้อความที่ท่านต้องการขอบคุณ
^
^
งด SPAM mail ทุกชนิด - protect@mict.mail.go.th
^