Published: 2008-05-25T03:38+00:00    Last Updated: 2008-12-28T07:59+00:00

TRJVN-2008-01
Oracle Updates for Multiple Vulnerabilities - April 2008

Overview

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Event Information


Date (UTC)Description
2008-04-15 22:13 Oracle
Oracle Critical Patch Update Advisory - April 2008
2008-04-15 20:30 US-CERT
Oracle Releases Critical Patch Update for April 2008
US-CERT Current Activity
Oracle has released their Critical Patch Update for April 2008 to address 41 vulnerabilities across several products.
2008-04-13 00:18 SANS Internet Storm Center
Oracle April Patch Advance Information Posted
Oracle has posted it's advance information for it's Critical Patch Update for April 2008, to be released on Tuesday, April 15, 2008.
2008-01-18 iDefense
690: Oracle Application Express Privilege Escalation Vulnerability
Privilege Escalation Vulnerability (CVE-2008-1811)
Vulnerability Reported
The vulnerability exists in "run_ddl" function within the "wwv_execute_immediate" package. This package is included in the "flows_030000" schema. This function allows attackers to execute SQL commands as any database user, such as SYS.
2007-09-24 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-01: Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET (DB02)
Oracle Database Vuln# DB02
Vulnerability Reported
The PL/SQL package DBMS_CDC_UTILITY owned by SYS has an instance of SQL Injection. A malicious user can call a vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user.
2007-08-24 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-02: Oracle Database Buffer Overflow in Oracle SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)
Oracle Database Vuln# DB11
Vulnerability Reported
Oracle Database Server provides the SYS.KUPF$FILE_INT package. This package contains the procedure GET_FULL_FILENAME which is vulnerable to buffer overflow attacks.
2007-06-06 Red-Database-Security
SQL Injection in package SDO_UTIL [DB05]
Oracle Database Vuln# DB05
Vulnerability Reported
The package SDO_UTIL is vulnerable against SQL injection.
2007-06-06 Red-Database-Security
SQL Injection in package SDO_IDX [DB07]
Oracle Database Vuln# DB07
Vulnerability Reported
The package SDO_IDX (part of Oracle Spatial) is vulnerable against SQL injection.
2007-06-06 Red-Database-Security
SQL Injection in package SDO_GEOM [DB06]
Oracle Database Vuln# DB06
Vulnerability Reported
The package SDO_GEOM (part of Oracle Spatial) is vulnerable against SQL injection.
2007-05-27 Imperva, Inc.
Oracle DBMS - Access Control Bypass with Direct Path Export
Oracle Database Vuln# DB12
Vulnerability Reported
The TNS protocol includes a special message used for direct path export. The message (0x5B) allows extraction of table data without using SQL query.
2007-04-04 Red-Database-Security
Hardcoded Password and Password Reset of OUTLN User [DB13]
Oracle Database Vuln# DB13
Vulnerability Reported
During the creation of a materialized view the package DBMS_STATS_INTERNAL is called and resets the password of the user OUTLN to OUTLN and grants DBA privileges to this user.
2007-01-29 Zero Day Initiative (ZDI)
ZDI-08-088: Oracle E-Business Suite Business Intelligence SQL Injection Vulnerability
Vulnerability Reported
2005-02-22 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-03: Oracle Database Buffer Overflow in Oracle SYS.DBMS_AQJMS_INTERNAL (DB15)
Oracle Database Vuln# DB15
Vulnerability Reported
Oracle Database Server provides the SYS.DBMS_AQJMS_INTERNAL package. This package contains the procedures AQ$_REGISTER and AQ$_UNREGISTER which are vulnerable to buffer overflow attacks.


Other Information