Published: 2008-07-20T06:36+00:00
Last Updated: 2009-01-22T00:54+00:00
TRJVN-2008-03
Oracle Updates for Multiple Vulnerabilities - July 2008
Overview
Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
Event Information
| Date (UTC) | Description |
| 2008-07-19 15:08 |
Bugtraq Oracle Database Local Untrusted Library Path Vulnerability Vulnerability Proof Of Concept (CVE-2008-2613) #Cid: 30177-joxeankoret-2.txt |
| 2008-07-19 |
Bugtraq Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit Vulnerability Proof Of Concept (CVE-2008-2595) #Cid: 30177-joxeankoret.py |
| 2008-07-16 21:38 |
Symantec ThreatCON (2) => (1) On July 15, 2008, Oracle released 45 security updates for a number of products. Administrators of Oracle products are advised to review the advisory and apply the relevant updates. |
| 2008-07-16 12:00 |
Hewlett-Packard HPSBMA02133: SSRT061201 rev.9 - HP Oracle for OpenView (OfO) Critical Patch Update Oracle has issued a Critical Patch Update which contains solutions for a number of potential security vulnerabilities. These vulnerabilities may be exploited locally or remotely to compromise the confidentiality, availability or integrity of Oracle for OpenView (OfO). |
| 2008-07-15 20:45 |
SANS Internet Storm Center Oracle (and BEA, Hyperion and TimesTen) critical patch update July 15th, 2008 (Version: 2) Today, July 15th, Oracle has released its quarterly critical patch update. The highest CVSS score of all vulnerabilities patched is 6.8 (6.5 is the maximum for the Oracle Database itself). |
| 2008-07-15 20:38 |
US-CERT Oracle Releases Critical Patch Update for July 2008 US-CERT Current Activity Oracle has released their Critical Patch Update for July 2008 to address 45 vulnerabilities across several products. |
| 2008-07-15 20:01 |
Oracle Oracle Critical Patch Update Advisory - July 2008 |
| 2008-01-25 |
iDefense Oracle Database Local Untrusted Library Path Vulnerability Vulnerability Reported Local exploitation of an untrusted library path vulnerability in Oracle Corp.'s Oracle Database product allows attackers to gain elevated privileges. |
| 2008-01-03 |
Application Security Inc. Team SHATTER Security Alert Oracle 2008-04: SQL Injection in Oracle Application Server (WWEXP_API_ENGINE) Oracle Application Server Vulnerability Reported Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE owned by PORTAL in the backend Oracle database server. The 'ACTION' procedure of this package has an instance of SQL Injection that allows attackers to create anonymous PL/SQL programs and execute any kind of PL/SQL statements. The statements are executed with the privileges of the PORTAL user, that has DBA privileges. |
| 2007-12-27 |
Application Security Inc. Team SHATTER Security Alert Oracle 2008-07: Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter) Oracle Enterprise Manager Database Control Vulnerability Reported The "REFRESHCHOICE" parameter used in web pages of Oracle Enterprise Manager are vulnerable to cross-site scripting attacks. User supplied input to these parameters is returned without proper sanitization, allowing a malicious attacker to inject arbitrary scripting code. |
| 2007-12-18 |
iDefense Oracle Database DBMS_AQELM Package Buffer Overflow Vulnerability Vulnerability Reported Remote exploitation of a buffer overflow vulnerability in the DBMS_AQELM package in Oracle Corp.'s Oracle Database product allows attackers to execute arbitrary code with the privileges of the database user. |
| 2007-10-09 |
NGSSoftware #NISR15072008: PLSQL Injection in Oracle Application Server Oracle Database Vuln# DB23 Vulnerability Reported Oracle has just released a fix for a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server. |
| 2007-09-24 |
Application Security Inc. Team SHATTER Security Alert Oracle 2008-05: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN) Oracle Database Server Vulnerability Reported The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user. |
| 2007-08-24 |
Application Security Inc. Team SHATTER Security Alert Oracle 2008-06: Cross-site scripting in Oracle Enterprise Manager (REFRESHHOME Parameter) Oracle Enterprise Manager Database Control Vulnerability Reported The "REFRESHHOME" parameter used in web pages of Oracle Enterprise Manager are vulnerable to cross-site scripting attacks. User supplied input to these parameters is returned without proper sanitization, allowing a malicious attacker to inject arbitrary scripting code. |
| 2007-05-11 |
iDefense Oracle Internet Directory Pre-Authentication LDAP DoS Vulnerability Vulnerability Reported Remote exploitation of a pre-authentication input validation vulnerability in Oracle Corp.'s Oracle Internet Directory allows an attacker to conduct a denial of service attack on a vulnerable host. |