Published: 2008-07-20T06:36+00:00    Last Updated: 2009-01-22T00:54+00:00

TRJVN-2008-03
Oracle Updates for Multiple Vulnerabilities - July 2008

Overview

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Event Information

Date (UTC)    Source    Description
2008-07-19 15:08 Bugtraq
Oracle Database Local Untrusted Library Path Vulnerability
Vulnerability Proof Of Concept (CVE-2008-2613)
#Cid: 30177-joxeankoret-2.txt
2008-07-19 Bugtraq
Oracle Internet Directory 10.1.4 Remote Preauth DoS Exploit
Vulnerability Proof Of Concept (CVE-2008-2595)
#Cid: 30177-joxeankoret.py
2008-07-16 21:38 Symantec
ThreatCON (2) => (1)
On July 15, 2008, Oracle released 45 security updates for a number of products. Administrators of Oracle products are advised to review the advisory and apply the relevant updates.
2008-07-16 12:00 Hewlett-Packard
HPSBMA02133: SSRT061201 rev.9 - HP Oracle for OpenView (OfO) Critical Patch Update
Oracle has issued a Critical Patch Update which contains solutions for a number of potential security vulnerabilities. These vulnerabilities may be exploited locally or remotely to compromise the confidentiality, availability or integrity of Oracle for OpenView (OfO).
2008-07-15 20:45 SANS Internet Storm Center
Oracle (and BEA, Hyperion and TimesTen) critical patch update July 15th, 2008 (Version: 2)
Today, July 15th, Oracle has released its quarterly critical patch update. The highest CVSS score of all vulnerabilities patched is 6.8 (6.5 is the maximum for the Oracle Database itself).
2008-07-15 20:38 US-CERT
Oracle Releases Critical Patch Update for July 2008
US-CERT Current Activity
Oracle has released its Critical Patch Update for July 2008 to address 45 vulnerabilities across several products.
2008-07-15 20:01 Oracle
Oracle Critical Patch Update Advisory - July 2008
2008-01-25 iDefense
Oracle Database Local Untrusted Library Path Vulnerability
Vulnerability Reported
Local exploitation of an untrusted library path vulnerability in Oracle Corp.'s Oracle Database product allows attackers to gain elevated privileges.
2008-01-03 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-04: SQL Injection in Oracle Application Server (WWEXP_API_ENGINE)
Oracle Application Server
Vulnerability Reported
Oracle Application Server installs the PL/SQL package WWEXP_API_ENGINE, owned by PORTAL, in the backend Oracle database server. The 'ACTION' procedure of this package has an instance of SQL Injection that allows attackers to create anonymous PL/SQL programs and execute any kind of PL/SQL statement. The statements are executed with the privileges of the PORTAL user, which has DBA privileges.
2007-12-27 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-07: Cross-site scripting in Oracle Enterprise Manager (REFRESHCHOICE Parameter)
Oracle Enterprise Manager Database Control
Vulnerability Reported
The "REFRESHCHOICE" parameter used in web pages of Oracle Enterprise Manager is vulnerable to cross-site scripting attacks. User-supplied input to this parameter is returned without proper sanitization, allowing a malicious attacker to inject arbitrary scripting code.
2007-12-18 iDefense
Oracle Database DBMS_AQELM Package Buffer Overflow Vulnerability
Vulnerability Reported
Remote exploitation of a buffer overflow vulnerability in the DBMS_AQELM package in Oracle Corp.'s Oracle Database product allows attackers to execute arbitrary code with the privileges of the database user.
2007-10-09 NGSSoftware
#NISR15072008: PLSQL Injection in Oracle Application Server
Oracle Database Vuln# DB23
Vulnerability Reported
Oracle has just released a fix for a flaw that, when exploited, allows an unauthenticated attacker on the Internet to gain full control of a backend Oracle database server via the front end web server.
2007-09-24 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-05: SQL Injection in Oracle Database (DBMS_DEFER_SYS.DELETE_TRAN)
Oracle Database Server
Vulnerability Reported
The PL/SQL package DBMS_DEFER_SYS owned by SYS has an instance of SQL Injection in the DELETE_TRAN procedure. A malicious user can call the vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of SYS user.
2007-08-24 Application Security Inc.
Team SHATTER Security Alert Oracle 2008-06: Cross-site scripting in Oracle Enterprise Manager (REFRESHHOME Parameter)
Oracle Enterprise Manager Database Control
Vulnerability Reported
The "REFRESHHOME" parameter used in web pages of Oracle Enterprise Manager is vulnerable to cross-site scripting attacks. User-supplied input to this parameter is returned without proper sanitization, allowing a malicious attacker to inject arbitrary scripting code.
2007-05-11 iDefense
Oracle Internet Directory Pre-Authentication LDAP DoS Vulnerability
Vulnerability Reported
Remote exploitation of a pre-authentication input validation vulnerability in Oracle Corp.'s Oracle Internet Directory allows an attacker to conduct a denial of service attack on a vulnerable host.