Oracle patches 82 critical flaws

Attackers could exploit the latest Oracle vulnerabilities to access sensitive information, overwrite files or launch SQL injection attacks in numerous applications, including PeopleSoft and JD Edwards.

Oracle Corp. handed database administrators a heavy patch load Tuesday for 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The Redwood Shores, Calif.-based vendor released few details on what the flaws are, but several third-party researchers who discovered some of the vulnerabilities have released information on their own. That's one reason Cupertino, Calif.-based AV giant Symantec Corp. Tuesday raised its Threatcon to Level 2 on a 1-to-4 scale.

More Oracle security news

Admins grapple with the latest Oracle patch puzzle

Oracle unloads critical patch pile

"The DeepSight Threat Analyst Team is elevating the ThreatCon to Level 2" because of the patch release, Symantec said in an e-mail advisory. "This critical patch update addresses 82 issues across multiple Oracle products. Although Oracle has not released technical details regarding these issues to the public, technical information regarding several of the vulnerabilities has already been posted to public mailing lists. This additional information may reduce the amount of time that an attacker will require to isolate and exploit these vulnerabilities."

An advisory from Danish vulnerability clearinghouse Secunia revealed some of the early details:

  • Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, and DBMS_METADATA_INT Oracle PL/SQL packages is not properly sanitized before being used in a SQL query. Attackers could exploit this to manipulate SQL queries by injecting arbitrary SQL code. The flaws affect Oracle 10g Release 1 (10.1).
  • Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This also affects Oracle 10g Release 1.
  • Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This affects Oracle 10g Release 1.
  • Design errors in the Oracle Database cause the Oracle TDE (Transparent Data Encryption) wallet password to be logged in clear text, and the master key for the TDE wallet to be stored unencrypted. This affects Oracle Database 10g Release 2 (10.2.0.1).
  • Some errors in the reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports. This affects versions 1.0.2.0 through 10.1.0.2.
  • Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitized before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges. This affects Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).

In total, the various flaws affect the following products:

  • Oracle Database 10g Release 2, version 10.2.0.1
  • Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
  • Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
  • Oracle8i Database Release 3, version 8.1.7.4
  • Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
  • Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
  • Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
  • Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
  • Oracle9i Collaboration Suite Release 2, version 9.0.4.2
  • Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
  • Oracle E-Business Suite Release 11.0
  • PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
  • JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step assessed the flaws and fixes in his: blog Tuesday:

"This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands," he said.

Dig deeper on Database Security Management

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

SearchCloudSecurity

SearchNetworking

SearchCIO

SearchConsumerization

SearchEnterpriseDesktop

SearchCloudComputing

ComputerWeekly

Close