Oracle Corp. handed database administrators a heavy patch load Tuesday for 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files
The Redwood Shores, Calif.-based vendor released few details on what the flaws are, but several third-party researchers who discovered some of the vulnerabilities have released information on their own. That's one reason Cupertino, Calif.-based AV giant Symantec Corp. Tuesday raised its Threatcon to Level 2 on a 1-to-4 scale.
"The DeepSight Threat Analyst Team is elevating the ThreatCon to Level 2" because of the patch release, Symantec said in an e-mail advisory. "This critical patch update addresses 82 issues across multiple Oracle products. Although Oracle has not released technical details regarding these issues to the public, technical information regarding several of the vulnerabilities has already been posted to public mailing lists. This additional information may reduce the amount of time that an attacker will require to isolate and exploit these vulnerabilities."
An advisory from Danish vulnerability clearinghouse Secunia revealed some of the early details:
- Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, and DBMS_METADATA_INT Oracle PL/SQL packages is not properly sanitized before being used in a SQL query. Attackers could exploit this to manipulate SQL queries by injecting arbitrary SQL code. The flaws affect Oracle 10g Release 1 (10.1).
- Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This also affects Oracle 10g Release 1.
- Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This affects Oracle 10g Release 1.
- Design errors in the Oracle Database cause the Oracle TDE (Transparent Data Encryption) wallet password to be logged in clear text, and the master key for the TDE wallet to be stored unencrypted. This affects Oracle Database 10g Release 2 (10.2.0.1).
- Some errors in the reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports. This affects versions 184.108.40.206 through 10.1.0.2.
- Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitized before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges. This affects Oracle 8i (8.1.7.x.x), Oracle 9i (220.127.116.11), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).
In total, the various flaws affect the following products:
- Oracle Database 10g Release 2, version 10.2.0.1
- Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
- Oracle9i Database Release 2, versions 18.104.22.168, 22.214.171.124
- Oracle8i Database Release 3, version 126.96.36.199
- Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
- Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
- Oracle Application Server 10g Release 1 (9.0.4), versions 188.8.131.52, 184.108.40.206
- Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
- Oracle9i Collaboration Suite Release 2, version 220.127.116.11
- Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
- Oracle E-Business Suite Release 11.0
- PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
- JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1
Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step assessed the flaws and fixes in his: blog Tuesday:
"This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands," he said.