UPDATED: Multiple high-risk Oracle flaws |
 |
By Shawna McAlearney, News Editor
18 Jan 2005 | SearchSecurity.com |
|
|
For the first installment in its quarterly patching cycle, Oracle Corp. yesterday released a patch set to fix 23 flaws -- a number of them high-risk -- in its database products. The company also received kudos for an informative risk matrix that is a new addition to its advisories.
"The advisory is a comprehensive document and contains much better information than previous advisories from Oracle," independent security researcher Pete Finnigan wrote in his blog, PeteFinnegan.com. "The key addition in this advisory is the new risk matrix that details each bug to some degree and also the risk." Each flaw is numbered, the component identified and the privileges necessary for the bug to be exploited are listed. Also, earliest and latest versions are listed as well as whether a workaround is possible.
|
| The breakdown, part 1 |
* A networking component boundary error can be exploited to crash the database via a specially crafted connect string.
* An unspecified error in the LOB Access component can disclose sensitive information.
* An unspecified spatial component error can disclose information, manipulate data or cause a DoS.
* An unspecified forms component error can cause a DoS.
* An unspecified diagnostic component error can disclose information, manipulate data or cause a DoS.
* An unspecified UTL_FILE component error can manipulate information.
* An unspecified calendar component error can disclose information, manipulate data or cause a DoS when a malicious image is viewed. |
|
|
|
|
"I hope that in particular the risk matrix will really help customers make decisions about applying the patches quickly and confidently," Finnigan added.
Security vulnerability aggregator Secunia reported a total of 23 flaws in Oracle's products that will allow remote manipulation of data, exposure of sensitive information, privilege escalation and denial of service. See sidebar.
Finnigan was named as the discoverer of a traversal directory flaw: "A problem with being able to use directory objects incorrectly within the database."
Directory objects used in the Oracle database contain the location of a specific operating system directory, according to Finnigan's advisory. Directory objects can be accessed in various ways. Any existing directory object that can be accessed presents a potential risk. Read privileges on a directory object are required to exploit this issue.
A number of the flaws were announced by Next Generation Security Software [NGSS]. The Surrey, U.K.-based company said all versions of the Oracle Database 10g and Oracle 9i Database Server are vulnerable to the flaws it discovered, which include a buffer overflow vulnerability and PL/SQL injection vulnerabilities that allow low-privileged users to gain DBA privileges. The latter flaws can be exploited via the Web through the Oracle Application Server, NGSS said.
Details on the flaws are sketchy at this point. NGSS said it will withhold information on the flaws until April 18, allowing Oracle database users three months to test and apply patches.
Other flaws were reported to Oracle by Alex Kornbrust of Red Database Security and Stephen Kost.
"This Critical Patch Update is a cumulative update containing fixes for multiple security vulnerabilities," according to Oracle's advisory. "In addition, it also contains non-security fixes that are required [because of interdependencies] by those security fixes."
Affected products include Oracle Database 10g Release 1, Oracle9i Database Server Release 1 and Release 2, Oracle8i Database Server Release 3, Oracle8 Database Release 8.0.6, Oracle Application Server 10g, Oracle Application Server 10g Release 2, Oracle9i Application Server Release 1 and Release 2, Oracle Collaboration Suite Release 2, and Oracle E-Business Suite and Applications Release 11i and Release 11.0. For specific versions, please see the Oracle advisory.
|
| The breakdown, part 2 |
* An unspecified XDB component error can disclose or manipulate information.
* Two unspecified XDB component errors can disclose or manipulate information.
* An unspecified dataguard component error can disclose or manipulate information.
* An unspecified log miner component error can disclose or manipulate information.
* An unspecified OLAP component error can disclose or manipulate information.
* An unspecified data mining component error can disclose or manipulate information.
* An unspecified advanced queuing component error can disclose or manipulate information.
* An unspecified change data capture component error can disclose or manipulate information.
* An unspecified change data capture component error can disclose or manipulate information.
* An unspecified database core component error can disclose or manipulate information.
* An unspecified OHS component error can disclose or manipulate information.
* An unspecified report server component error can disclose or manipulate information.
* An unspecified mod_plsql component error can disclose or manipulate information.
* Two unspecified errors in Oracle E-Business Suite can disclose or manipulate information. |
|
|
|
|
Oracle has released a patch set to address these vulnerabilities. NGSS said Oracle database administrators are urged to download, test and install the patch set as soon as possible.
|
|
|
|
