Oracle patches 82 critical flaws

By Bill Brenner, Senior News Writer
18 Jan 2006 | SearchSecurity.com

Security Wire Daily News

Oracle Corp. handed database administrators a heavy patch load Tuesday for 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The Redwood Shores, Calif.-based vendor released few details on what the flaws are, but several third-party researchers who discovered some of the vulnerabilities have released information on their own. That's one reason Cupertino, Calif.-based AV giant Symantec Corp. Tuesday raised its Threatcon to Level 2 on a 1-to-4 scale.

"The DeepSight Threat Analyst Team is elevating the ThreatCon to Level 2" because of the patch release, Symantec said in an e-mail advisory. "This critical patch update addresses 82 issues across multiple Oracle products. Although Oracle has not released technical details regarding these issues to the public, technical information regarding several of the vulnerabilities has already been posted to public mailing lists. This additional information may reduce the amount of time that an attacker will require to isolate and exploit these vulnerabilities."

An advisory from Danish vulnerability clearinghouse Secunia revealed some of the early details:

  • Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, and DBMS_METADATA_INT Oracle PL/SQL packages is not properly sanitized before being used in a SQL query. Attackers could exploit this to manipulate SQL queries by injecting arbitrary SQL code. The flaws affect Oracle 10g Release 1 (10.1).
  • Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This also affects Oracle 10g Release 1.
  • Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This affects Oracle 10g Release 1.
  • Design errors in the Oracle Database cause the Oracle TDE (Transparent Data Encryption) wallet password to be logged in clear text, and the master key for the TDE wallet to be stored unencrypted. This affects Oracle Database 10g Release 2 (10.2.0.1).
  • Some errors in the reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports. This affects versions 1.0.2.0 through 10.1.0.2.
  • Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitized before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges. This affects Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).
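The first three Secunia items all describe the same flaw class: a caller-supplied parameter spliced into the text of a dynamic SQL statement inside a package that runs with its definer's privileges. The PL/SQL below is an added illustration, not Oracle's code; `demo_meta`, its functions and parameters are hypothetical, and it shows the vulnerable concatenation pattern beside the fixed form (bind variables for data, DBMS_ASSERT for identifiers, available from 10g Release 2).

```sql
-- Added illustration (hypothetical package, not Oracle's code). A definer's-
-- rights package runs with its owner's privileges, so SQL smuggled in through
-- a parameter runs with those privileges too; that is the SYS-level impact
-- the advisory describes for the KUPV$FT and DBMS_* packages.
CREATE OR REPLACE PACKAGE demo_meta AUTHID DEFINER AS
  -- Vulnerable pattern: parameter concatenated into the statement text.
  FUNCTION object_count_unsafe(p_owner IN VARCHAR2) RETURN NUMBER;
  -- Fixed pattern: data travels as a bind variable.
  FUNCTION object_count_safe(p_owner IN VARCHAR2) RETURN NUMBER;
  -- Fixed pattern for an identifier, which cannot be bound: validate it.
  FUNCTION row_count_safe(p_table IN VARCHAR2) RETURN NUMBER;
END demo_meta;
/
CREATE OR REPLACE PACKAGE BODY demo_meta AS
  FUNCTION object_count_unsafe(p_owner IN VARCHAR2) RETURN NUMBER IS
    l_count NUMBER;
  BEGIN
    -- Whatever the caller places in p_owner becomes part of the SQL text;
    -- a closing quote in the value ends the literal and the rest is parsed
    -- as SQL with the package owner's privileges.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM all_objects WHERE owner = ''' || p_owner || ''''
      INTO l_count;
    RETURN l_count;
  END object_count_unsafe;

  FUNCTION object_count_safe(p_owner IN VARCHAR2) RETURN NUMBER IS
    l_count NUMBER;
  BEGIN
    -- The statement text is constant; p_owner is passed as a bind value and
    -- can never change the shape of the query.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM all_objects WHERE owner = :owner'
      INTO l_count USING p_owner;
    RETURN l_count;
  END object_count_safe;

  FUNCTION row_count_safe(p_table IN VARCHAR2) RETURN NUMBER IS
    l_count NUMBER;
  BEGIN
    -- Object names cannot be bound, so DBMS_ASSERT.SQL_OBJECT_NAME checks
    -- that p_table names an existing object and raises ORA-44002 otherwise,
    -- before it is ever concatenated into the statement.
    EXECUTE IMMEDIATE
      'SELECT COUNT(*) FROM ' || DBMS_ASSERT.SQL_OBJECT_NAME(p_table)
      INTO l_count;
    RETURN l_count;
  END row_count_safe;
END demo_meta;
/
```

Where a package does not need its owner's privileges, declaring it `AUTHID CURRENT_USER` limits what an injected statement could reach even if a concatenation slips through review.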

In total, the various flaws affect the following products:

  • Oracle Database 10g Release 2, version 10.2.0.1
  • Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
  • Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
  • Oracle8i Database Release 3, version 8.1.7.4
  • Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
  • Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
  • Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
  • Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
  • Oracle9i Collaboration Suite Release 2, version 9.0.4.2
  • Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
  • Oracle E-Business Suite Release 11.0
  • PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
  • JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, assessed the flaws and fixes in his blog Tuesday:

"This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands," he said.
