Oracle patches 82 critical flaws

By Bill Brenner, Senior News Writer
18 Jan 2006 | SearchSecurity.com


Oracle Corp. handed database administrators a heavy patch load Tuesday for 82 critical flaws affecting a range of products. Attackers could exploit the security holes to access sensitive information, overwrite files or launch SQL injection attacks.

The Redwood Shores, Calif.-based vendor released few details on what the flaws are, but several third-party researchers who discovered some of the vulnerabilities have released information on their own. That's one reason Cupertino, Calif.-based AV giant Symantec Corp. Tuesday raised its ThreatCon to Level 2 on a 1-to-4 scale.


"The DeepSight Threat Analyst Team is elevating the ThreatCon to Level 2" because of the patch release, Symantec said in an e-mail advisory. "This critical patch update addresses 82 issues across multiple Oracle products. Although Oracle has not released technical details regarding these issues to the public, technical information regarding several of the vulnerabilities has already been posted to public mailing lists. This additional information may reduce the amount of time that an attacker will require to isolate and exploit these vulnerabilities."

An advisory from Danish vulnerability clearinghouse Secunia revealed some of the early details:

  • Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, and DBMS_METADATA_INT Oracle PL/SQL packages is not properly sanitized before being used in a SQL query. Attackers could exploit this to manipulate SQL queries by injecting arbitrary SQL code. The flaws affect Oracle 10g Release 1 (10.1).
  • Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This also affects Oracle 10g Release 1.
  • Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitized before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. This affects Oracle 10g Release 1.
  • Design errors in the Oracle Database cause the Oracle TDE (Transparent Data Encryption) wallet password to be logged in clear text, and the master key for the TDE wallet to be stored unencrypted. This affects Oracle Database 10g Release 2 (10.2.0.1).
  • Some errors in the reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports. This affects versions 1.0.2.0 through 10.1.0.2.
  • Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitized before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code. Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges. This affects Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).
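The dynamic-SQL pattern the advisory describes, as an added example that is not from the article or from Oracle's own packages: a hypothetical definer-rights procedure that splices caller input into a query, beside a hardened form that validates identifiers with DBMS_ASSERT and binds the data value. The procedure names, parameters and the status column are constructed for illustration.

```plsql
-- Constructed example (not Oracle's code): both procedures are hypothetical.
-- Vulnerable form: a definer-rights procedure that concatenates caller input
-- into dynamic SQL, the pattern the advisory describes for the affected SYS
-- packages. Because it runs with its owner's privileges, anything smuggled in
-- through p_owner, p_table or p_status runs with those privileges as well.
CREATE OR REPLACE PROCEDURE count_rows_vuln (
  p_owner  IN  VARCHAR2,
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER)
AUTHID DEFINER
AS
  l_sql VARCHAR2(4000);
BEGIN
  -- Identifiers and the data value are all concatenated; nothing is validated.
  l_sql := 'SELECT COUNT(*) FROM ' || p_owner || '.' || p_table
        || ' WHERE status = ''' || p_status || '''';
  EXECUTE IMMEDIATE l_sql INTO p_count;
END count_rows_vuln;
/

-- Hardened form: identifiers (which cannot be bound) are validated with
-- DBMS_ASSERT, the data value travels as a bind variable, and the procedure
-- runs with the caller's privileges so a defect cannot escalate to the owner's.
CREATE OR REPLACE PROCEDURE count_rows_safe (
  p_owner  IN  VARCHAR2,
  p_table  IN  VARCHAR2,
  p_status IN  VARCHAR2,
  p_count  OUT NUMBER)
AUTHID CURRENT_USER
AS
  l_name VARCHAR2(261);
  l_sql  VARCHAR2(4000);
BEGIN
  -- ENQUOTE_NAME upper-cases the name, wraps it in double quotes and rejects
  -- embedded quotes; SQL_OBJECT_NAME then raises ORA-44002 unless owner.table
  -- names an existing object, so a crafted identifier fails here.
  l_name := DBMS_ASSERT.SQL_OBJECT_NAME(
              DBMS_ASSERT.ENQUOTE_NAME(p_owner) || '.'
              || DBMS_ASSERT.ENQUOTE_NAME(p_table));
  -- The status value is a bind, so its content can never alter the statement.
  l_sql := 'SELECT COUNT(*) FROM ' || l_name || ' WHERE status = :1';
  EXECUTE IMMEDIATE l_sql INTO p_count USING p_status;
END count_rows_safe;
/
```

DBMS_ASSERT shipped with the 10g Critical Patch Updates, so the hardened form applies to the database releases listed below once they are patched.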

In total, the various flaws affect the following products:

  • Oracle Database 10g Release 2, version 10.2.0.1
  • Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
  • Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
  • Oracle8i Database Release 3, version 8.1.7.4
  • Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
  • Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
  • Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
  • Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
  • Oracle9i Collaboration Suite Release 2, version 9.0.4.2
  • Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
  • Oracle E-Business Suite Release 11.0
  • PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
  • JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

Pete Finnigan, an Oracle expert and author of Oracle Security Step By Step, assessed the flaws and fixes in his blog Tuesday:

"This seems like a good mixed bag of fixes, quite a lot in total and this time it seems possible to isolate the areas affected in more cases due to the more explicit naming of some packages, programs and commands," he said.

