Secunia Security Advisory - 85 vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct PL/SQL injection attacks, cross-site scripting attacks, or potentially to compromise a vulnerable system.
72a3b20eec34746d386aee0da769fd7f1f5d1afb2408242105b8cbb3abba6a06
TITLE:
Oracle Products 85 Unspecified Vulnerabilities
SECUNIA ADVISORY ID:
SA17250
VERIFY ADVISORY:
http://secunia.com/advisories/17250/
CRITICAL:
Moderately critical
IMPACT:
Unknown, Cross Site Scripting, Manipulation of data, System access
WHERE:
>From remote
SOFTWARE:
PeopleSoft EnterpriseOne Applications 8.x
http://secunia.com/product/4915/
PeopleSoft Enterprise Customer Relationship Management (CRM) 8.x
http://secunia.com/product/5941/
Oracle9i Database Standard Edition
http://secunia.com/product/358/
Oracle9i Database Enterprise Edition
http://secunia.com/product/359/
Oracle9i Application Server
http://secunia.com/product/443/
Oracle Enterprise Manager 9.x
http://secunia.com/product/2564/
Oracle Enterprise Manager 10.x
http://secunia.com/product/2565/
JD Edwards EnterpriseOne 8.x
http://secunia.com/product/5940/
JD Edwards OneWorld 8.x
http://secunia.com/product/2948/
Oracle Application Server 10g
http://secunia.com/product/3190/
Oracle Collaboration Suite Release 1
http://secunia.com/product/2450/
Oracle Collaboration Suite Release 2
http://secunia.com/product/2451/
Oracle Database 8.x
http://secunia.com/product/360/
Oracle Database Server 10g
http://secunia.com/product/3387/
Oracle Developer Suite 10g
http://secunia.com/product/5410/
Oracle E-Business Suite 11i
http://secunia.com/product/442/
DESCRIPTION:
85 vulnerabilities have been reported in various Oracle products.
Some have an unknown impact, and others can be exploited to conduct
PL/SQL injection attacks, cross-site scripting attacks, or
potentially to compromise a vulnerable system.
Details have been disclosed for the following vulnerabilities:
1) A buffer overflow vulnerability and seventeen PL/SQL injection
vulnerabilities exists in Oracle Database 10g and Oracle9i Database
Server.
2) Some input passed to "test.jsp" of the Oracle Reports Server isn't
properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in a user's
browser session in context of an affected site.
The following supported products are affected by one or more of the
vulnerabilities:
* Oracle Database Server 10g Release 1, versions 10.1.0.3, 10.1.0.4
* Oracle9i Database Server Release 2, versions 9.2.0.5, 9.2.0.6,
9.2.0.7
* Oracle8i Database Server Release 3, version 8.1.7.4
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3,
10.1.0.4
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0,
10.1.2.0.1, 10.1.2.0.2
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1,
9.0.4.2
* Oracle Collaboration Suite 10g Release 1, version 10.1.1
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 through
11.5.10 and 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* Oracle Clinical, versions 4.5.0 and 4.5.1
* PeopleSoft Enterprise Tools, versions 8.1 through 8.46.03
* PeopleSoft CRM, versions 8.81 through 8.9
* JD Edwards EnterpriseOne, OneWorld XE, versions 8.95_B1, 8.94_Q1,
SP23_K1
* Oracle Database Server 10g Release 1, version 10.1.0.4.2
* Oracle Developer Suite, versions 9.0.2.1, 9.0.4.1, 9.0.4.2,
10.1.2.0
* Oracle Enterprise Manager Application Server Control, versions
9.0.4.1, 9.0.4.2
* Oracle Enterprise Manager 10g Database Control, versions 10.1.0.3,
10.1.0.4
* Oracle Workflow, versions 11.5.1 through 11.5.9.5
* Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5,
9.0.1.5 FIPS
* Oracle8 Database Server Release 8.0.6, version 8.0.6.3
* Oracle9i Application Server Release 2, versions 9.0.2.3, 9.0.3.1
* Oracle9i Application Server Release 1, version 1.0.2.2
SOLUTION:
Apply patches.
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=333954.1
PROVIDED AND/OR DISCOVERED BY:
1) David Litchfield, NGSSoftware.
2) Paolo
The vendor also credits the following people:
* Brian Carr
* Sacha Faust, S.P.I. Dynamics, Inc.
* Esteban MartÃnez Fayo, Application Security, Inc.
* Alexander Kornbrust, Red Database Security
* Steven Kost, Integrigy Corporation
* noderat ratty, Keigo Yamazaki, Little eArth Corporation Co., Ltd.
ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html
----------------------------------------------------------------------
About:
This Advisory was delivered by Secunia as a free service to help
everybody keeping their systems up to date against the latest
vulnerabilities.
Subscribe:
http://secunia.com/secunia_security_advisories/
Definitions: (Criticality, Where etc.)
http://secunia.com/about_secunia_advisories/
Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.
----------------------------------------------------------------------