Date: 19 July 2007
References: ESB-2007.0563
===========================================================================
                        A U S C E R T   A L E R T

                       AL-2007.0087 -- AUSCERT ALERT
                             [Win][UNIX/Linux]
        Oracle Critical Patch Update - 45 vulnerabilities in Oracle
                          and PeopleSoft products
                               23 July 2007
===========================================================================

AusCERT Alert Summary
---------------------

Product:              Oracle Database - versions 10g release2 10.2.0.3 and prior
                      Oracle Application Express (formerly HTML DB) - versions 1.5 to 2.2
                      Oracle Secure Enterprise Search 10g versions 10.1.6 and 10.1.8
                      Oracle Application Server - versions 10g release3 10.1.3.3.0 and prior
                      Oracle 10g Collaboration Suite 10.1.2
                      Oracle E-Business Suite - 12.0.1 and prior
                      PeopleSoft Enterprise PeopleTools 8.22, 8.47, 8.48 and 8.49
                      PeopleSoft Enterprise Human Capital Management 8.9 and 9.0
                      PeopleSoft Enterprise Customer Relationship Management 8.9 and 9.0
Operating System:     Windows
                      UNIX variants (UNIX, Linux)
Impact:               Execute Arbitrary Code/Commands
                      Inappropriate Access
                      Denial of Service
Access:               Remote/Unauthenticated
CVE Names:            CVE-2007-3870 CVE-2007-3869 CVE-2007-3868
                      CVE-2007-3867 CVE-2007-3866 CVE-2007-3865
                      CVE-2007-3864 CVE-2007-3863 CVE-2007-3862
                      CVE-2007-3861 CVE-2007-3860 CVE-2007-3859
                      CVE-2007-3858 CVE-2007-3857 CVE-2007-3856
                      CVE-2007-3855 CVE-2007-3854 CVE-2007-3853
                      CVE-2007-0272 CVE-2007-0270
Member content until: Thursday, August 16 2007

Revision History:     July 23 2007: Additional CVE identifiers assigned
                      July 19 2007: Initial Release

OVERVIEW:

Oracle has released a Critical Patch Update for July 2007 which
fixes 45 security vulnerabilities. [1]

Two vulnerabilities in Oracle Single Sign On may be exploited by a
remote unauthenticated attacker, compromising integrity. Several
other vulnerabilities allow database users to execute arbitrary code.

Vulnerabilities affect the following components:

- 17 for Oracle Database
- 2 for Oracle Single Sign On
- 1 for Oracle Internet Directory
- 1 for Oracle Application Express (formerly Oracle HTML DB)
- 2 for JDeveloper
- 1 for Oracle Collaboration Suite
- 14 for Oracle E-Business Suite applications
- 7 for PeopleSoft applications

IMPACT:

Full details of each of the 45 vulnerabilities and their impacts
have not yet been made public.

The Oracle advisory [1] gives broad indication only of the impact
of each vulnerability, with information on the access permissions
required by an attacker to exploit them.

MITIGATION:

Oracle has released patches fixing these vulnerabilities. [1]

DETAILS:

Details have been publicly disclosed for 5 of the 45 vulnerabilities:

DB02: Package DBMS_PRVTAQIS has a SQL injection vulnerability. [2]

DB03: Package SYS.DBMS_DRS (used by Oracle Data Guard) contains a
buffer overflow vulnerability in the GET_PROPERTY function. This
allows an existing user with EXECUTE privilege on this module to
execute arbitrary code. [3]

DB12: Package MDSYS.MD (used by the Oracle Spatial component) has
several procedures that contain buffer overflow vulnerabilities.
Because EXECUTE privilege on this package is granted to PUBLIC by
default, these will allow any database user to execute
arbitrary code. [4]

DB17: By creating specially crafted views an existing database user
may perform unauthorized updates, deletes and inserts, bypassing
access control. [5]

APEX01: In Oracle APEX versions prior to 3.0.1, the function
wwv_flow_security.CHECK_DB_PASSWORD is vulnerable to SQL injection
when handling a password change for an existing user. [6]
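
The exposure of the packages named in DB02, DB03, DB12 and APEX01 depends
on who holds EXECUTE on them. The queries below are an added example, not
part of the AusCERT or Oracle advisories; they assume an account that can
read the DBA_* dictionary views, and match packages by name only.

```sql
-- Added example: run as a user that can read the DBA_* views.
-- Package names are taken from the DETAILS section. No owner filter is
-- applied, because the advisory names an owner only for DBMS_DRS (SYS)
-- and MD (MDSYS); the owner column in the output shows where each lives.

-- 1. Who holds EXECUTE on the packages named under DB02, DB03, DB12, APEX01?
SELECT p.owner,
       p.table_name AS package_name,
       p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'any database user'
         WHEN r.role IS NOT NULL   THEN 'role (see DBA_ROLE_PRIVS for members)'
         ELSE 'direct grant to user'
       END          AS exposure,
       p.grantable
FROM   dba_tab_privs p
       LEFT JOIN dba_roles r ON r.role = p.grantee
WHERE  p.privilege  = 'EXECUTE'
AND    p.table_name IN ('DBMS_PRVTAQIS', 'DBMS_DRS', 'MD', 'WWV_FLOW_SECURITY')
ORDER  BY p.owner, p.table_name, p.grantee;

-- 2. Installed components and their versions, to compare against the
--    Product list in the alert summary (database, Spatial, APEX/HTML DB).
SELECT comp_name, version, status
FROM   dba_registry
ORDER  BY comp_name;
```

A row with grantee PUBLIC in the first result is the condition DB12
describes for MDSYS.MD: every database account can call the package.
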
REFERENCES:

[1] Oracle Critical Patch Update - July 2007
    http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2007.html

[2] Red-Database-Security advisory DB02 - SQL Injection in DBMS_PRVTAQIS
    http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_prvtaqis.html

[3] Team SHATTER Security Alert - Buffer overflow in DBMS_DRS.GET_PROPERTY
    http://www.appsecinc.com/resources/alerts/oracle/2007-04.shtml

[4] Team SHATTER Security Alert - Buffer overflow and DoS in MDSYS.MD
    http://www.appsecinc.com/resources/alerts/oracle/2007-05.shtml

[5] Red-Database-Security advisory DB17 - Insert / Update / Delete Data via Views
    http://www.red-database-security.com/advisory/oracle_view_vulnerability.html

[6] Red-Database-Security advisory APEX01 - SQL Injection in CHECK_DB_PASSWORD
    http://www.red-database-security.com/advisory/oracle_apex_sql_injection_check_db_password.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert@auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================