Status Tracking Note TRTA07-108A

Oracle Releases Patches for Multiple Vulnerabilities

Overview

Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Event Information

Date (UTC)    Description
2007-04-18 22:09 US-CERT
TA07-108A: Oracle Releases Patches for Multiple Vulnerabilities
Via US-CERT Mailing List
Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
2007-04-18 18:20 Application Security Inc.
Buffer overflow vulnerabilities in package DBMS_SNAP_INTERNAL
Oracle Database Vuln# DB10
2007-04-18 15:57 Oracle
Oracle Critical Patch Update - April 2007
2007-04-18 15:02 NGSSoftware
Database Security Brief: The Oracle Critical Patch Update for April 2007
This brief discusses the database flaws and EM01, which relates to the Intelligent Agent.
DB01 Authentication Bypass on Oracle running on Windows XP
DB02 Race Condition in the RLMGR_TRUNCATE_MAINT trigger
DB03 NULL DACL on Oracle Process in Windows
DB04 PL/SQL Injection in DBMS_AQADM_SYS
DB05 AUTH_ALTER_SESSION After Logon Trigger Bypass
DB06 SQL Injection Flaw in DBMS_APPLY_USER_AGENT
DB07 SQL Injection Flaw in DBMS_UPGRADE_INTERNAL
EM01 Authentication Bypass in Intelligent Agent
DB08 Buffer Overflow in DBMS_CDC_IPUBLISH
DB09 SQL Injection in DBMS_CDC_PUBLISH
DB10 Buffer Overflow in DBMS_SNAP_INTERNAL
DB11 Flaw in genezi utility
DB12 Flaw in ctxsrv server daemon (command line)
DB13 Flaw in mig utility
2006-12-14 Zero Day Initiative (ZDI)
ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability
(CVE-2007-2170)
This vulnerability allows remote attackers to delete any existing Document Management node on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.
Vulnerability confirmed
2006-12-14 Zero Day Initiative (ZDI)
ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability
(CVE-2007-0714)
This vulnerability allows remote attackers to download any existing document in the APPS.FND_DOCUMENTS table on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability.
Vulnerability confirmed
2006-06-07 Red-Database-Security
Bypass Oracle Logon Trigger (7826485) [DB05]
Vulnerability Reported
It is possible to bypass the Oracle database logon trigger. This can cause severe security problems.
2005-11-01 Red-Database-Security
SQL Injection in package SYS.DBMS_UPGRADE_INTERNAL (6980753) [DB07]
Vulnerability Reported
The package DBMS_UPGRADE_INTERNAL contains SQL injection vulnerabilities.
2005-04-05 Red-Database-Security
Cross-Site Scripting Vulnerability in Oracle Secure Enterprise Search - SES01
Vulnerability Reported
Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables a secure, high quality, easy-to-use search across all enterprise information assets.
2003-10-28 Red-Database-Security
Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet (6085705) [AS01]
Vulnerability Reported
The Oracle Discoverer Servlet contains a field for the database/TNS alias. It is possible to send TNS STOP commands via this field and to shut down an unprotected Oracle TNS Listener.
Date first published (UTC): 2007-04-19T23:45+00:00
Date last updated (UTC): 2007-04-19T23:45+00:00