Status Tracking Note TRTA07-108A

Oracle Releases Patches for Multiple Vulnerabilities

Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Event Information

Date (UTC)	Description
2007-04-18 22:09	US-CERT TA07-108A: Oracle Releases Patches for Multiple Vulnerabilities Via US-CERT Mailing List Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
2007-04-18 18:20	Application Security Inc. Buffer overflow vulnerabilities in package DBMS_SNAP_INTERNAL Oracle Database Vuln# DB10
2007-04-18 15:57	Oracle Oracle Critical Patch Update - April 2007
2007-04-18 15:02	NGSSoftware Database Security Brief: The Oracle Critical Patch Update for April 2007 This brief discusses the database flaws and EM01 which relates to the Intelligent Agent. DB01 Authentication Bypass on Oracle running on Windows XP DB02 Race Condition in the RLMGR_TRUNCATE_MAINT trigger DB03 NULL DACL on Oracle Process in Windows DB04 PL/SQL Injection in DBMS_AQADM_SYS DB05 AUTH_ALTER_SESSION After Logon Trigger Bypass DB06 SQL Injection Flaw in DBMS_APPLY_USER_AGENT DB07 SQL Injection Flaw in DBMS_UPGRADE_INTERNAL EM01 Authentication Bypass in Intelligent Agent DB08 Buffer Overflow in DBMS_CDC_IPUBLISH DB09 SQL Injection in DBMS_CDC_PUBLISH DB10 Buffer Overflow in DBMS_SNAP_INTERNAL DB11 Flaw in genezi utility DB12 Flaw in ctxsrv server daemon (command line) DB13 Flaw in mig utility
2006-12-14	Zero Day Initiative (ZDI) ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vulnerability (CVE-2007-2170) This vulnerability allows remote attackers to delete any existing Document Management node on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability. Vulnerability confirmed
2006-12-14	Zero Day Initiative (ZDI) ZDI-07-017: Oracle E-Business Suite Arbitrary Document Download Vulnerability (CVE-2007-0714) This vulnerability allows remote attackers to download any existing document in the APPS.FND_DOCUMENTS table on vulnerable installations of Oracle E-Business Suite. Authentication is not required to exploit this vulnerability. Vulnerability confirmed
2006-06-07	Red-Database-Security Bypass Oracle Logon Trigger (7826485) [DB05] Vulnerability Reported It is possible to bypass the Oracle database logon trigger. This can cause severe security problems.
2005-11-01	Red-Database-Security SQL Injection in package SYS.DBMS_UPGRADE_INTERNAL (6980753) [DB07] Vulnerability Reported The package DBMS_UPGRADE_INTERNAL contains SQL injection vulnerabilities.
2005-04-05	Red-Database-Security Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search - SES01 Vulnerability Reported Oracle Secure Enterprise Search 10g, a standalone product from Oracle, enables a secure, high quality, easy-to-use search across all enterprise information assets.
2003-10-28	Red-Database-Security Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet (6085705) [AS01] Vulnerability Reported The Oracle Discoverer Servlet contains a field for the database/tns alias. It is possible to send TNS STOP commands via this field and to shutdown unprotected Oracle TNS Listener.


Date first published (UTC):	2007-04-19T23:45+00:00
Date last updated (UTC):	2007-04-19T23:45+00:00