Status Tracking Note TRTA07-200A

Oracle Releases Patches for Multiple Vulnerabilities

Overview

Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

Event Information


Date (UTC) | Description
2007-07-21 09:53 Bugtraq
Oracle bad Views - Exploit released
Vulnerabilities in Oracle Database (CVE-2007-3855) Proof Of Concept
#Cid: bunkerview.sql
2007-07-19 20:40 US-CERT
TA07-200A: Oracle Releases Patches for Multiple Vulnerabilities
Via US-CERT Mailing List
Oracle has released patches to address numerous vulnerabilities in different Oracle products. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
2007-07-18 21:52 Application Security Inc.
Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03)
Oracle Database Vuln# DB03
Oracle Database Server provides the DBMS_DRS package that includes procedures used in Oracle Data Guard. This package contains the function GET_PROPERTY which is vulnerable to buffer overflow attacks.
2007-07-18 21:50 Application Security Inc.
Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12)
Oracle Database Vuln# DB12
Oracle Database Server provides the MDSYS.MD package that is used in the Oracle Spatial component. These packages contain many public procedures that are vulnerable to buffer overflow and denial of service attacks.
2007-07-18 17:32 US-CERT
Oracle Releases July Critical Patch Update
Oracle has released their July Critical Patch Update (CPU) to address vulnerabilities across all products, some of which have a maximum severity rating of High. This CPU contains eighteen security fixes for Oracle Database; one for Oracle Application Express; four for Oracle Application Server; five for Oracle Collaboration Suite; fourteen for Oracle E-Business Suite; and seven for Oracle PeopleSoft Enterprise.
2007-07-17 20:21 Oracle
Oracle Critical Patch Update - July 2007
2007-05-07 Red-Database-Security
SQL Injection Vulnerability in Oracle CHECK_DB_PASSWORD
Vulnerability Reported
The function wwv_flow_security.check_db_password contains a SQL injection vulnerability. Oracle uses the ALTER USER command to change the password of a database user without performing any input validation on the password (a typical Oracle PL/SQL programming fault).
2006-10-24 Red-Database-Security
Insert / Update / Delete Data via Views [DB17]
Oracle Database Vuln# DB17
Vulnerability Reported
Updates, deletes and inserts are possible via specially crafted views without having the right privileges. This vulnerability is not identical to the similar vulnerabilities fixed in the April 2006 CPU and October 2006 CPU.
2005-11-01 Red-Database-Security
SQL Injection in package DBMS_PRVTAQIS [DB02]
Oracle Database Vuln# DB02
Vulnerability Reported
The package DBMS_PRVTAQIS contains a SQL injection vulnerability.


Date first published (UTC): 2007-07-22T23:11+00:00
Date last updated (UTC): 2007-07-22T23:11+00:00