Oracle Updates for Multiple Vulnerabilities - April 2008
http://jvnrss.ise.chuo-u.ac.jp/jtg/trn/en/TRJVN-2008-01.html
JVNRSS based Status Tracking Notes
Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.
Publisher: JVNRSS Feasibility Study Team (jvn@jvn.jp)
Identifier: TRJVN-2008-01
Dates: 2008-05-25T04:36+00:00 / 2008-05-25T03:38+00:00 / 2008-05-25T04:36+00:00

Oracle Critical Patch Update Advisory - April 2008
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Publisher: Oracle
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2008-04-15T22:13+00:00 / 2008-04-15T22:13+00:00 / 2008-04-15T22:13+00:00

Oracle Releases Critical Patch Update for April 2008
http://www.us-cert.gov/current/archive/2008/04/15/archive.html#oracle_releases_critical_patch_update2
US-CERT Current Activity
Oracle has released its Critical Patch Update for April 2008 to address 41 vulnerabilities across several products.
Publisher: US-CERT
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2008-04-15T16:30-04:00 / 2008-04-15T16:30-04:00 / 2008-04-15T16:30-04:00

Oracle April Patch Advance Information Posted
http://isc.sans.org/diary.html?storyid=4283
Oracle has posted its advance information for its Critical Patch Update for April 2008, to be released on Tuesday, April 15, 2008.
Publisher: SANS Internet Storm Center
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2008-04-13T00:18+00:00 / 2008-04-13T00:18+00:00 / 2008-04-13T00:18+00:00

Oracle Application Express Privilege Escalation Vulnerability
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=690
Privilege Escalation Vulnerability (CVE-2008-1811)
Status: Vulnerability Reported
The vulnerability exists in the "run_ddl" function within the "wwv_execute_immediate" package. This package is included in the "flows_030000" schema. This function allows attackers to execute SQL commands as any database user, such as SYS.
Publisher: iDefense
Identifier: 690
References: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html ; http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-1811
Dates: 2008-01-18 / 2008-01-18 / 2008-01-18

Oracle Database SQL Injection in SYS.DBMS_CDC_UTILITY.LOCK_CHANGE_SET (DB02)
http://www.appsecinc.com/resources/alerts/oracle/2008-01.shtml
Oracle Database Vuln# DB02
Status: Vulnerability Reported
The PL/SQL package DBMS_CDC_UTILITY owned by SYS has an instance of SQL injection. A malicious user can call a vulnerable procedure of this package with specially crafted parameters and execute SQL statements with the elevated privileges of the SYS user.
Publisher: Application Security Inc.
Identifier: Team SHATTER Security Alert Oracle 2008-01
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2007-09-24 / 2007-09-24 / 2007-09-24

Oracle Database Buffer Overflow in Oracle SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)
http://www.appsecinc.com/resources/alerts/oracle/2008-02.shtml
Oracle Database Vuln# DB11
Status: Vulnerability Reported
Oracle Database Server provides the SYS.KUPF$FILE_INT package. This package contains the procedure GET_FULL_FILENAME, which is vulnerable to buffer overflow attacks.
Publisher: Application Security Inc.
Identifier: Team SHATTER Security Alert Oracle 2008-02
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2007-08-24 / 2007-08-24 / 2007-08-24

SQL Injection in package SDO_GEOM [DB06]
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_geom.html
Oracle Database Vuln# DB06
Status: Vulnerability Reported
The package SDO_GEOM (part of Oracle Spatial) is vulnerable to SQL injection.
Publisher: Red-Database-Security
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2007-06-06 / 2007-06-06 / 2007-06-06

SQL Injection in package SDO_UTIL [DB05]
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_util.html
Oracle Database Vuln# DB05
Status: Vulnerability Reported
The package SDO_UTIL is vulnerable to SQL injection.
Publisher: Red-Database-Security
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2007-06-06 / 2007-06-06 / 2007-06-06

SQL Injection in package SDO_IDX [DB07]
http://www.red-database-security.com/advisory/oracle_sql_injection_sdo_idx.html
Oracle Database Vuln# DB07
Status: Vulnerability Reported
The package SDO_IDX (part of Oracle Spatial) is vulnerable to SQL injection.
Publisher: Red-Database-Security
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2007-06-06 / 2007-06-06 / 2007-06-06

Hardcoded Password and Password Reset of OUTLN User [DB13]
http://www.red-database-security.com/advisory/oracle_outln_password_change.html
Oracle Database Vuln# DB13
Status: Vulnerability Reported
During the creation of a materialized view, the package DBMS_STATS_INTERNAL is called; it resets the password of the user OUTLN to OUTLN and grants DBA privileges to this user.
Publisher: Red-Database-Security
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2007-04-04 / 2007-04-04 / 2007-04-04

Oracle Database Buffer Overflow in Oracle SYS.DBMS_AQJMS_INTERNAL (DB15)
http://www.appsecinc.com/resources/alerts/oracle/2008-03.shtml
Oracle Database Vuln# DB15
Status: Vulnerability Reported
Oracle Database Server provides the SYS.DBMS_AQJMS_INTERNAL package. This package contains the procedures AQ$_REGISTER and AQ$_UNREGISTER, which are vulnerable to buffer overflow attacks.
Publisher: Application Security Inc.
Identifier: Team SHATTER Security Alert Oracle 2008-03
Reference: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html
Dates: 2005-02-22 / 2005-02-22 / 2005-02-22