Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities


Description   Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross-site scripting attacks, or bypass security restrictions. These issues are caused by errors in various components (e.g. Core RDBMS, Rules Manager, Expression Filter, Advanced Queuing, Authentication, Oracle Streams, Upgrade/Downgrade, Oracle Agent, Change Data Capture (CDC), Oracle Workflow Cartridge, Ultra Search, Advanced Replication, Oracle Instant Client, Oracle Text, Administration Front End, Oracle Discoverer, Oracle COREid Access, Oracle Wireless, and Oracle Portal).
     
Vulnerable Products   Vulnerable Software:
Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.5
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle Secure Enterprise Search 10g Release 1 version 10.1.6
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.0.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.1.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.2.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.1
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.2
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.1.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle10g Collaboration Suite Release 1 version 10.1.2
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 12 version 12.0.0
Oracle Enterprise Manager 9i Release 2 version 9.2.0.7
Oracle Enterprise Manager 9i Release 2 version 9.2.0.8
Oracle Enterprise Manager 9i version 9.0.1.5
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise Human Capital Management version 8.9
JD Edwards EnterpriseOne Tools version 8.96
JD Edwards OneWorld Tools SP23
     
Solution   Apply Oracle Critical Patch Update (April 2007): http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
     
CVE   CVE-2007-2170
CVE-2007-2135
CVE-2007-2134
CVE-2007-2133
CVE-2007-2132
CVE-2007-2131
CVE-2007-2130
CVE-2007-2129
CVE-2007-2128
CVE-2007-2127
CVE-2007-2126
CVE-2007-2125
CVE-2007-2124
CVE-2007-2123
CVE-2007-2122
CVE-2007-2121
CVE-2007-2120
CVE-2007-2119
CVE-2007-2118
CVE-2007-2117
CVE-2007-2116
CVE-2007-2115
CVE-2007-2114
CVE-2007-2113
CVE-2007-2112
CVE-2007-2111
CVE-2007-2110
CVE-2007-2109
CVE-2007-2108
     
References   http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2007.html
http://www.ngssoftware.com/research/papers/NGSSoftware-OracleCPUAPR2007.pdf
http://www.red-database-security.com/advisory/oracle_discoverer_servlet.html
http://www.red-database-security.com/advisory/oracle_css_ses.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_upgrade_internal.html
http://www.red-database-security.com/advisory/bypass_oracle_logon_trigger.html
http://www.appsecinc.com/resources/alerts/oracle/2007-07.shtml
http://www.zerodayinitiative.com/advisories/ZDI-07-016.html
http://www.zerodayinitiative.com/advisories/ZDI-07-017.html
     
Vulnerability Manager Detection   Yes (since ASQ v3.5.0)
     
IPS Protection  
ASQ Engine alarm   Available Since
XSS - Prevention - GET : suspicious 'iframe' tag found in URL   3.2.0
XSS - Prevention - POST : suspicious tag with event found in data   3.2.0
SQL injection Prevention - GET : suspicious OR statement in URL   3.2.0
XSS - Prevention - GET : suspicious tag with event found in URL   3.2.0
SQL injection Prevention - POST : suspicious SELECT statement in data   3.2.0
XSS - Prevention - GET : javascript code in flash clickTAG parameter   3.2.0
XSS - Prevention - POST : suspicious 'object' tag found in data   3.2.0
XSS - Prevention - GET : suspicious 'applet' tag found in URL   3.2.0
SQL injection Prevention - GET : suspicious combination of 'OR' or 'AND' statements in URL   3.2.0
SQL injection Prevention - POST : possible version probing in data   3.2.0
SQL injection Prevention - GET : suspicious CREATE statement in URL   3.2.0
SQL injection Prevention - GET : suspicious OPENROWSET statement in URL   3.2.0
XSS - Prevention - POST : suspicious 'applet' tag found in data   3.2.0
SQL injection Prevention - POST : suspicious OPENQUERY statement in data   3.2.0
SQL injection Prevention - POST : suspicious CREATE statement in data   3.2.0
XSS - Prevention - POST : 'location' javascript object found in data   3.2.0
SQL injection Prevention - POST : suspicious UPDATE statement in data   3.2.0
XSS - Phishing : suspicious 'div' tag found in URL   3.2.0
XSS - Prevention - GET : suspicious 'style' attribute found in URL   3.2.0
XSS - Prevention - POST : javascript code found in data   3.2.0
XSS - Prevention - POST : suspicious 'iframe' tag found in data   3.2.0
SQL injection Prevention - POST : suspicious UNION statement in data   3.2.0
SQL injection Prevention - GET : suspicious OPENQUERY statement in URL   3.2.0
XSS - Prevention - POST : code allowing cookie access found in data   3.2.0
SQL injection Prevention - GET : suspicious shutdown statement in URL   3.2.0
SQL injection Prevention - GET : suspicious UNION SELECT statement in URL   3.2.0
SQL injection Prevention - POST : suspicious DROP statement in data   3.2.0
SQL injection Prevention - GET : possible database version probing   3.2.0
SQL injection Prevention - POST : suspicious INSERT statement in data   3.2.0
SQL injection Prevention - POST : suspicious OR statement in data   3.2.0
XSS - Phishing : suspicious 'a' tag found in URL   3.2.0
XSS - Prevention - GET : cookie access attempt using script language found in URL   3.2.0
SQL injection Prevention - GET : suspicious UPDATE SET statement in URL   3.2.0
XSS - Prevention - GET : suspicious 'embed' tag found in URL   3.2.0
SQL injection Prevention - POST : suspicious EXEC statement in data   3.2.0
XSS - Prevention - GET : suspicious 'object' tag found in URL   3.2.0
SQL injection Prevention - GET : suspicious SELECT statement in URL   3.2.0
XSS - Phishing : suspicious 'form' tag found in URL   3.2.0
SQL injection Prevention - GET : suspicious INSERT statement in URL   3.2.0
XSS - Prevention - POST : suspicious 'embed' tag found in data   3.2.0
XSS - Prevention - POST : suspicious 'style' tag found in data   3.2.0
XSS - Prevention - GET : javascript code found in URL   3.2.0
SQL injection Prevention - GET : suspicious DROP statement in URL   3.2.0
SQL injection Prevention - POST : suspicious OPENROWSET statement in data   3.2.0
SQL injection Prevention - GET : suspicious EXEC statement in URL   3.2.0
XSS - Prevention - GET : 'script' tag in flash clickTAG parameter   3.2.0
XSS - Prevention - POST : suspicious 'div' tag found in data   3.2.0
XSS - Prevention - GET : evasion attempt using tag characters encoding in URL   3.2.0
XSS - Prevention - GET : suspicious 'style' tag found in URL   3.2.0
XSS - Phishing : suspicious 'link' tag found in URL   3.2.0
XSS - Prevention - GET : 'script' tag found in URL   3.2.0
XSS - Prevention - POST : 'script' tag found in data   3.2.0
XSS - Prevention - POST : suspicious 'style' attribute found in data   3.2.0
XSS - Prevention - GET : 'location' javascript object found in URL   3.2.0
SQL injection Prevention - POST : suspicious HAVING statement in data   3.2.0
XSS - Prevention - GET : suspicious 'div' tag found in URL   3.2.0

Risk level   High

Vulnerability First Public Report Date   2007-04-17

Target Type   Server

Possible exploit   Local & Remote