Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities


Description   Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross-site scripting attacks, or bypass security restrictions.
The first issue is due to an input validation error in Oracle Database when handling certain parameters via XML DB, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
The second issue is due to an input validation error in the "DBMS_AQ_INV" package, which could be exploited by malicious people to inject and execute arbitrary SQL queries.
The third vulnerability is due to a buffer overflow error in the Oracle Notification Service (ONS) when processing malformed requests sent to port 6200/TCP, which could be exploited by remote unauthenticated attackers to execute arbitrary commands.
The fourth issue is due to an input validation error in Oracle Application Server when processing requests via the "EmChartBean" component, which could be exploited by remote unauthenticated attackers to access and read the contents of arbitrary files via directory traversal attacks.
The fifth vulnerability is due to an input validation error in Oracle Reports Web Cartridge (RWCGI60) when processing the "genuser" parameter script, which could be exploited by attackers to cause arbitrary scripting code to be executed by the user's browser in the security context of an affected Web site.
Other unspecified vulnerabilities have also been identified in various components.
     
Vulnerable Products   Vulnerable Software:
Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 1 version 10.1.0.3
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle Identity Management 10g version 10.1.4.0.1
Oracle Application Server 10g Release 3 version 10.1.3.0.0
Oracle Application Server 10g Release 3 version 10.1.3.1.0
Oracle Application Server 10g Release 2 versions 10.1.2.0.0 through 10.1.2.0.2
Oracle Application Server 10g Release 2 version 10.1.2.1.0
Oracle Application Server 10g Release 2 version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.2
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle Enterprise Manager 10g Grid Control Release 2 version 10.2.0.1
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.4
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.5
Oracle Enterprise Manager 10g Grid Control Release 1 version 10.1.0.3
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle Developer Suite, version 9.0.4.3
Oracle Developer Suite, version 10.1.2.0.2
Oracle Developer Suite, version 6i
Oracle8i Database Release 3 version 8.1.7.4
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle9i Database Release 1 version 9.0.1.4
Oracle9i Application Server Release 2 version 9.0.2.3
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle9i Database Release 2 version 9.2.0.5
Oracle9i Database Release 2 version 9.2.0.6
     
Solution   Apply the Oracle Critical Patch Update (January 2007): http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
     
CVE   CVE-2007-0297
CVE-2007-0296
CVE-2007-0295
CVE-2007-0294
CVE-2007-0293
CVE-2007-0292
CVE-2007-0291
CVE-2007-0290
CVE-2007-0289
CVE-2007-0288
CVE-2007-0287
CVE-2007-0286
CVE-2007-0285
CVE-2007-0284
CVE-2007-0283
CVE-2007-0282
CVE-2007-0281
CVE-2007-0280
CVE-2007-0279
CVE-2007-0278
CVE-2007-0277
CVE-2007-0276
CVE-2007-0275
CVE-2007-0274
CVE-2007-0273
CVE-2007-0272
CVE-2007-0271
CVE-2007-0270
CVE-2007-0269
CVE-2007-0268
CVE-2007-0222
     
References   http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
http://www.red-database-security.com/advisory/oracle_xmldb_css2.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aq_inv.html
http://www.red-database-security.com/advisory/oracle_buffer_overflow_ons.html
http://www.symantec.com/enterprise/research/SYMSA-2007-001.txt
     
Vulnerability Manager Detection   Yes (since ASQ v3.5.0)
     
IPS Protection
ASQ Engine alarm | Available Since
Misc : Directory traversal - parameter starting with ../ | 3.2.0
Directory traversal using ..\.. | 3.2.0
Directory traversal | 3.2.0
     
Risk level   Critical
Vulnerability First Public Report Date   2007-01-17
Target Type   Server
Possible exploit   Local & Remote