[VulnWatch] Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite

From: Integrigy Security (alerts_at_integrigy.com)
Date: 06/04/04

  • Next message: Derek Soeder: "[VulnWatch] EEYE: RealPlayer embd3260.dll Error Response Heap Overflow"
    To: <vulnwatch@vulnwatch.org>
    Date: Fri, 4 Jun 2004 12:59:04 -0500


    Integrigy Security Alert
    Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities
    June 3, 2004
    Multiple SQL injection vulnerabilities exist in the Oracle E-Business Suite
    11i and Oracle Applications 11.0. These vulnerabilities can be remotely
    exploited simply using a browser and sending a specially crafted URL to the
    web server. A mandatory patch from Oracle is required to solve these
    security issues.
    Product: Oracle E-Business Suite
    Versions: 11.0.x, 11.5.1 - 11.5.8
    Platforms: All platforms
    Risk Level: Critical
    Integrigy has discovered multiple SQL injection vulnerabilities in almost
    all supported versions of Oracle Applications (11.0 and 11i). Because
    Oracle Applications 11i installs code for all product modules, all Oracle
    Applications 11i customers are vulnerable to these SQL injection issues.
    A SQL injection vulnerability allows an attacker to execute SQL statements
    or database functions by inserting SQL code fragments into input fields of a
    web page. Due to the design of Oracle Applications, a SQL injection attack
    can easily and effectively compromise the entire database and application.
    Customers with Internet facing application servers are most vulnerable since
    these vulnerabilities can be exploited remotely using a browser. Since
    attacks can be specially crafted for Oracle Applications and an attack may
    only be a single HTTP Get or Post, successful attacks can be easily designed
    that will evade most intrusion detection and prevention systems.
    Oracle has released a patch for Oracle Applications 11.0 and the Oracle
    E-Business Suite 11i to correct these vulnerabilities.
    The following Oracle patches must be applied --
          Version Patch
          ------- -----
          11i 3644626 (11.5.1 - 11.5.8)
          11.0 3648066 (all versions)
    The patch availability matrix is available in Oracle Metalink Note ID
    Oracle Applications 11i customers that have applied both the Report Manager
    Mini-pack B (11i.FRM.B) or greater AND Marketing Suite Family Pack B
    (11i.MKT_PF.B) do NOT need to apply a patch for these vulnerabilities -
    these patch levels are included in 11.5.9.
    All Oracle Applications customers should consider this vulnerability
    extremely high risk and apply the above patch at the earliest possible
    opportunity. Customers with Internet facing application servers should
    apply the patch immediately.
    Appropriate testing and backups should be always performed before applying
    any patches.
    Additional Information:
      Metalink Note ID 274356.1 (Oracle Security Alert)
      Metalink Note ID 274375.1 (Patch Availability Matrix)
    For more information or questions regarding this security alert, please
    contact us at alerts@integrigy.com.
    Integrigy has included checks for these vulnerabilities in AppSentry, a
    vulnerability scanner for Oracle Applications, and AppDefend, an application
    intrusion prevention system for Oracle Applications.
    This vulnerability was discovered by Stephen Kost of Integrigy Corporation.
    About Integrigy Corporation (www.integrigy.com)
    Integrigy Corporation is a leader in application security for large
    enterprise, mission critical applications. Our application vulnerability
    assessment tool, AppSentry, assists companies in securing their largest and
    most important applications. Integrigy Consulting offers security assessment
    services for leading ERP and CRM applications.
    For more information, visit www.integrigy.com.

  • Next message: Derek Soeder: "[VulnWatch] EEYE: RealPlayer embd3260.dll Error Response Heap Overflow"