[VulnWatch] Integrigy Security Advisory - High Risk Security Issues in the Oracle Database and Oracle Applications

From: Integrigy Security (alerts_at_integrigy.com)
Date: 01/20/05

  • Next message: iDefense Customer Service: "[VulnWatch] iDEFENSE Security Advisory 01.20.05: 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability"
    To: <vulnwatch@vulnwatch.org>
    Date: Wed, 19 Jan 2005 22:09:58 -0600
    
    

    Integrigy Security Advisory
    ______________________________________________________________________
     
    High Risk Security Issues in the Oracle Database and Oracle Applications
    Oracle Critical Patch Update - January 2005
    January 19, 2005
    ______________________________________________________________________
     
    Summary:
     
    Oracle has released the its first Critical Patch Update (January 2005) and
    fixes 23 vulnerabilities in the Oracle Database, Oracle Application Server,
    and Oracle E-Business Suite - Integrigy discovered 5 of these
    vulnerabilities. The vulnerabilities in the Oracle Database and Oracle
    E-Business Suite should be considered high risk and organizations should
    work to apply the necessary patches at the earliest possible opportunity.

    Integrigy Discovered Vulnerabilities:
     
    Product: Oracle E-Business Suite
    Versions: 11.0.x, 11.5.1 - 11.5.9
    Platforms: All platforms
    Risk Level: High
    Number: 2

    Product: Oracle Database
    Versions: 8.1.7.x, 9.0.1.x, 9.2.0.x, and 10.1.0.x
    Platforms: All platforms
    Risk Level: High
    Number: 1

    Product: Oracle Application Server
    Versions: 1.0.2.2.x
    Platforms: All platforms
    Risk Level: Medium
    Number: 2
    _____________________________________________________________________
     
    Description:
     
    Oracle Corporation released the first Critical Patch Update (CPU) on January
    18, 2005. The CPU is a collection of security related patches for the
    Oracle Database, Oracle Application Server, Oracle Collaboration Suite, and
    Oracle E-Business Suite. There are 23 vulnerabilities addressed in the CPU
    ranging from buffer overflows to SQL injection to denial of service (DoS)
    issues. Most of the vulnerabilities are high risk and should be addressed
    quickly by organizations.

    Oracle Database Vulnerabilities:

    Multiple vulnerabilities exist in the Oracle Spatial package MDSYS.MD2 that
    can be exploited by an attacker to gain escalated privileges on the server.

    Oracle Application Server Vulnerabilities:

    A denial of service vulnerability exists in the Oracle Forms Server.

    The Oracle Reports Server administrative functions can be exploited to
    obtain the database password used by the server. Integrigy released a
    security alert in November 2002
    (www.integrigy.com/alerts/ReportsServer_APPS_Disclosure.htm) to notify
    Oracle Applications clients of the issue and to provide a work-around. The
    Oracle patch removes the password from being displayed. However, Integrigy
    still recommends clients install the work-around in order to block access to
    all the administrative functions.

    Oracle E-Business Suite Vulnerabilities:

    Two SQL injection vulnerabilities exist in the Oracle E-Business Suite.
     
    Solution:
     
    All Oracle customers should consider these vulnerabilities high risk and
    apply the Oracle patches at the earliest possible opportunity. Customers
    with Internet facing application servers should consider applying these
    patches as soon as possible. See Oracle Metalink Note 293953.1 for patch
    information and instructions.
     
    In order to assist our clients, Integrigy has developed a detailed analysis
    of the security release and its impact on Oracle Applications. The analysis
    provides additional information on the vulnerabilities and patches released
    in the Critical Patch Update as it relates to the Oracle E-Business Suite
    (Oracle Applications 11i). The objective of the analysis is to assist IT
    managers and Applications DBAs in assessing the impact on their Oracle
    Applications 11i implementations and the risks associated with the
    vulnerabilities, especially since the CPU addresses a large number of
    vulnerabilities and impacts all layers of the Oracle Applications technology
    stack. The analysis can be downloaded from Integrigy's website at
    www.integrigy.com/info/SecurityAnalysis-CPU0105.pdf.
    ______________________________________________________________________
     
    For more information or questions regarding this security alert, please
    contact us at alerts@integrigy.com.
     
    Integrigy has included checks for many of these vulnerabilities in
    AppSentry, a vulnerability scanner for Oracle Applications, and AppDefend,
    an application intrusion prevention system for Oracle Applications.
     
    Credit:
     
    The vulnerabilities referenced in this advisory were discovered by Stephen
    Kost of Integrigy Corporation.
    ______________________________________________________________________
     
    About Integrigy Corporation (www.integrigy.com)
     
    Integrigy Corporation is a leader in application security for large
    enterprise, mission critical applications. Our application vulnerability
    assessment tool, AppSentry, assists companies in securing their largest and
    most important applications. AppDefend is an intrusion prevention system for
    Oracle Applications and blocks common types of attacks against application
    servers. Integrigy Consulting offers security assessment services for
    leading ERP and CRM applications.
     
    For more information, visit www.integrigy.com.


  • Next message: iDefense Customer Service: "[VulnWatch] iDEFENSE Security Advisory 01.20.05: 3Com OfficeConnect Wireless 11g AP Information Disclosure Vulnerability"

    Relevant Pages