TITLE:
Oracle Products Multiple Vulnerabilities and Security Issues

SECUNIA ADVISORY ID:
SA18493

VERIFY ADVISORY:
http://secunia.com/advisories/18493/

CRITICAL:
Moderately critical

IMPACT:
Unknown, Manipulation of data, Exposure of system information, Exposure of sensitive information

WHERE:
From remote

SOFTWARE:
PeopleSoft Enterprise Portal 8.x
http://secunia.com/product/6864/
Oracle9i Developer Suite
http://secunia.com/product/5411/
Oracle9i Database Standard Edition
http://secunia.com/product/358/
Oracle9i Database Enterprise Edition
http://secunia.com/product/359/
Oracle9i Application Server
http://secunia.com/product/443/
Oracle Enterprise Manager 10.x
http://secunia.com/product/2565/
Oracle E-Business Suite 11i
http://secunia.com/product/442/
Oracle Developer Suite 10g
http://secunia.com/product/5410/
Oracle Database Server 10g
http://secunia.com/product/3387/
Oracle Database 8.x
http://secunia.com/product/360/
Oracle Collaboration Suite Release 2
http://secunia.com/product/2451/
Oracle Collaboration Suite Release 1
http://secunia.com/product/2450/
Oracle Application Server 10g
http://secunia.com/product/3190/
JD Edwards EnterpriseOne 8.x
http://secunia.com/product/5940/

DESCRIPTION:
82 vulnerabilities and security issues have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to gain knowledge of certain information, overwrite arbitrary files, and conduct SQL injection attacks.

Details have been disclosed for the following vulnerabilities:

1) Input passed to various parameters in the procedures within the DBMS_DATAPUMP, DBMS_REGISTRY, DBMS_CDC_UTILITY, DBMS_CDC_PUBLISH, DBMS_METADATA_UTIL, and DBMS_METADATA_INT Oracle PL/SQL packages is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

2) Input passed to various parameters in the ATTACH_JOB, HAS_PRIVS, and OPEN_JOB procedures within the SYS.KUPV$FT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

3) Input passed to various parameters in several procedures within the SYS.KUPV$FT_INT package is not properly sanitised before being used in a SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

The vulnerabilities have been reported in Oracle 10g Release 1.

4) Design errors in the Oracle Database cause the Oracle TDE (Transparent Data Encryption) wallet password to be logged in cleartext, and the masterkey for the TDE wallet to be stored unencrypted.

The security issues have been reported in Oracle Database 10g Release 2 version 10.2.0.1.

5) Some errors in the Reports component of the Oracle Application Server can be exploited to read parts of any files or overwrite any files via Oracle Reports.

For more information see #2, #3, and #4 in:
SA16092

The vulnerability has been reported in versions 1.0.2.0 through 10.1.0.2.

6) Input passed to the AUTH_ALTER_SESSION attribute in a TNS authentication message is not properly sanitised before being used in an SQL query. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation allows execution of arbitrary SQL queries with SYS user privileges.

The vulnerability has been reported in Oracle 8i (8.1.7.x.x), Oracle 9i (9.2.0.7), Oracle 10g Release 1 (10.1.0.4.2), and Oracle 10g Release 2 (10.2.0.1.0).

The following supported products are affected by one or more of the 82 vulnerabilities:
* Oracle Database 10g Release 2, version 10.2.0.1
* Oracle Database 10g Release 1, versions 10.1.0.3, 10.1.0.4, 10.1.0.5
* Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
* Oracle8i Database Release 3, version 8.1.7.4
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0, 10.1.2.0.1, 10.1.2.0.2, 10.1.2.1.0
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
* Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 through 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* PeopleSoft Enterprise Portal, versions 8.4, 8.8, 8.9
* JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95.F1, SP23_L1

SOLUTION:
Apply patches (see vendor advisory).

PROVIDED AND/OR DISCOVERED BY:
1-5) Alexander Kornbrust, Red Database Security.
6) Amichai Shulman

ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html

Red Database Security:
http://www.red-database-security.com/advisory/oracle_cpu_jan_2006.html
http://www.red-database-security.com/advisory/oracle_tde_wallet_password.html
http://www.red-database-security.com/advisory/oracle_tde_unencrypted_sga.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft.html
http://www.red-database-security.com/advisory/oracle_sql_injection_kupv$ft_int.html
http://www.red-database-security.com/advisory/oracle_reports_overwrite_any_file.html
http://www.red-database-security.com/advisory/oracle_reports_read_any_xml_file.html

Imperva:
http://lists.grok.org.uk/pipermail/full-disclosure/2006-January/041464.html

OTHER REFERENCES:
SA16092:
http://secunia.com/advisories/16092/
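
For items 1) to 3) of the description, an exposure check an administrator can run while patches are scheduled: which accounts and roles hold EXECUTE on the named PL/SQL packages. This is an added example, not part of the Secunia advisory or the vendor's guidance; it assumes a DBA session with access to the standard dictionary views V$VERSION, DBA_TAB_PRIVS, DBA_ROLES and DBA_ROLE_PRIVS, and ANSI join syntax (Oracle9i or later).

```sql
-- Added example: audit who can reach the packages named in items 1) to 3).
-- Run as a DBA; nothing here modifies the database.

-- 1. Release banner, to compare against the affected versions listed above.
SELECT banner FROM v$version;

-- 2. Direct EXECUTE grants on the packages named in the advisory.
--    A grant to PUBLIC means every database account can call the package.
SELECT p.owner,
       p.table_name AS package_name,
       p.grantee,
       CASE
         WHEN p.grantee = 'PUBLIC' THEN 'ALL USERS'
         WHEN r.role IS NOT NULL   THEN 'ROLE'
         ELSE 'USER'
       END          AS grantee_type,
       p.grantable
FROM   dba_tab_privs p
       LEFT JOIN dba_roles r ON r.role = p.grantee
WHERE  p.privilege = 'EXECUTE'
AND    p.table_name IN ('DBMS_DATAPUMP', 'DBMS_REGISTRY',
                        'DBMS_CDC_UTILITY', 'DBMS_CDC_PUBLISH',
                        'DBMS_METADATA_UTIL', 'DBMS_METADATA_INT',
                        'KUPV$FT', 'KUPV$FT_INT')
ORDER  BY p.table_name, grantee_type, p.grantee;

-- 3. Accounts that inherit the grant through a role.
--    This resolves one level of role membership only; roles granted to
--    other roles need a further pass over DBA_ROLE_PRIVS.
SELECT rp.grantee      AS account_or_role,
       rp.granted_role AS via_role,
       p.table_name    AS package_name
FROM   dba_role_privs rp
       JOIN dba_tab_privs p ON p.grantee = rp.granted_role
WHERE  p.privilege = 'EXECUTE'
AND    p.table_name IN ('DBMS_DATAPUMP', 'DBMS_REGISTRY',
                        'DBMS_CDC_UTILITY', 'DBMS_CDC_PUBLISH',
                        'DBMS_METADATA_UTIL', 'DBMS_METADATA_INT',
                        'KUPV$FT', 'KUPV$FT_INT')
ORDER  BY p.table_name, rp.granted_role, rp.grantee;
```

The result shows how many accounts can reach the affected procedures; it does not replace the vendor patches named under SOLUTION.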