TITLE: Oracle Products Multiple Vulnerabilities SECUNIA ADVISORY ID: SA19712 VERIFY ADVISORY: http://secunia.com/advisories/19712/ CRITICAL: Highly critical IMPACT: Unknown, Manipulation of data WHERE: >From remote SOFTWARE: Oracle9i Developer Suite http://secunia.com/product/5411/ Oracle9i Database Standard Edition http://secunia.com/product/358/ Oracle9i Database Enterprise Edition http://secunia.com/product/359/ Oracle9i Collaboration Suite http://secunia.com/product/2451/ Oracle9i Application Server http://secunia.com/product/443/ Oracle Workflow 11.x http://secunia.com/product/9412/ Oracle Pharmaceutical Applications 4.x http://secunia.com/product/9410/ Oracle PeopleSoft Enterprise Tools 8.x http://secunia.com/product/9411/ Oracle Enterprise Manager 10.x http://secunia.com/product/2565/ Oracle E-Business Suite 11i http://secunia.com/product/442/ Oracle Database 8.x http://secunia.com/product/360/ Oracle Database 10g http://secunia.com/product/3387/ Oracle Collaboration Suite 10.x http://secunia.com/product/2450/ Oracle Application Server 10g http://secunia.com/product/3190/ JD Edwards OneWorld 8.x http://secunia.com/product/2948/ JD Edwards EnterpriseOne 8.x http://secunia.com/product/5940/ DESCRIPTION: Multiple vulnerabilities have been reported in various Oracle products. Some have an unknown impact, and others can be exploited to conduct SQL injection attacks. Details have been disclosed for the following vulnerabilities: 1) An input validation error in the Log Miner component ("dbms_logmnr_session" package) can be exploited to manipulate SQL queries by injecting arbitrary SQL code. SOLUTION: Apply patches (see vendor advisory). PROVIDED AND/OR DISCOVERED BY: 1) Alexander Kornbrust, Red Database Security. The vendor furthermore credits the following: * Esteban Martinez Fayo, Application Security. * David Litchfield, NGSSoftware. * noderat ratty ORIGINAL ADVISORY: Oracle: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html Alexander Kornbrust: http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_logmnr_session.html http://www.red-database-security.com/advisory/oracle_cpu_apr_2006.html ---------------------------------------------------------------------- About: This Advisory was delivered by Secunia as a free service to help everybody keeping their systems up to date against the latest vulnerabilities. Subscribe: http://secunia.com/secunia_security_advisories/ Definitions: (Criticality, Where etc.) http://secunia.com/about_secunia_advisories/ Please Note: Secunia recommends that you verify all advisories you receive by clicking the link. Secunia NEVER sends attached files with advisories. Secunia does not advise people to install third party patches, only use those supplied by the vendor. ---------------------------------------------------------------------- Unsubscribe: Secunia Security Advisories http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org ----------------------------------------------------------------------