----------------------------------------------------------------------

TITLE:
Oracle Products Multiple Vulnerabilities

SECUNIA ADVISORY ID:
SA33525

VERIFY ADVISORY:
http://secunia.com/advisories/33525/

CRITICAL:
Highly critical

IMPACT:
Unknown, Cross Site Scripting, Manipulation of data, Privilege
escalation, System access

WHERE:
From remote

REVISION:
1.1 originally posted 2009-01-14

SOFTWARE:
Oracle9i Database Standard Edition
http://secunia.com/advisories/product/358/
Oracle9i Database Enterprise Edition
http://secunia.com/advisories/product/359/
Oracle Times-Ten In-Memory Database 7.x
http://secunia.com/advisories/product/19313/
Oracle Enterprise Manager 10.x
http://secunia.com/advisories/product/2565/
Oracle E-Business Suite 12.x
http://secunia.com/advisories/product/13979/
Oracle E-Business Suite 11i
http://secunia.com/advisories/product/442/
Oracle Database 11.x
http://secunia.com/advisories/product/18050/
Oracle Database 10.x
http://secunia.com/advisories/product/3387/
Oracle Collaboration Suite 10.x
http://secunia.com/advisories/product/2450/
Oracle Application Server 10g
http://secunia.com/advisories/product/3190/
JD Edwards OneWorld Tools 8.x
http://secunia.com/advisories/product/2948/
JD Edwards EnterpriseOne Tools 8.x
http://secunia.com/advisories/product/5940/
Oracle Secure Backup 10.x
http://secunia.com/advisories/product/20975/
Oracle PeopleSoft Enterprise Human Resource Management System 8.x
http://secunia.com/advisories/product/20976/
Oracle PeopleSoft Enterprise Human Resource Management System 9.x
http://secunia.com/advisories/product/20977/

DESCRIPTION:
Some vulnerabilities have been reported in various Oracle products.
Some have unknown impact while others can be exploited by malicious
users to conduct SQL injection attacks or manipulate certain data, and
by malicious people to conduct cross-site scripting attacks or to
compromise a vulnerable system.

1) A vulnerability exists in Oracle Database due to an unspecified
function allowing an authenticated user to create or rewrite arbitrary
files with escalated privileges.

This vulnerability is reported in Oracle Database 10g R2 10.2.0.3.0 on
32-bit Linux and Windows platforms. Other versions may also be
affected.

2) Input passed via a cookie in php/login.php in Oracle Corp.'s Secure
Backup Administration Server is not properly sanitised before being
used. This can be exploited to inject and execute arbitrary shell
commands on an affected system.

3) Input passed via an unspecified parameter in php/common.php in
Oracle Corp.'s Secure Backup Administration Server is not properly
verified before being used. This can be exploited to inject and
execute arbitrary shell commands on an affected system.

Vulnerabilities #2 and #3 are reported in Oracle Corp.'s Secure Backup
version 10.2.0.2 for Linux and Secure Backup version 10.2.0.2 for
Windows. Other versions may also be affected.

4) Input passed via an unspecified parameter in common.php in Oracle
Corp.'s Secure Backup Administration Server is not properly sanitised
before being used. This can be exploited to inject and execute
arbitrary shell commands on an affected system.

This vulnerability is reported in Oracle Corp.'s Secure Backup version
10.1.0.3 for Linux. Other versions may also be affected.

5) Certain input is not properly sanitised before being used when
executing the "MDSYS.SDO_TOPO_DROP_FTBL" trigger. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code.

Successful exploitation of this vulnerability allows performing certain
actions as the MDSYS user, but requires "CREATE SESSION" privileges.

This vulnerability is reported in Oracle 10g R1 and R2 (10.1.0.5 and
10.2.0.2). Other versions may also be affected.

6) Input passed via the URL to BPELConsole/default/activities.jsp is
not properly sanitised before being returned to the user. This can be
exploited to execute arbitrary HTML and script code in an
administrator's browser session in context of an affected site.

This vulnerability is reported in Oracle Application Server (SOA)
version 10.1.3.1.0. Other versions may also be affected.

The remaining vulnerabilities are caused due to unspecified errors. No
more information is currently available.

The vulnerabilities are reported in the following products and
versions:
* Oracle Database 11g, version 11.1.0.6
* Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
* Oracle Database 10g, version 10.1.0.5
* Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
* Oracle Secure Backup version 10.2.0.2, 10.2.0.3
* Oracle Secure Backup version 10.1.0.1, 10.1.0.2, 10.1.0.3
* Oracle TimesTen In-Memory Database version 7.0.5.1.0, 7.0.5.2.0,
  7.0.5.3.0, 7.0.5.4.0
* Oracle Application Server 10g Release 3 (10.1.3), version 10.1.3.3.0
* Oracle Application Server 10g Release 2 (10.1.2), versions
  10.1.2.2.0, 10.1.2.3.0
* Oracle Collaboration Suite 10g, version 10.1.2
* Oracle E-Business Suite Release 12, version 12.0.6
* Oracle E-Business Suite Release 11i, version 11.5.10.2
* Oracle Enterprise Manager Grid Control 10g Release 4, version
  10.2.0.4
* PeopleSoft Enterprise HRMS versions: 8.9 and 9.0
* JD Edwards Tools version 8.97

SOLUTION:
Apply the patches (see the vendor's advisory).

PROVIDED AND/OR DISCOVERED BY:
The vendor credits:
* Deniz Cevik, Intellect
* Andy Davis, Information Risk Management Plc (IRM Plc)
* Esteban Martinez Fayo, Application Security, Inc.
* Franz Huell, Red Database Security
* Wasim Iqbal
* Joxean Koret
* Joxean Koret, TippingPoint (3com)
* Alexander Kornbrust, Red Database Security
* Sasa Kos, ACROS Security
* Zhenhua Liu, Fortinet, Inc.
* Andy Sch., Centre for the Protection of National Infrastructure
* Daiki Fukumori [Secure Sky Technology], JPCERT/CC Vulnerability
  Handling Team
* Geoff Whittington, Assurent Secure Technologies
* Xiaopeng Zhang, Fortinet, Inc.

1) Code Audit Labs, iDefense
2, 3, 4) An anonymous person, reported via iDefense
5) David Litchfield, NGS Software
6) Alexandr Polyakov, Digital Security Research Group

CHANGELOG:
2009-01-14: Updated "Description" to include vulnerability #5 and #6.

ORIGINAL ADVISORY:
Oracle:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

iDefense Labs:
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=767
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=768
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=769

----------------------------------------------------------------------

About:
This Advisory was delivered by Secunia as a free service to help
everybody keep their systems up to date against the latest
vulnerabilities.

Subscribe:
http://secunia.com/advisories/secunia_security_advisories/

Definitions: (Criticality, Where etc.)
http://secunia.com/advisories/about_secunia_advisories/

Please Note:
Secunia recommends that you verify all advisories you receive by
clicking the link.
Secunia NEVER sends attached files with advisories.
Secunia does not advise people to install third party patches, only
use those supplied by the vendor.

----------------------------------------------------------------------