Good morning. If your day has just gone into the crapper I apologize. Multiple vulnerabilities have been disclosed for a slew of Oracle products. The worst of the lot allows data manipulation by a remote user. I would say that qualifies as bad.

Secunia: “Description:
Multiple vulnerabilities have been reported in various Oracle products. Some of these vulnerabilities have unknown impacts while others can be exploited to cause a DoS (Denial of Service), conduct SQL injection attacks, and potentially compromise the system.

Details are available for the following vulnerabilities:

1) Various input processed by the following packages is not properly sanitised before being used in SQL queries. This can be exploited to manipulate SQL queries by injecting arbitrary SQL code:
* DBMS_XDBZ
* SDO_DROP_USER_BEFORE
* MD2
* DBMS_CDC_IMPDP
* DBMS_CDC_IPUBLISH
* DBMS_CDC_ISUBSCRIBE
* DBMS_SQLTUNE
* SDO_GEOR_INT
* XDB_PITRIG_PKG
* SDO_DROP_USER
* SDO_CS

2) Boundary errors in the RELATE functions of the MD2 and SDO_GEOM packages, the GEOM_OPERATION function of the SDO_3GL package, and the TRANSFORM_LAYER function of the SDO_CS package may be exploited to cause a buffer overflow.

Solution:
Apply patches (see the vendor’s advisory).

Provided and/or discovered by:
The vendor credits:
* Johannes Fahrenkrug
* Sacha Faust, SPI Dynamics, Inc.
* Esteban Martinez Fayo, Application Security, Inc.
* Alexander Kornbrust, Red Database Security GmbH
* David Litchfield, NGSSoftware.
* Andrew Maksimenko, COMEC-92.

Original Advisory:
Oracle:
http://www.oracle.com/technology/depl…ritical-patch-updates/cpuoct2006.html

David Litchfield:
http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf ”
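To show the pattern behind item 1 of the advisory, here is an added PL/SQL illustration (not code from Secunia, Oracle or any of the packages listed above; the procedure names and the app_data table are hypothetical): a definer's-rights procedure that splices its argument into dynamic SQL, beside a hardened version that passes data values as bind variables and validates anything that must be part of the statement text with DBMS_ASSERT.

```sql
-- Hypothetical illustration only; not the code of any Oracle package named above.

-- VULNERABLE: the caller-supplied value becomes part of the statement text.
-- Because the procedure runs with its owner's rights (AUTHID DEFINER), whatever
-- SQL the caller manages to smuggle in runs with the package owner's privileges.
CREATE OR REPLACE PROCEDURE drop_user_data_unsafe (p_user IN VARCHAR2)
  AUTHID DEFINER
IS
BEGIN
  EXECUTE IMMEDIATE 'DELETE FROM app_data WHERE owner = ''' || p_user || '''';
END;
/

-- HARDENED: data values travel as bind variables and are never concatenated
-- into the statement, so they cannot change its structure. An identifier that
-- genuinely has to be spliced in (the table name here) is first checked by
-- DBMS_ASSERT.SQL_OBJECT_NAME, which raises an error unless it names an
-- existing object, and then quoted by ENQUOTE_NAME so it carries no extra tokens.
-- AUTHID CURRENT_USER runs the statement with the caller's own rights, which
-- limits what a successful injection could reach if one slipped through.
CREATE OR REPLACE PROCEDURE drop_user_data_safe (p_user  IN VARCHAR2,
                                                 p_table IN VARCHAR2)
  AUTHID CURRENT_USER
IS
  l_table VARCHAR2(128);
BEGIN
  l_table := DBMS_ASSERT.ENQUOTE_NAME(DBMS_ASSERT.SQL_OBJECT_NAME(p_table));
  EXECUTE IMMEDIATE 'DELETE FROM ' || l_table || ' WHERE owner = :owner'
    USING p_user;
END;
/
```

When auditing your own packages for the class of bug in item 1, the search is for EXECUTE IMMEDIATE, OPEN ... FOR and DBMS_SQL.PARSE calls whose statement text is built by concatenating a parameter; DBMS_ASSERT is available from Oracle 10g Release 2 onward.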


[tags]Oracle, David Litchfield, Remote Access, Data Manipulation, Databases[/tags]
