Oracle Database Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions and Let Local Users Gain Elevated Privileges
|
SecurityTracker Alert ID: 1020499
|
SecurityTracker URL: http://securitytracker.com/id?1020499
|
CVE Reference: CVE-2008-2587, CVE-2008-2590, CVE-2008-2591, CVE-2008-2592, CVE-2008-2600, CVE-2008-2602, CVE-2008-2603, CVE-2008-2604, CVE-2008-2605, CVE-2008-2607, CVE-2008-2608, CVE-2008-2611, CVE-2008-2613
|
Date: Jul 16 2008
|
Impact: Denial of service via network, Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, User access via local system
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: Oracle Security Advisory
|
Version(s): 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.6; and prior versions
|
Description: Several vulnerabilities were reported in Oracle Database. A local user can obtain elevated privileges on the target system. A remote user can access and modify data on the target system. A remote user can cause denial of service conditions.
A remote user can exploit several unspecified vulnerabilities to affect the confidentiality and integrity of data on the target system.
A remote user can cause unspecified "partial" denial of service conditions.
A local user can gain elevated privileges on the target operating system.
No details were provided.
The following versions are affected:
- Oracle Database 11g, version 11.1.0.6
- Oracle Database 10g Release 2, versions 10.2.0.2, 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
The Advanced Queuing [CVE-2008-2607], Database Scheduler [CVE-2008-2613], Advanced Replication [CVE-2008-2592, CVE-2008-2587], Authentication [CVE-2008-2604, CVE-2008-2605], Oracle Database [CVE-2008-2591], Oracle Spatial [CVE-2008-2600], Data Pump [CVE-2008-2602, CVE-2008-2608], and Core RDBMS [CVE-2008-2611] components are affected.
Enterprise Manager is also affected [CVE-2008-2590, CVE-2008-2603].
The following researchers reported these and other Oracle vulnerabilities:
Flavio Casetta of Yocoya; Esteban Martinez Fayo of Application Security, Inc.; Johannes Greil of SEC Consult; guyp of Sentrigo; Joxean Koret; Alexander Kornbrust of Red Database Security; Stephen Kost of Integrigy; Dave Lewis; David Litchfield of NGS Software; Hirofumi Oka of JPCERT/CC Vulnerability Handling Team; Tanel Poder; Alexandr Polyakov of Digital Security; Andrea Purificato; and Dave Wichers of Aspect Security.
|
Impact: A remote user can access and modify data on the target system.
A remote user can cause denial of service conditions.
A local user can obtain elevated privileges on the target system.
|
Solution: The vendor has issued a fix, described in their July 2008 Critical Patch Update advisory.
The Oracle advisory is available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
|
Vendor URL: www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
|
Cause: Not specified
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)
|
Message History:
None.
|