Oracle Database Bugs Let Remote Authenticated Users Take Full Control of the Database or System and Let Remote Users Cause Denial of Service Conditions
SecurityTracker Alert ID: 1022560

SecurityTracker URL: http://securitytracker.com/id/1022560

CVE Reference:
CVE-2009-0987, CVE-2009-1015, CVE-2009-1019, CVE-2009-1020, CVE-2009-1021, CVE-2009-1963, CVE-2009-1966, CVE-2009-1967, CVE-2009-1968, CVE-2009-1969, CVE-2009-1970, CVE-2009-1973

Date: Jul 15 2009

Impact:
Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network

Fix Available: Yes    Vendor Confirmed: Yes

Version(s): 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7; and prior versions
Description:
Several vulnerabilities were reported in Oracle Database. A remote authenticated user can take full control of the target system. A remote user can take full control of the target database. A remote user can cause denial of service conditions.
A remote authenticated user can exploit an unspecified vulnerability to fully affect the confidentiality and integrity of the target system [CVE-2009-1020] on Windows based systems. On Linux and UNIX based systems, only the database layer is affected.
A remote user can affect the confidentiality and integrity of the database on the target system [CVE-2009-1019].
A remote authenticated user can fully affect the availability of the target database [CVE-2009-1963]. Only Database Server 11.1.0.6 is affected by this flaw.
A remote authenticated user can partially affect the confidentiality and integrity of the target database.
A remote user can partially affect the availability of the target system.
No additional details were provided.
The following versions are affected:
- Oracle Database 11g, version 11.1.0.6, 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV
The Network Foundation [CVE-2009-1020, CVE-2009-1963], Network Authentication [CVE-2009-1019], Advanced Replication [CVE-2009-1021], Config Management [CVE-2009-1966, CVE-2009-1967], Upgrade [CVE-2009-0987], Virtual Private Database [CVE-2009-1973], Listener [CVE-2009-1970], Secure Enterprise Search [CVE-2009-1968], Core RDBMS [CVE-2009-1015], and Auditing [CVE-2009-1969] components are affected.
The following researchers reported these and other Oracle vulnerabilities:
Anonymous of TippingPoint (3com); Esteban Martinez Fayo of Application Security, Inc.; Kowsik Guruswamy of Mu Security; Joxean Koret; Alexander Kornbrust of Red Database Security; David Litchfield of NGS Software; Oleg P. of HSC Security Portal; Alexandr Polyakov of Digital Security; noderat ratty; and Dennis Yurichev.

Impact:
A remote authenticated user can affect the confidentiality and integrity of the target system.
A remote user can affect the confidentiality and integrity of the target database.
A remote authenticated user can affect the availability of the target database.
A remote authenticated user can partially affect the confidentiality and integrity of the target database.
A remote user can partially affect the availability of the target system.

Solution:
The vendor has issued a fix, described in their July 2009 Critical Patch Update advisory.
The Oracle advisory is available at:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Vendor URL: www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Cause:
Not specified

Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:
None.

Source Message Contents

Date: Tue, 14 Jul 2009 19:40:44 -0400
Subject: Oracle Database
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
Oracle Critical Patch Update Advisory - July 2009
CVE-2009-0987
CVE-2009-1015
CVE-2009-1019
CVE-2009-1020
CVE-2009-1021
CVE-2009-1963
CVE-2009-1966
CVE-2009-1967
CVE-2009-1968
CVE-2009-1969
CVE-2009-1970
CVE-2009-1973