Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact
SecurityTracker Alert ID: 1015961
SecurityTracker URL: http://securitytracker.com/id/1015961
CVE Reference: CVE-2006-0435, CVE-2006-1866, CVE-2006-1867, CVE-2006-1868, CVE-2006-1869, CVE-2006-1870, CVE-2006-1871, CVE-2006-1872, CVE-2006-1873, CVE-2006-1874, CVE-2006-1875, CVE-2006-1876
Updated: Nov 29 2009
Original Entry Date: Apr 18 2006
Impact: Execution of arbitrary code via network, User access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10.2.0.2 and prior versions
Description:
More than 30 vulnerabilities were reported in Oracle Database and other Oracle products. The impact was not specified by the vendor.
Oracle released their Critical Patch Update for April 2006, addressing numerous vulnerabilities in Oracle Database, Oracle Application Server, Oracle Collaboration Suite, Oracle Enterprise Manager, and PeopleSoft Enterprise Portal product versions.
The most severe of the vulnerabilities are described by the vendor as having a "Wide" impact on the confidentiality, availability, and integrity of the system.
The following product versions are affected:
* Oracle Database 10g Release 2, versions 10.2.0.1, 10.2.0.2
* Oracle Database 10g Release 1, versions 10.1.0.4, 10.1.0.5
* Oracle Database 10g Release 1, version 10.1.0.4.2
* Oracle Database 10g Release 1, version 10.1.0.3
* Oracle9i Database Release 2, versions 9.2.0.6, 9.2.0.7
* Oracle9i Database Release 2, version 9.2.0.5
* Oracle8i Database Release 3, version 8.1.7.4
* Oracle9i Database Release 1, versions 9.0.1.4
* Oracle9i Database Release 1, versions 9.0.1.5, 9.0.1.5 FIPS
* Oracle8 Database Release 8.0.6, version 8.0.6.3
* Oracle Developer Suite, versions 6i, 9.0.4.2
* Oracle Enterprise Manager 10g Grid Control, versions 10.1.0.3, 10.1.0.4, 10.2.0.1
* Oracle Application Server 10g Release 2, versions 10.1.2.0.0 - 10.1.2.0.2, 10.1.2.1.0, 10.1.3.0.0
* Oracle Application Server 10g Release 1 (9.0.4), versions 9.0.4.1, 9.0.4.2
* Oracle9i Application Server Release 1, version 1.0.2.2
* Oracle Collaboration Suite 10g Release 1, versions 10.1.1, 10.1.2.0, 10.1.2.1
* Oracle9i Collaboration Suite Release 2, version 9.0.4.2
* Oracle E-Business Suite Release 11i, versions 11.5.1 - 11.5.10 CU2
* Oracle E-Business Suite Release 11.0
* Oracle Pharmaceutical Applications versions 4.5.0 - 4.5.2
* Oracle PeopleSoft Enterprise Tools, versions 8.47GA - 8.47.04
* Oracle PeopleSoft Enterprise Tools, versions 8.46GA - 8.46.12
* Oracle Workflow, versions 11.5.1 through 11.5.9.5
* JD Edwards EnterpriseOne Tools, OneWorld Tools, versions 8.95 - 8.95.J1
Oracle credits the following individuals and organizations with reporting these vulnerabilities:
Esteban Martinez Fayo of Application Security, Inc., Alexander Kornbrust of Red Database Security GmbH, David Litchfield of Next Generation Security Software Ltd., and noderat ratty.
Impact:
The vendor did not specify the impact other than to say that the bugs have a "wide" risk impact on security.
[Editor's note: NGSSoftware has noted that some of the vulnerabilities are "critical" or "high" risk, which in the past has meant that remote execution of arbitrary code is possible.]
Solution:
The vendor has issued a fix, described in their April 2006 Critical Patch Update advisory at:
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html
Vendor URL: www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html
Cause:
Not specified
Underlying OS:
Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 18 Apr 2006 16:27:55 -0400
Subject: Oracle Critical Patch Update - April 2006
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2006.html