SecurityTracker.com
SecurityTracker Archives

Category:   Application (Database)  >   Oracle Database
Vendors:   Oracle
Oracle Database Multiple Flaws Let Remote Authenticated Users Gain Full Control, Access and Modify Data, and Deny Service
SecurityTracker Alert ID:  1032118
SecurityTracker URL:  http://securitytracker.com/id/1032118
CVE Reference:   CVE-2015-0455, CVE-2015-0457, CVE-2015-0479, CVE-2015-0483
Date:  Apr 14 2015
Impact:   Denial of service via network, Disclosure of system information, Disclosure of user information, Execution of arbitrary code via network, Modification of system information, Modification of user information, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2
Description:   Multiple vulnerabilities were reported in Oracle Database. A remote authenticated user can gain full control of the target system. A remote authenticated user can cause denial of service conditions on the target system. A remote authenticated user can access and modify data on the target system.

A remote authenticated user with Create Session privileges can exploit a flaw in the Java VM component to gain full control of the target system [CVE-2015-0457].

A remote authenticated user can exploit a flaw in the XDB - XML Database component to access data [CVE-2015-0455].

A remote authenticated user with Create Session privileges can exploit a flaw in the Core RDBMS component to partially modify data [CVE-2015-0483].

A remote authenticated user with Create Session privileges can exploit a flaw in the XDK and XDB - XML Database component to cause partial denial of service conditions [CVE-2015-0479].

The following researchers reported these and other Oracle product vulnerabilities:

An Anonymous Reporter working at HTL Leonding; Brandon Vincent; Christopher E. Walter; Daniel Ekberg of Swedish Public Employment Service; David Litchfield of Datacom TSS; Dmitry Janushkevich of Secunia Research; Florian Weimer of Red Hat;
Francis Provencher of Protek Research Lab; Jihui Lu of KeenTeam; Lupin LanYuShi; Mark Litchfield of Securatary; Markus Millbourn of Digifort; Martin Carpenter of Citco; Mateusz Jurczyk of Google Project Zero; Michael Miller of Integrigy;
Moshe Zioni of Comsec Consulting; Ofer Maor formerly of Hacktics; Paul M. Wright; Robbe De Keyzer of The Security Factory; Roberto Soares of Conviso Application Security; Sajith Shetty; Sasha Raljic; Shai Rod of Avnet Information Security;
Steven Seeley of HP's Zero Day Initiative; Tudor Enache of Help AG; Vishal V. Sonar of Control Case International Pvt Ltd.; and Wouter Coekaerts.

Impact:   A remote authenticated user can gain full control of the target system.

A remote authenticated user can cause denial of service conditions on the target system.

A remote authenticated user can access and modify data on the target system.

Solution:   The vendor has issued a fix as part of Oracle Critical Patch Update Advisory - April 2015.

The vendor's advisory is available at:

http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
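To confirm whether an instance in the affected version list has received the April 2015 Critical Patch Update, the following queries read the standard version and patch-registry views. They are added here as an example and are not part of the SecurityTracker alert or of Oracle's advisory. The view and column names (V$VERSION, DBA_REGISTRY_SQLPATCH, DBA_REGISTRY_HISTORY, DBA_SYS_PRIVS) are standard Oracle data-dictionary objects; the specific patch numbers to look for are not on this page and must be taken from Oracle's advisory.

```sql
-- Added example: check release and applied patches on an Oracle Database.
-- Run as a DBA user. Not part of the SecurityTracker alert or Oracle's advisory.

-- 1. Which release is this instance running? Compare against the alert's
--    affected list: 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2.
SELECT banner FROM v$version;

-- 2. Oracle Database 12c records SQL-level patch actions in DBA_REGISTRY_SQLPATCH.
--    Look for a successfully applied entry matching the April 2015 PSU/CPU
--    patch number given in Oracle's advisory (number not on this page).
SELECT patch_id, action, status, action_time, description
  FROM dba_registry_sqlpatch
 WHERE status = 'SUCCESS'
 ORDER BY action_time DESC;

-- 3. Oracle Database 11g records patch actions in DBA_REGISTRY_HISTORY.
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 4. Three of the four issues require only CREATE SESSION. Listing the
--    grantees (users and roles) that hold it scopes the population that can
--    reach the flaws until the patch is applied.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege = 'CREATE SESSION'
 ORDER BY grantee;
```

If the 12c query returns no successful entry for the April 2015 patch, or the 11g history shows no CPU/PSU action after the advisory date, treat the instance as unpatched against all four CVEs listed above.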

Vendor URL:  www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (2003), Windows (2008), Windows (2012)

Message History:   None.


Source Message Contents

[Original Message Not Available for Viewing]


Copyright 2019, SecurityGlobal.net LLC