SecurityTracker.com
Category:   Application (Database)  >   Oracle Database
Vendors:   Oracle
Oracle Database Bugs Let Remote Authenticated Users Take Full Control of the Database or System and Remote Users Cause Denial of Service Conditions
SecurityTracker Alert ID:  1022560
SecurityTracker URL:  http://securitytracker.com/id/1022560
CVE Reference:   CVE-2009-0987, CVE-2009-1015, CVE-2009-1019, CVE-2009-1020, CVE-2009-1021, CVE-2009-1963, CVE-2009-1966, CVE-2009-1967, CVE-2009-1968, CVE-2009-1969, CVE-2009-1970, CVE-2009-1973
Date:  Jul 15 2009
Impact:   Denial of service via network, Disclosure of user information, Execution of arbitrary code via network, Modification of user information, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 9.2.0.8, 10.1.0.5, 10.2.0.4, 11.1.0.7; and prior versions
Description:   Several vulnerabilities were reported in Oracle Database. A remote authenticated user can take full control of the target system. A remote user can take full control of the target database. A remote user can cause denial of service conditions.

A remote authenticated user can exploit an unspecified vulnerability to fully affect the confidentiality and integrity of the target system [CVE-2009-1020] on Windows-based systems. On Linux- and UNIX-based systems, only the database layer is affected.

A remote user can affect the confidentiality and integrity of the database on the target system [CVE-2009-1019].

A remote authenticated user can fully affect the availability of the target database [CVE-2009-1963]. Only Database Server 11.1.0.6 is affected by this flaw.

A remote authenticated user can partially affect the confidentiality and integrity of the target database.

A remote user can partially affect the availability of the target system.

No additional details were provided.

The following versions are affected:

- Oracle Database 11g, versions 11.1.0.6, 11.1.0.7
- Oracle Database 10g Release 2, versions 10.2.0.3, 10.2.0.4
- Oracle Database 10g, version 10.1.0.5
- Oracle Database 9i Release 2, versions 9.2.0.8, 9.2.0.8DV

The Network Foundation [CVE-2009-1020, CVE-2009-1963], Network Authentication [CVE-2009-1019], Advanced Replication [CVE-2009-1021], Config Management [CVE-2009-1966, CVE-2009-1967], Upgrade [CVE-2009-0987], Virtual Private Database [CVE-2009-1973], Listener [CVE-2009-1970], Secure Enterprise Search [CVE-2009-1968], Core RDBMS [CVE-2009-1015], and Auditing [CVE-2009-1969] components are affected.

The following researchers reported these and other Oracle vulnerabilities:

Anonymous of TippingPoint (3com); Esteban Martinez Fayo of Application Security, Inc.; Kowsik Guruswamy of Mu Security; Joxean Koret; Alexander Kornbrust of Red Database Security; David Litchfield of NGS Software; Oleg P. of HSC Security Portal; Alexandr Polyakov of Digital Security; noderat ratty; and Dennis Yurichev.

Impact:   A remote authenticated user can affect the confidentiality and integrity of the target system.

A remote user can affect the confidentiality and integrity of the target database.

A remote authenticated user can affect the availability of the target database.

A remote authenticated user can partially affect the confidentiality and integrity of the target database.

A remote user can partially affect the availability of the target system.

Solution:   The vendor has issued a fix, described in their July 2009 Critical Patch Update advisory.

The Oracle advisory is available at:

http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html

Vendor URL:  www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2009.html
Cause:   Not specified
Underlying OS:  Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (2003), Windows (XP)

Message History:   None.


Copyright 2019, SecurityGlobal.net LLC