Информационная безопасность
[RU] switch to English


Многочисленные уязвимости в Oracle
дополнено с 19 июля 2007 г.
Опубликовано:24 июля 2007 г.
Источник:
SecurityVulns ID:7942
Тип:удаленная
Уровень опасности:
7/10
Описание:Очередной квартальный пакет обновлений: переполнение буфера в DBMS_DRS.GET_PROPERTY, переполнение буфера в MDSYS.MD, межсайтовый скриптинг, повышение привилегий.
Затронутые продукты:ORACLE : Oracle 9i
 ORACLE : Oracle 8i
 ORACLE : Oracle 10g
CVE:CVE-2007-3867 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10CU2 have unknown impact and attack vectors, related to (1) APPS04, (2) APPS05, and (3) APPS06 in (a) Oracle Application Object Library, (4) APPS07 in Oracle Customer Intelligence, (5) APPS08 in Oracle Payments, (7) APPS10 in Oracle Human Resources, and (8) APPS11 in iRecruitment.)
 CVE-2007-3866 (Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10CU2 and 12.0.1 allow remote attackers to have an unknown impact via (a) Oracle Configurator (APPS02), (b) Oracle iExpenses (APPS03), (c) Oracle Application Object Library (APPS09), and (1) APPS12, (2) APPS13, and (3) APPS14 in (d) Oracle Payables.)
 CVE-2007-3865 (Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 12.0.1 has unknown impact and remote attack vectors, aka APPS01.)
 CVE-2007-3855 (Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allows remote authenticated users to have an unknown impact via (1) SYS.DBMS_DRS in the DataGuard component (DB03), (2) SYS.DBMS_STANDARD in the PL/SQL component (DB10), (3) MDSYS.RTREE_IDX in the Spatial component (DB16), and (4) SQL Compiler (DB17). NOTE: a reliable researcher claims that DB17 is for using Views to perform unauthorized insert, update, or delete actions.)
 CVE-2007-0272 (Unspecified vulnerability in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unknown impact and attack vectors related to the Oracle Spatial component and mdsys.md privileges, aka DB05. NOTE: Oracle has not disputed a reliable researcher report that claims this is for multiple buffer overflows and other issues in unspecified public procedures.)
 CVE-2007-0270 (Unspecified vulnerability in Oracle Database 9.2.0.7 and 10.1.0.4 has unknown impact and attack vectors related to the Data Guard and sys.dbms_drs privileges, aka DB03. NOTE: Oracle has not disputed a reliable researcher claim that this is a buffer overflow in the GET_PROPERTY function in SYS.DBMS_DRS, which can be exploited for arbitrary code execution or a denial of service.)
Оригинальный текстdocumentIntegrigy Security Alerts, Oracle E-Business Suite - Multiple Vulnerabilities (24.07.2007)
 documentCERT, US-CERT Technical Cyber Security Alert TA07-200A -- Oracle Releases Patches for Multiple Vulnerabilities (21.07.2007)
 documentSHATTER, Oracle Database Buffer overflow vulnerabilities in procedure DBMS_DRS.GET_PROPERTY (DB03) (19.07.2007)
 documentSHATTER, Oracle Database Buffer overflows and Denial of service vulnerabilities in public procedures of MDSYS.MD (DB12) (19.07.2007)
 documentKornbrust, Alexander, Oracle Security: SQL Injection in APEX CHECK_DB_PASSWORD (19.07.2007)
 documentKornbrust, Alexander, Oracle Security: SQL Injection in package DBMS_PRVTAQIS (19.07.2007)
 documentKornbrust, Alexander, Oracle Security: Insert / Update / Delete Data via Views (19.07.2007)
Файлы:Oracle 9i/10g - evil view exploit (CVE-2007-3855)

О сайте | Условия использования
© SecurityVulns, 3APA3A, Владимир Дубровин
Нижний Новгород