• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Oracle January Security Update Multiple Vulnerabilities

Severity: CRITICAL

Description:

Various Oracle products -- Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Portal, JD Edwards EnterpriseOne Tools, OneWorld Tools, Oracle Developer Suite, and Oracle Workflow -- are prone to multiple vulnerabilities.

Oracle has released a Critical Patch Update advisory for January 2006 to address these vulnerabilities. This Critical Patch Update addresses the vulnerabilities for supported releases. Earlier, unsupported releases are likely to be affected by the issues as well.

The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Although various levels of authorization are required to leverage some issues, others do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise.

Oracle Database is vulnerable to an access-control-bypass vulnerability. This issue affects the login routines of the TNS protocol used for communications between clients and servers. An attacker with .create session. or lesser privileges may execute SQL statements in the context of the SYS database user.

The TNS authentication routines consist of two requests by the client and two responses by the server. The first client request includes the username; the second request includes an obfuscated password and a list of name-value pairs that describe various attributes of the client. The .AUTH_ALTER_SESSION. value in this list is used to establish session attributes for a client that are based on their locale and language. This is accomplished using an ALTER SESSION SQL statement.

The issue arises because the .AUTH_ALTER_SESSION. value can contain arbitrary SQL statements that are executed in the context of the SYS user. A client can supply malicious SQL statements through authentication routines to completely compromise the database and gain elevated privileges.

The following specific vulnerabilities were also reported:

APPS01 - This issue affects Application Install and requires Local access. "OS (access to log files)" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS02 - This issue affects CRM Technical Foundation and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS03 - This issue affects iProcurement and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS04 - This issue affects Oracle Application Object Library and requires Local access. "OS (access to log files)" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS05 - This issue affects Oracle Application Object Library and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS06 - This issue affects Oracle Application Object Library and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS07 - This issue affects Oracle Applications Framework and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

APPS08 - This issue affects Oracle Applications Technology Stack and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS09 - This issue affects Oracle Applications Technology Stack and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS10 - This issue affects Oracle Applications Technology Stack and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS11 - This issue affects Oracle Applications Technology Stack and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS12 - This issue affects Oracle Human Resources and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS13 - This issue affects Oracle iLearning and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS14 - This issue affects Oracle iLearning and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

APPS15 - This issue affects Oracle Marketing and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

APPS16 - This issue affects Oracle Marketing and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

APPS17 - This issue affects Oracle Marketing Encyclopedia System and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

APPS18 - This issue affects Oracle Trade Management and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

APPS19 - This issue affects Oracle Web Applications Desktop Integration and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

AS01 - This issue affects Portal and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

DB01 - This issue affects Advanced Queuing and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_aqadm_sys or sys.dbms_aqadm_syscalls)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB02 - This issue affects Change Data Capture and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_cdc_utility)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB03 - This issue affects Connection Manager and requires Network access. No authorization is needed for exploitation. A successful attack can compromise Availability.

DB04 - This issue affects Data Pump and requires SQL (Oracle Net) access. "Database (execute on sys.kupw$worker)" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

DB05 - This issue affects Data Pump Metadata API and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_metadata)" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

DB06 - This issue affects Data Pump Metadata API and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_datapump)" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

DB07 - This issue affects Dictionary and requires Local access. "Database and OS (alter session, read permission on database log files)" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

DB08 - This issue affects Net Foundation Layer and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB09 - This issue affects Net Listener and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB10 - This issue affects Net Listener and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB11 - This issue affects Net Listener and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Integrity and Availability.

DB12 - This issue affects Network Communications (RPC) and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB13 - This issue affects Network Communications (RPC) and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB14 - This issue affects Oracle Label Security and requires SQL (Oracle Net) access. "Database (execute on lbacsys.lbac_cache)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB15 - This issue affects Oracle Text and requires SQL (Oracle Net) access. "Database (execute on cxtsys.catsearch)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB16 - This issue affects Oracle Text and requires SQL (Oracle Net) access. "Database (use of a rewrite specification)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB17 - This issue affects Oracle Text and requires SQL (Oracle Net) access. "Database (ability to create a ctxsys index)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB18 - This issue affects Program Interface Network and requires SQL (Oracle Net) access. "Database(no special privileges needed)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB19 - This issue affects Query Optimizer and requires SQL (Oracle Net) access. "Database (execute on sys.outln_pkg)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB20 - This issue affects Query Optimizer and requires SQL (Oracle Net) access. "Database (no special privileges needed)" authorization is needed for exploitation. A successful attack can compromise Availability.

DB21 - This issue affects Security and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_fga.add_policy)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB22 - This issue affects Streams Apply and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_apply_adm_internal)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB23 - This issue affects Streams Capture and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_capture_adm_internal)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB24 - This issue affects Streams Capture and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_capture_process)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB25 - This issue affects Streams Capture and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_cdc_ipublish)" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

DB26 - This issue affects Streams Subcomponent and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_apply_process)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DB27 - This issue affects TDE Wallet and requires Local access. "OS (ability to access the SGA (e.g. via dumpsga))" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

DB28 - This issue affects Upgrade & Downgrade and requires SQL (Oracle Net) access. "Database (execute on sys.dbms_registry)" authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

DB29 - This issue affects XML Database and requires SQL (Oracle Net) access. "Database (execute on xdb.dbms_xmlschema or xdb.dbms_xmlschema_int)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability. This issue is due to a buffer-overflow vulnerability while parsing arguments to 'XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS' or 'XDB.DBMS_XMLSCHEMA_INT.GENERATESCHEMAS' calls. Execute permissions are granted to PUBLIC by default, allowing any database user to exploit this issue.

DBC01 - This issue affects Protocol Support and requires Network (Oracle Net) access. "None (network access to a Listener)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

DBC02 - This issue affects Reorganize Objects & Convert Tablespace and requires Local access. "OS (ability to run nmuct)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

FORM01 - This issue affects Oracle Forms and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

FORM02 - This issue affects Oracle Forms and requires Local and Network(HTTP) access. "OS (ability to upload files to Forms server)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

JDE01 - This issue affects JD Edwards HTML Server and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

JN01 - This issue affects Java Net and requires Network (OID) access. "None (network access to an OID server)" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS01 - This issue affects Email Server and requires Network (EMAIL) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS02 - This issue affects Email Server and requires Network (EMAIL) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS03 - This issue affects Email Server and requires Network (IMAP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Availability.

OCS04 - This issue affects Email Server and requires Network (IMAP/POP) access. No authorization is needed for exploitation. A successful attack can compromise Availability.

OCS05 - This issue affects Email Server and requires Network (SMTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

OCS06 - This issue affects Email Server and requires Network (SMTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

OCS07 - This issue affects Email Server and requires Network (SMTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

OCS08 - This issue affects Email Server and requires Local access. "OS" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS09 - This issue affects Email Server and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS10 - This issue affects Oracle Collaboration Suite Wireless & Voice and requires Local access. "OS" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS11 - This issue affects Oracle Collaboration Suite Wireless & Voice and requires Network (SMS) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS12 - This issue affects Oracle Content Management SDK and requires Network (FTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

OCS13 - This issue affects Oracle Content Management SDK and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Integrity and Availability.

OCS14 - This issue affects Oracle Content Services and requires Network (EMAIL) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OCS15 - This issue affects Oracle Content Services and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

OHS01 - This issue affects Oracle HTTP Server and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

OHS02 - This issue affects Oracle HTTP Server and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Availability.

PSE01 - This issue affects PeopleSoft Enterprise Portal and requires local access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

REP01 - This issue affects Oracle Reports Developer and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Integrity.

REP02 - This issue affects Oracle Reports Developer and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

REP03 - This issue affects Oracle Reports Developer and requires Local and Network(HTTP) access. "OS (ability to upload files to Reports server)" authorization is needed for exploitation. A successful attack can compromise Confidentiality, Integrity, and Availability.

REP04 - This issue affects Oracle Reports Developer and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality.

REP05 - This issue affects Oracle Reports Developer and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

REP06 - This issue affects Oracle Reports Developer and requires Network (HTTP) access. No authorization is needed for exploitation. A successful attack can compromise Confidentiality and Integrity.

WF01 - This issue affects Oracle Workflow Cartridge and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

WF02 - This issue affects Oracle Workflow Cartridge and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

WF03 - This issue affects Oracle Workflow Cartridge and requires Network (HTTP) access. "Valid Session" authorization is needed for exploitation. A successful attack can compromise Confidentiality.

Affected Products:

• HP Oracle for OpenView 8.1.7
• HP Oracle for OpenView 9.1.01
• HP Oracle for OpenView 9.2
• Oracle Application Server 10g 10.1.2
• Oracle Application Server 10g 9.0.4
• Oracle Application Server 10g 9.0.4 .1
• Oracle Application Server 10g 9.0.4 .2
• Oracle Application Server Release 2 10.1.2 .0.0
• Oracle Application Server Release 2 10.1.2 .0.1
• Oracle Application Server Release 2 10.1.2 .0.2
• Oracle Collaboration Suite Release 1 0.0.0
• Oracle Collaboration Suite Release 1 10.1.1
• Oracle Collaboration Suite Release 1 10.1.2
• Oracle Collaboration Suite Release 2 9.0.4 .2
• Oracle Developer Suite 10.1.2
• Oracle Developer Suite 9.0.2 .1
• Oracle Developer Suite 9.0.4 .1
• Oracle Developer Suite 9.0.4 .2
• Oracle E-Business Suite 11i 11.5.1
• Oracle E-Business Suite 11i 11.5.10
• Oracle E-Business Suite 11i 11.5.2
• Oracle E-Business Suite 11i 11.5.3
• Oracle E-Business Suite 11i 11.5.4
• Oracle E-Business Suite 11i 11.5.5
• Oracle E-Business Suite 11i 11.5.6
• Oracle E-Business Suite 11i 11.5.7
• Oracle E-Business Suite 11i 11.5.8
• Oracle E-Business Suite 11i 11.5.9
• Oracle Enterprise Manager Grid Control 10g 10.1.0 .3
• Oracle Enterprise Manager Grid Control 10g 10.1.0 .4
• Oracle JD Edwards EnterpriseOne 8.95.0 _F1
• Oracle JD Edwards EnterpriseOne SP23_L1
• Oracle Oracle 9i Application Server Release 1 1.0.2 .2
• Oracle Oracle10g Application Server 10.1.2
• Oracle Oracle10g Application Server 10.1.2 .0.1
• Oracle Oracle10g Application Server 10.1.2 .0.2
• Oracle Oracle10g Application Server 10.1.2 .1.0
• Oracle Oracle10g Application Server 9.0.4 .1
• Oracle Oracle10g Application Server 9.0.4 .2
• Oracle Oracle10g Enterprise Edition 10.1.0 .0.3
• Oracle Oracle10g Enterprise Edition 10.1.0 .0.4
• Oracle Oracle10g Personal Edition 10.1.0 .0.3
• Oracle Oracle10g Personal Edition 10.1.0 .0.4
• Oracle Oracle10g Standard Edition 10.1.0 .0.3
• Oracle Oracle10g Standard Edition 10.1.0 .0.4
• Oracle Oracle10g Standard Edition 10.1.0 .0.5
• Oracle Oracle10g Standard Edition 10.1.0 .4.2
• Oracle Oracle10g Standard Edition 10.2.0.1
• Oracle Oracle8 8.0.6
• Oracle Oracle8 8.0.6 .3
• Oracle Oracle8 8.1.7.4
• Oracle Oracle8i Enterprise Edition 8.1.7.4
• Oracle Oracle8i Standard Edition 8.0.6
• Oracle Oracle8i Standard Edition 8.0.6.3
• Oracle Oracle8i Standard Edition 8.1.7.4
• Oracle Oracle8i Standard Edition 8.1.7.4
• Oracle Oracle9i Application Server 1.0.2 .2
• Oracle Oracle9i Enterprise Edition 9.0.1 .5 FIPS
• Oracle Oracle9i Enterprise Edition 9.0.1.4
• Oracle Oracle9i Enterprise Edition 9.0.1.5
• Oracle Oracle9i Standard Edition 9.2.0 .6
• Oracle Oracle9i Standard Edition 9.2.0 .7
• Oracle Workflow 11.5.1
• Oracle Workflow 11.5.9 .5
• PeopleSoft Enterprise Portal 8.4.0
• PeopleSoft Enterprise Portal 8.8.0
• PeopleSoft Enterprise Portal 8.9.0

References:

• HP: HPSBMA02094 SSRT061104 rev.1 - HP Oracle for OpenView
• Oracle: Critical Patch Update - January 2006
• Oracle: Oracle Homepage
• Red-Database-Security: Event 10053 logs TDE wallet password in cleartext
• Red-Database-Security: Overwrite any file via desname in Oracle Reports
• Red-Database-Security: Read parts of any XML-file via customize parameter in Oracle Reports
• Red-Database-Security: Read parts of any file via desformat in Oracle Reports
• Red-Database-Security: Transparent Data Encryption stores key unencrypted in the SGA

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.