• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: Oracle April 2006 Security Update Multiple Vulnerabilities

Severity: CRITICAL

Description:

Various Oracle applications including Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, Oracle Pharmaceutical Applications, Oracle PeopleSoft Enterprise, and JD Edwards EnterpriseOne are affected by multiple vulnerabilities.

Oracle has released a Critical Patch Update advisory for April 2006 to address these vulnerabilities. This Critical Patch Update addresses the vulnerabilities for supported releases. Earlier unsupported releases are likely to be affected by the issues as well.

The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise.

DB01, DB02, DB05, DB09, DB10, DB11, DB12, and PLSQL01 are identified as SQL-injection vulnerabilities. PUBLIC privileges are granted to the issues described in DB01, DB05.

DB03 is identified as a buffer-overflow vulnerability in the 'VERIFY_LOG' procedure in the 'DBMS_SNAPSHOT_UTL' package. This issue requires successful authentication to the database, but PUBLIC privileges are granted to the procedure by default, allowing all valid users access to the vulnerable procedure. Attackers may exploit this issue to execute arbitrary machine code in the context of the affected database server. Failed exploit attempts likely result in crashing the database server.

DB04 requires the ability to create constraints.

DB06 is identified as multiple SQL-injection vulnerabilities in the 'SYS.DBMS_LOGMNR_SESSION' package, in the 'DELETE_FROM_TABLE' function.

DB07 requires local access to the database server.

Further specific details regarding these vulnerabilities are not currently available.

This record will be updated and split into individual BIDs for each issue as further information is disclosed.

Affected Products:

• HP HP-UX 11.11.0
• HP HP-UX 11.23.0
• HP HP-UX B.11.11
• HP HP-UX B.11.11
• HP HP-UX B.11.23
• Oracle Collaboration Suite Release 1 10.1.1
• Oracle Collaboration Suite Release 1 10.1.2
• Oracle Collaboration Suite Release 1 10.1.2 .1
• Oracle Collaboration Suite Release 2 9.0.4 .2
• Oracle Developer Suite 9.0.4 .2
• Oracle E-Business Suite 11.0.0
• Oracle E-Business Suite 11i 11.5.1
• Oracle E-Business Suite 11i 11.5.10
• Oracle E-Business Suite 11i 11.5.10 CU2
• Oracle E-Business Suite 11i 11.5.2
• Oracle E-Business Suite 11i 11.5.3
• Oracle E-Business Suite 11i 11.5.4
• Oracle E-Business Suite 11i 11.5.5
• Oracle E-Business Suite 11i 11.5.6
• Oracle E-Business Suite 11i 11.5.7
• Oracle E-Business Suite 11i 11.5.8
• Oracle E-Business Suite 11i 11.5.9
• Oracle Enterprise Manager Grid Control 10g 10.1.0 .3
• Oracle Enterprise Manager Grid Control 10g 10.1.0 .4
• Oracle Enterprise Manager Grid Control 10g 10.2.0 .1
• Oracle JD Edwards EnterpriseOne 8.95
• Oracle JD Edwards EnterpriseOne 8.95.0 _B1
• Oracle JD Edwards EnterpriseOne 8.95.0 _F1
• Oracle JD Edwards EnterpriseOne 8.95.J1
• Oracle Oracle 9i Application Server Release 1 1.0.2 .2
• Oracle Oracle10g Application Server 10.1.2
• Oracle Oracle10g Application Server 10.1.2 .0.1
• Oracle Oracle10g Application Server 10.1.2 .0.2
• Oracle Oracle10g Application Server 10.1.2 .1.0
• Oracle Oracle10g Application Server 10.1.3 .0.0
• Oracle Oracle10g Application Server 9.0.4 .1
• Oracle Oracle10g Application Server 9.0.4 .2
• Oracle Oracle10g Enterprise Edition 10.1.0 .0.3
• Oracle Oracle10g Enterprise Edition 10.2.0 .1
• Oracle Oracle10g Enterprise Edition 10.2.0 .2
• Oracle Oracle10g Personal Edition 10.1.0 .0.3
• Oracle Oracle10g Personal Edition 10.2.0 .1
• Oracle Oracle10g Personal Edition 10.2.0 .2
• Oracle Oracle10g Standard Edition 10.1.0 .0.3
• Oracle Oracle10g Standard Edition 10.1.0 .4.2
• Oracle Oracle10g Standard Edition 10.2.0 .2
• Oracle Oracle10g Standard Edition 10.2.0.1
• Oracle Oracle8 8.0.6
• Oracle Oracle8 8.0.6 .3
• Oracle Oracle8i Enterprise Edition 8.1.7.4
• Oracle Oracle8i Standard Edition 8.1.7.4
• Oracle Oracle9i Enterprise Edition 9.0.1 .5 FIPS
• Oracle Oracle9i Enterprise Edition 9.0.1.4
• Oracle Oracle9i Enterprise Edition 9.0.1.5
• Oracle Oracle9i Enterprise Edition 9.2.0 .0.5
• Oracle Oracle9i Enterprise Edition 9.2.0 .6
• Oracle Oracle9i Enterprise Edition 9.2.0 .7
• Oracle Oracle9i Personal Edition 9.2.0 .0.5
• Oracle Oracle9i Personal Edition 9.2.0 .6
• Oracle Oracle9i Personal Edition 9.2.0 .7
• Oracle Oracle9i Standard Edition 9.2.0 .0.5
• Oracle Oracle9i Standard Edition 9.2.0 .6
• Oracle Oracle9i Standard Edition 9.2.0 .7
• Oracle PeopleSoft Enterprise Tools 8.46 GA
• Oracle PeopleSoft Enterprise Tools 8.46.12
• Oracle PeopleSoft Enterprise Tools 8.47 GA
• Oracle PeopleSoft Enterprise Tools 8.47.01
• Oracle PeopleSoft Enterprise Tools 8.47.02
• Oracle PeopleSoft Enterprise Tools 8.47.03
• Oracle PeopleSoft Enterprise Tools 8.47.04
• Oracle Pharmaceutical Applications 4.5.0
• Oracle Pharmaceutical Applications 4.5.1
• Oracle Pharmaceutical Applications 4.5.2
• Oracle Workflow 11.5.1
• Oracle Workflow 11.5.9 .5

References:

• Oracle: Oracle Critical Patch Update - April 2006
• Oracle: Oracle Homepage
• Oracle: Oracle Support Page
• Oracle: Oracle Technology Network - Security
• Red-Database Security: Details Oracle Critical Patch Update April 2006

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.