The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Oracle Net Services

computer vulnerability note CVE-2010-0892 CVE-2010-0900 CVE-2010-0901

Oracle Database: several vulnerabilities of July 2010

Synthesis of the vulnerability

Several vulnerabilities of Oracle Database are corrected by the CPU of July 2010.
Impacted products: Oracle DB, Oracle Net Services, SQL*Net.
Severity: 3/4.
Consequences: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 6.
Creation date: 15/07/2010.
Identifiers: BID-41621, BID-41624, BID-41635, BID-41639, BID-41643, cpujul2010, CVE-2010-0892, CVE-2010-0900, CVE-2010-0901, CVE-2010-0902, CVE-2010-0903, CVE-2010-0911, VIGILANCE-VUL-9759.

Description of the vulnerability

The CPU (Critical Patch Update) of July 2010 corrects several vulnerabilities of Oracle Database. Oracle's announce contains a detailed table, summarized below.

An attacker can use a vulnerability of Listener, in order to create a denial of service. [severity:3/4; BID-41624, CVE-2010-0911]

An attacker can use a vulnerability of Net Foundation Layer, in order to create a denial of service. [severity:3/4; BID-41639, CVE-2010-0903]

An attacker can use a vulnerability of Oracle OLAP, in order to obtain information, to alter information, or to create a denial of service. [severity:3/4; BID-41643, CVE-2010-0902]

An attacker can use a vulnerability of Application Express, in order to alter information. [severity:2/4; BID-41621, CVE-2010-0892]

An attacker can use a vulnerability of Network Layer, in order to create a denial of service. [severity:1/4; CVE-2010-0900]

An attacker can use a vulnerability of Export, in order to obtain information. [severity:1/4; BID-41635, CVE-2010-0901]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2009-0987 CVE-2009-1015 CVE-2009-1019

Oracle Database: several vulnerabilities of July 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of July 2009.
Impacted products: Oracle DB, Oracle Net Services, SQL*Net.
Severity: 2/4.
Consequences: privileged access/rights, data reading, data creation/edition, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 12.
Creation date: 15/07/2009.
Revision date: 27/07/2009.
Identifiers: BID-35676, BID-35677, BID-35679, BID-35680, BID-35681, BID-35682, BID-35683, BID-35684, BID-35685, BID-35687, BID-35689, BID-35692, cpujul2009, CVE-2009-0987, CVE-2009-1015, CVE-2009-1019, CVE-2009-1020, CVE-2009-1021, CVE-2009-1963, CVE-2009-1966, CVE-2009-1967, CVE-2009-1968, CVE-2009-1969, CVE-2009-1970, CVE-2009-1973, DSECRG-09-025, VIGILANCE-VUL-8865.

Description of the vulnerability

The CPU (Critical Patch Update) of July 2009 corrects several vulnerabilities of Oracle Database. Oracle's announce contains a detailed table, summarized below.

An attacker can send a TTIPFN packet in order to write a zero in the memory of the process, in order to obtain or alter information or create a denial of service via a vulnerability of Network Foundation. [severity:2/4; BID-35684, CVE-2009-1020]

An attacker can send NSPTCN packets to obtain or alter information or create a denial of service via a vulnerability of Network Authentication. [severity:2/4; BID-35680, CVE-2009-1019]

An attacker can use a TTIPFN packet in order to alter information or create a denial of service via a vulnerability of Network Foundation. [severity:1/4; BID-35677, CVE-2009-1963]

An attacker can obtain or alter information via a vulnerability of REPCAT_RPC.VALIDATE_REMOTE_RC of Advanced Replication. [severity:2/4; BID-35685, CVE-2009-1021]

An attacker can obtain or alter information via a SQL injection of Config Management (Oracle Enterprise Manager. [severity:2/4; BID-35676, CVE-2009-1966]

An attacker can obtain or alter information via a SQL injection of Config Management (Oracle Enterprise Manager). [severity:2/4; BID-35692, CVE-2009-1967]

An attacker can obtain or alter information via a vulnerability of Upgrade. [severity:2/4; BID-35679, CVE-2009-0987]

An attacker can obtain or alter information via a vulnerability of Virtual Private Database. [severity:2/4; BID-35687, CVE-2009-1973]

An attacker can send a TNS command in a loop, in order to create a denial of service via a vulnerability of Listener. [severity:2/4; BID-35683, CVE-2009-1970]

An attacker can generate a Cross Site Scripting in the /search/query/search page of Secure Enterprise Search. [severity:2/4; BID-35681, CVE-2009-1968, DSECRG-09-025]

An attacker can alter information via a vulnerability of Core RDBMS. [severity:2/4; BID-35682, CVE-2009-1015]

An attacker can obtain information via a vulnerability of Auditing. [severity:1/4; BID-35689, CVE-2009-1969]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability CVE-2009-0972 CVE-2009-0973 CVE-2009-0975

Oracle Database: several vulnerabilities of April 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of April 2009.
Impacted products: Oracle DB, Oracle Net Services, SQL*Net.
Severity: 2/4.
Consequences: user access/rights, data reading, data creation/edition, denial of service on service.
Provenance: user account.
Number of vulnerabilities in this bulletin: 16.
Creation date: 15/04/2009.
Revision date: 21/04/2009.
Identifiers: CERTA-2009-AVI-154, CPUapr2009, CVE-2009-0972, CVE-2009-0973, CVE-2009-0975, CVE-2009-0976, CVE-2009-0977, CVE-2009-0978, CVE-2009-0979, CVE-2009-0980, CVE-2009-0981, CVE-2009-0984, CVE-2009-0985, CVE-2009-0986, CVE-2009-0988, CVE-2009-0991, CVE-2009-0992, CVE-2009-0997, VIGILANCE-VUL-8635.

Description of the vulnerability

The CPU (Critical Patch Update) of April 2009 corrects several vulnerabilities of Oracle Database. Oracle's announce contains a detailed table, summarized below.

An attacker can generate a buffer overflow by using a long "plan" name in ALTER SYSTEM SET RESOURCE_MANAGER_PLAN or in SYS.DBMS_RESOURCE_MANAGER.SWITCH_PLAN (Resource Manager). [severity:2/4; CVE-2009-0979]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Core RDBMS. [severity:2/4; CVE-2009-0985]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Workspace Manager. [severity:2/4; CERTA-2009-AVI-154, CVE-2009-0972]

An attacker can inject SQL in the GRANT_TYPE_ACCESS procedure of the DBMS_AQADM_SYS package of Advanced Queuing. [severity:2/4; CVE-2009-0977]

An attacker can inject SQL in the DEQ_EXEJOB procedure of the DBMS_AQIN package of Advanced Queuing. [severity:2/4; CVE-2009-0992]

An attacker can obtain or alter information via a vulnerability of Database Vault. [severity:2/4; CVE-2009-0984]

An attacker can alter information or create a denial of service via a vulnerability of SQLX Functions. [severity:2/4; CVE-2009-0980]

An attacker can obtain or alter information via a vulnerability of Workspace Manager. [severity:2/4; CVE-2009-0975]

An attacker can obtain or alter information via a vulnerability of Workspace Manager. [severity:2/4; CVE-2009-0976]

An attacker can obtain or alter information via a SQL injection in LT.ROLLBACKWORKSPACE of Workspace Manager. [severity:2/4; CVE-2009-0978]

An attacker can obtain or alter information or create a denial of service via a vulnerability of Workspace Manager. [severity:2/4; CVE-2009-0986]

An attacker can create a denial of service via a vulnerability of Cluster Ready Services. [severity:2/4; CVE-2009-0973]

An attacker can create a denial of service via a vulnerability of Listener. [severity:2/4; CVE-2009-0991]

An attacker can obtain APEX password hashes. [severity:2/4; CVE-2009-0981]

An attacker can obtain or alter information via a vulnerability of Database Vault. [severity:2/4; CVE-2009-0997]

An attacker can obtain or alter information via a vulnerability of Password Policy. [severity:2/4; CVE-2009-0988]
Full Vigil@nce bulletin... (Free trial)

computer vulnerability alert CVE-2008-3973 CVE-2008-3974 CVE-2008-3978

Oracle Database: several vulnerabilities of January 2009

Synthesis of the vulnerability

Several vulnerabilities are corrected by the CPU of January 2009.
Impacted products: Oracle DB, Oracle Net Services, SQL*Net.
Severity: 2/4.
Consequences: privileged access/rights, data reading, data creation/edition.
Provenance: user shell.
Number of vulnerabilities in this bulletin: 11.
Creation date: 14/01/2009.
Revisions dates: 15/01/2009, 04/02/2009.
Identifiers: cpujan2009, CVE-2008-3973, CVE-2008-3974, CVE-2008-3978, CVE-2008-3979, CVE-2008-3997, CVE-2008-3999, CVE-2008-4015, CVE-2008-5436, CVE-2008-5437, CVE-2008-5439, NISR13012009, VIGILANCE-VUL-8386, ZDI-09-003, ZDI-09-004.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2009 corrects several vulnerabilities of Oracle Database. Oracle's announce contains a detailed table, summarized below.

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on DBMS_IJOB) can obtain or alter information via a vulnerability of Job Queue. [severity:2/4; CVE-2008-5437]

An attacker (via Oracle Net, authenticated, with the Create Session privilege) can alter information or create a denial of service via a vulnerability of Oracle OLAP. [severity:2/4; CVE-2008-5436]

An attacker (via Oracle Net, authenticated, with the Create Session privilege) can obtain or alter information via a vulnerability of Oracle Spatial. [severity:2/4; CVE-2008-3978]

An attacker (via Oracle Net, authenticated, with the Create Session privilege) can obtain privileges of the MDSYS user via MDSYS.SDO_TOPO_DROP_FTBL of Oracle Spatial. [severity:2/4; CVE-2008-3979, NISR13012009]

An attacker (via Oracle Net, authenticated, with the Execute on SYS.DBMS_STREAMS_AUTH privilege) can obtain or alter information via a vulnerability of Oracle Streams. [severity:2/4; CVE-2008-4015]

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.OLAPIMPL_T) can generate a buffer overflow in the SYS.OLAPIMPL_T.ODCITABLESTART procedure, in order to create a denial of service or to execute code. [severity:2/4; CVE-2008-3974]

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.DBMS_XSOQ_ODBO) can aller a file via a vulnerability of Summary Advisor (Oracle OLAP). [severity:2/4; CVE-2008-3997]

An attacker (via Oracle Net, authenticated, with the EXECUTE privilege on SYS.OLAPIMPL_T) can create a denial of service via a vulnerability of Oracle OLAP. [severity:2/4; CVE-2008-3999]

An attacker (local, authenticated) can obtain information via a vulnerability of SQL*Plus Windows GUI. [severity:2/4; CVE-2008-5439]

An attacker (local, authenticated) can obtain information via a vulnerability of SQL*Plus Windows GUI. [severity:1/4; CVE-2008-3973]

Other vulnerabilities impact Oracle Secure Backup, Oracle Forms, Oracle EBusiness Suite and Oracle TimesTen. [severity:1/4; ZDI-09-003, ZDI-09-004]
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.