Computer vulnerability note: CVE-2009-1996, CVE-2009-3410, CVE-2009-3411

Oracle Database: several vulnerabilities of January 2010

Synthesis of the vulnerability

The CPU (Critical Patch Update) of January 2010 corrects several vulnerabilities in Oracle Database.
Impacted products: Oracle DB, SQL*Net.
Severity of this bulletin: 2/4.
Consequences of an intrusion: privileged access/rights, data reading, data creation/edition, denial of service on service.
Attacker's origin: user account.
Number of vulnerabilities in this bulletin: 9.
Creation date: 13/01/2010.
References of this threat: BID-37728, BID-37729, BID-37730, BID-37731, BID-37738, BID-37740, BID-37743, BID-37746, CERTA-2010-AVI-010, cpujan2010, CVE-2009-1996, CVE-2009-3410, CVE-2009-3411, CVE-2009-3412, CVE-2009-3413, CVE-2009-3414, CVE-2009-3415, CVE-2010-0071, CVE-2010-0076, VIGILANCE-VUL-9339.

Description of the vulnerability

The CPU (Critical Patch Update) of January 2010 corrects several vulnerabilities in Oracle Database. Oracle's announcement contains a detailed table, summarized below.

An attacker can generate a buffer overflow in the nsglvcrt() function of the Listener, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-37728, CVE-2010-0071]

An attacker can use a vulnerability of Oracle OLAP, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-37729, CVE-2009-3415]

An attacker can use a vulnerability of Application Express Application Builder, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; CVE-2010-0076]

An attacker can use a vulnerability of Oracle Data Pump, in order to obtain information or to alter information. [severity:2/4; BID-37743, CVE-2009-3411]

An attacker can use a vulnerability of Oracle Spatial, in order to obtain information or to alter information. [severity:2/4; BID-37730, CVE-2009-3414]

An attacker can use a vulnerability of Logical Standby, in order to alter information. [severity:2/4; BID-37740, CERTA-2010-AVI-010, CVE-2009-1996]

An attacker can use a vulnerability of RDBMS, in order to obtain information or to alter information. [severity:2/4; BID-37746, CVE-2009-3410]

An attacker can use a vulnerability of Oracle Spatial, in order to obtain information or to alter information. [severity:2/4; BID-37738, CVE-2009-3413]

An attacker can use a vulnerability of Unzip, in order to obtain information. [severity:1/4; BID-37731, CVE-2009-3412]