Oracle Database: several vulnerabilities of July 2009
Synthesis of the vulnerability
Several vulnerabilities are corrected by the CPU of July 2009.
Impacted products: Oracle DB, Oracle Net Services, SQL*Net.
Severity of this bulletin: 2/4.
Consequences of an intrusion: privileged access/rights, data reading, data creation/edition, denial of service on service.
Hacker's origin: user account.
Number of vulnerabilities in this bulletin: 12.
Creation date: 15/07/2009.
Revision date: 27/07/2009.
References of this threat: BID-35676, BID-35677, BID-35679, BID-35680, BID-35681, BID-35682, BID-35683, BID-35684, BID-35685, BID-35687, BID-35689, BID-35692, cpujul2009, CVE-2009-0987, CVE-2009-1015, CVE-2009-1019, CVE-2009-1020, CVE-2009-1021, CVE-2009-1963, CVE-2009-1966, CVE-2009-1967, CVE-2009-1968, CVE-2009-1969, CVE-2009-1970, CVE-2009-1973, DSECRG-09-025, VIGILANCE-VUL-8865.
Description of the vulnerability
The CPU (Critical Patch Update) of July 2009 corrects several vulnerabilities of Oracle Database. Oracle's announcement contains a detailed table, summarized below.
An attacker can send a TTIPFN packet that writes a zero into the memory of the process, in order to obtain or alter information or create a denial of service via a vulnerability of Network Foundation. [severity:2/4; BID-35684, CVE-2009-1020]
An attacker can send NSPTCN packets to obtain or alter information or create a denial of service via a vulnerability of Network Authentication. [severity:2/4; BID-35680, CVE-2009-1019]
An attacker can use a TTIPFN packet in order to alter information or create a denial of service via a vulnerability of Network Foundation. [severity:1/4; BID-35677, CVE-2009-1963]
An attacker can obtain or alter information via a vulnerability of REPCAT_RPC.VALIDATE_REMOTE_RC of Advanced Replication. [severity:2/4; BID-35685, CVE-2009-1021]
An attacker can obtain or alter information via a SQL injection of Config Management (Oracle Enterprise Manager). [severity:2/4; BID-35676, CVE-2009-1966]
An attacker can obtain or alter information via a SQL injection of Config Management (Oracle Enterprise Manager). [severity:2/4; BID-35692, CVE-2009-1967]
An attacker can obtain or alter information via a vulnerability of Upgrade. [severity:2/4; BID-35679, CVE-2009-0987]
An attacker can obtain or alter information via a vulnerability of Virtual Private Database. [severity:2/4; BID-35687, CVE-2009-1973]
An attacker can send a TNS command in a loop, in order to create a denial of service via a vulnerability of Listener. [severity:2/4; BID-35683, CVE-2009-1970]
An attacker can generate a Cross Site Scripting in the /search/query/search page of Secure Enterprise Search. [severity:2/4; BID-35681, CVE-2009-1968, DSECRG-09-025]
An attacker can alter information via a vulnerability of Core RDBMS. [severity:2/4; BID-35682, CVE-2009-1015]
An attacker can obtain information via a vulnerability of Auditing. [severity:1/4; BID-35689, CVE-2009-1969]