The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

vulnerability note CVE-2009-1007 CVE-2009-1018 CVE-2009-1964

Oracle Database: several vulnerabilities of October 2009

Synthesis of the vulnerability

Several vulnerabilities in Oracle Database are corrected by the CPU (Critical Patch Update) of October 2009.
Vulnerable systems: Oracle DB, SQL*Net.
Severity of this threat: 3/4.
Consequences of an attack: privileged access/rights, user access/rights, data reading, data creation/edition, data deletion, denial of service on service.
Attacker's origin: user account.
Number of vulnerabilities in this bulletin: 16.
Creation date: 21/10/2009.
References for this weakness: BID-36742, BID-36743, BID-36744, BID-36745, BID-36747, BID-36748, BID-36750, BID-36751, BID-36752, BID-36754, BID-36755, BID-36756, BID-36758, BID-36759, BID-36760, cpuoct2009, CVE-2009-1007, CVE-2009-1018, CVE-2009-1964, CVE-2009-1965, CVE-2009-1971, CVE-2009-1972, CVE-2009-1979, CVE-2009-1985, CVE-2009-1991, CVE-2009-1992, CVE-2009-1993, CVE-2009-1994, CVE-2009-1995, CVE-2009-1997, CVE-2009-2000, CVE-2009-2001, DSECRG-09-010, VIGILANCE-VUL-9104.

Description of the vulnerability

The CPU (Critical Patch Update) of October 2009 corrects several vulnerabilities in Oracle Database. Oracle's announcement contains a detailed table, summarized below.

An attacker can use a vulnerability of Core RDBMS, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36742, CVE-2009-1992]

An attacker can use a vulnerability of Network Authentication, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36747, CVE-2009-1979]

An attacker can use a vulnerability of Network Authentication, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36745, CVE-2009-1985]

An attacker can use a vulnerability of Data Mining, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-36750, CVE-2009-1007]

An attacker can use a vulnerability of Oracle Spatial, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-36744, CVE-2009-1994]

An attacker can use a vulnerability of PL/SQL, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36743, CVE-2009-2001]

An attacker can use a vulnerability of Application Express, in order to obtain information, or to alter information. [severity:2/4; BID-36759, CVE-2009-1993]

An attacker can use a vulnerability of Workspace Manager, in order to obtain information, or to alter information. [severity:2/4; CVE-2009-1018]

An attacker can use a vulnerability of Workspace Manager, in order to obtain information, or to alter information. [severity:2/4; BID-36755, CVE-2009-1964]

An attacker can use a vulnerability of Net Foundation Layer, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-36760, CVE-2009-1965]

An attacker can use a vulnerability of Authentication, in order to obtain information. [severity:1/4; BID-36751, CVE-2009-1997]

An attacker can use a vulnerability of Authentication, in order to obtain information. [severity:1/4; BID-36756, CVE-2009-2000]

An attacker can use a vulnerability of Advanced Queuing, in order to obtain information, or to alter information. [severity:2/4; BID-36752, CVE-2009-1995]

An attacker can generate a SQL injection in CTXSYS.DRVXTABC of Oracle Text, in order to obtain information, or to alter information. [severity:2/4; BID-36748, CVE-2009-1991, DSECRG-09-010]

An attacker can use a vulnerability of Data Pump, in order to alter information. [severity:2/4; BID-36754, CVE-2009-1971]

An attacker can use a vulnerability of Auditing, in order to alter information. [severity:2/4; BID-36758, CVE-2009-1972]