The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Oracle Database: several vulnerabilities of October 2009

Synthesis of the vulnerability 

Several vulnerabilities of Oracle Database are corrected by the CPU of October 2009.
Vulnerable systems: Oracle DB, SQL*Net.
Severity of this threat: 3/4.
Number of vulnerabilities in this bulletin: 16.
Creation date: 21/10/2009.
References for this weakness: BID-36742, BID-36743, BID-36744, BID-36745, BID-36747, BID-36748, BID-36750, BID-36751, BID-36752, BID-36754, BID-36755, BID-36756, BID-36758, BID-36759, BID-36760, cpuoct2009, CVE-2009-1007, CVE-2009-1018, CVE-2009-1964, CVE-2009-1965, CVE-2009-1971, CVE-2009-1972, CVE-2009-1979, CVE-2009-1985, CVE-2009-1991, CVE-2009-1992, CVE-2009-1993, CVE-2009-1994, CVE-2009-1995, CVE-2009-1997, CVE-2009-2000, CVE-2009-2001, DSECRG-09-010, VIGILANCE-VUL-9104.

Description of the vulnerability 

The CPU (Critical Patch Update) of October 2009 corrects several vulnerabilities of Oracle Database. Oracle's announcement contains a detailed table, summarized below.

An attacker can use a vulnerability of Core RDBMS, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36742, CVE-2009-1992]

An attacker can use a vulnerability of Network Authentication, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36747, CVE-2009-1979]

An attacker can use a vulnerability of Network Authentication, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36745, CVE-2009-1985]

An attacker can use a vulnerability of Data Mining, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-36750, CVE-2009-1007]

An attacker can use a vulnerability of Oracle Spatial, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-36744, CVE-2009-1994]

An attacker can use a vulnerability of PL/SQL, in order to obtain information, to alter information, or to generate a denial of service. [severity:3/4; BID-36743, CVE-2009-2001]

An attacker can use a vulnerability of Application Express, in order to obtain information, or to alter information. [severity:2/4; BID-36759, CVE-2009-1993]

An attacker can use a vulnerability of Workspace Manager, in order to obtain information, or to alter information. [severity:2/4; CVE-2009-1018]

An attacker can use a vulnerability of Workspace Manager, in order to obtain information, or to alter information. [severity:2/4; BID-36755, CVE-2009-1964]

An attacker can use a vulnerability of Net Foundation Layer, in order to obtain information, to alter information, or to generate a denial of service. [severity:2/4; BID-36760, CVE-2009-1965]

An attacker can use a vulnerability of Authentication, in order to obtain information. [severity:1/4; BID-36751, CVE-2009-1997]

An attacker can use a vulnerability of Authentication, in order to obtain information. [severity:1/4; BID-36756, CVE-2009-2000]

An attacker can use a vulnerability of Advanced Queuing, in order to obtain information, or to alter information. [severity:2/4; BID-36752, CVE-2009-1995]

An attacker can generate a SQL injection in CTXSYS.DRVXTABC of Oracle Text, in order to obtain information, or to alter information. [severity:2/4; BID-36748, CVE-2009-1991, DSECRG-09-010]

An attacker can use a vulnerability of Data Pump, in order to alter information. [severity:2/4; BID-36754, CVE-2009-1971]

An attacker can use a vulnerability of Auditing, in order to alter information. [severity:2/4; BID-36758, CVE-2009-1972]

This cybersecurity weakness impacts software or systems such as Oracle DB, SQL*Net.

Our Vigil@nce team determined that the severity of this security vulnerability is important.

The trust level is "confirmed by the editor", and the origin of the attack is "user account".

This bulletin is about 16 vulnerabilities.

A proof of concept or an attack tool is available, so your teams have to process this alert. An attacker with beginner-level ability can exploit the vulnerabilities in this bulletin.

Solutions for this threat 

Oracle Database: CPU of October 2009.
The October 2009 CPU corrects these vulnerabilities:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=881382.1#DBAVAIL
