US-CERT Technical Cyber Security Alert TA04-160A -- SQL Injection Vulnerabilities in Oracle E-Business Suite

09/06/04, US-CERT Technical Cyber Security Alert TA04-160A -- SQL Injection Vulnerabilities in Oracle E-Business Suite
From: CERT Advisory <cert-advisory@cert.org>

Generated by MHonArc

CSIM Logo WelcomeCourses
Faculty, Student, Staff
Projects and reports
Conferences, workshop and seminars
Laboratories and reasearch facilities
Information related to CSIM
Information non-related to CSIM
Address, map, phone, etc.
Search

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]


To: cert-advisory@cert.org
Subject: US-CERT Technical Cyber Security Alert TA04-160A -- SQL Injection Vulnerabilities in Oracle E-Business Suite
From: CERT Advisory <cert-advisory@cert.org>
Date: Tue, 8 Jun 2004 14:38:51 -0400
List-archive: <http://www.cert.org/>
List-help: <http://www.cert.org/>, <mailto:Majordomo@cert.org?body=help>
List-owner: <mailto:cert-advisory-owner@cert.org>
List-post: NO (posting not allowed on this list)
List-unsubscribe: <mailto:Majordomo@cert.org?body=unsubscribe%20cert-advisory>
Mail-from: From nobody@cert.org Wed Jun 9 02:29:42 2004
Organization: CERT(R) Coordination Center - +1 412-268-7090

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Technical Cyber Security Alert TA04-160A
     SQL Injection Vulnerabilities in Oracle E-Business Suite

   Original release date: June 8, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Oracle Applications 11.0 (all releases)
     * Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

   A vulnerability in the Oracle's E-Business Suite allows a remote
   attacker to execute arbitrary script on a vulnerable database system.
   Exploitation may lead to compromise of the database application, data
   integrity, or underlying operating system.

I. Description

   Oracle E-Business Suite is a set of applications and modules that
   enables an organization to manage customer interactions, deliver
   services, manufacture products, ship orders, collect payments, and
   other tasks using a single database model.

   According to the Oracle Security Alert 67, Oracle Applications 11.0
   (all releases) and Oracle E-Business Suite Release 11i, 11.5.1 through
   11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
   E-Business Suite Release 11.5.9 and later are not vulnerable. This
   vulnerability is not platform specific. Integrigy Corporation has also
   released an alert about these vulnerabilities.

   Note that no authentication mechanisms of Oracle E-Business Suite will
   mitigate exploitation of the attack.

   US-CERT is tracking this issue as VU#961579.

II. Impact

   An unauthenticated attacker could exploit this vulnerability to
   execute arbitrary SQL statements on the vulnerable system with the
   privileges of the Oracle server process. In addition to compromising
   the integrity of the database information, this may lead to the
   compromise of the database application and the underlying operating
   system.

III. Solution

   Apply Patch or Upgrade

     According to the Oracle Security Alert 67, patches and related
     information are available from:

     http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
     t?p_database_id=NOT&p_id=274375.1

Appendix B. References

     * http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
     * http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
     * http://www.kb.cert.org/vuls/id/961579
  _________________________________________________________________

   US-CERT thanks Stephen Kost of Integrigy Corporation for reporting
   this problem and for information used to construct this advisory.
  _________________________________________________________________

   Feedback can be directed to the author: Jason A. Rafail
  _________________________________________________________________

   The latest version of this document can be found at:
   
     <http://www.us-cert.gov/cas/techalerts/TA04-160A.html>
  _________________________________________________________________
   
   Copyright 2004 Carnegie Mellon University.
     
   Terms of use:
     
     <http://www.us-cert.gov/legal.html>  
  _________________________________________________________________
   
   Revision History

   June 8, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAxgVFXlvNRxAkFWARAiZSAKCsoyCrmSth7nWRX62FPnYZRUXp3QCeI5f+
gOYuIony8dN59HQ+63PUiMw=
=k4uL
-----END PGP SIGNATURE-----



Previous message sorted by date: US-CERT Technical Cyber Security Alert TA04-147A -- CVS Heap Overflow Vulnerability
Next message sorted by date: US-CERT Technical Cyber Security Alert TA04-163A -- Cross-Domain Redirect Vulnerability in Internet Explorer
Previous message sorted by thread: US-CERT Technical Cyber Security Alert TA04-147A -- CVS Heap Overflow Vulnerability
Next message by thread: US-CERT Technical Cyber Security Alert TA04-163A -- Cross-Domain Redirect Vulnerability in Internet Explorer
Main Index
Thread Index

CSIM home pageWMailAccount managementCSIM LibraryNetwork test toolsSearch CSIM directories
Contact us: Olivier Nicole CSIM    SET    AIT Last update: Jun 2004