Oracle April 2006 Security Update Multiple Vulnerabilities
BID:17590
Info
| Bugtraq ID: | 17590 |
| Class: | Unknown |
| CVE: | CVE-2006-1867, CVE-2006-1870, CVE-2006-1872, CVE-2006-1869, CVE-2006-1875, CVE-2006-1877, CVE-2006-1883, CVE-2006-1880, CVE-2006-1882, CVE-2006-1885, CVE-2006-1887, CVE-2006-1884, CVE-2006-1873, CVE-2006-1876, CVE-2006-1881, CVE-2006-1874, CVE-2006-1866, CVE-2006-1886, CVE-2006-1879, CVE-2006-1868, CVE-2006-1871 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 18 2006 12:00AM |
| Updated: | Jun 26 2007 11:38PM |
| Credit: | Oracle credits Esteban Martinez Fayo of Application Security, Inc.; Alexander Kornbrust of Red Database Security GmbH; David Litchfield of Next Generation Security Software Ltd.; and noderat ratty. |
| Vulnerable: | Oracle Workflow 11.5.9 .5; Oracle Workflow 11.5.1; Oracle Pharmaceutical Applications 4.5.2; Oracle Pharmaceutical Applications 4.5.1; Oracle Pharmaceutical Applications 4.5; Oracle PeopleSoft Enterprise Tools 8.47.4; Oracle PeopleSoft Enterprise Tools 8.47.3; Oracle PeopleSoft Enterprise Tools 8.47.2; Oracle PeopleSoft Enterprise Tools 8.47.1; Oracle PeopleSoft Enterprise Tools 8.46.12; Oracle PeopleSoft Enterprise Tools 8.47 GA; Oracle PeopleSoft Enterprise Tools 8.46 GA; Oracle Oracle9i Standard Edition 9.2 .7; Oracle Oracle9i Standard Edition 9.2 .6; Oracle Oracle9i Standard Edition 9.2 .0.5; Oracle Oracle9i Personal Edition 9.2 .7; Oracle Oracle9i Personal Edition 9.2 .6; Oracle Oracle9i Personal Edition 9.2 .0.5; Oracle Oracle9i Enterprise Edition 9.2 .7.0; Oracle Oracle9i Enterprise Edition 9.2 .6.0; Oracle Oracle9i Enterprise Edition 9.2 .0.5; Oracle Oracle9i Enterprise Edition 9.0.1 .5 FIPS; Oracle Oracle9i Enterprise Edition 9.0.1 .5; Oracle Oracle9i Enterprise Edition 9.0.1 .4; Oracle Oracle8i Standard Edition 8.1.7 .4; Oracle Oracle8i Enterprise Edition 8.1.7 .4.0; Oracle Oracle8 8.0.6 .3; Oracle Oracle8 8.0.6; Oracle Oracle10g Standard Edition 10.2 .2; Oracle Oracle10g Standard Edition 10.2 .1; Oracle Oracle10g Standard Edition 10.1 .4.2; Oracle Oracle10g Standard Edition 10.1 .0.3; Oracle Oracle10g Personal Edition 10.2 .2; Oracle Oracle10g Personal Edition 10.2 .1; Oracle Oracle10g Personal Edition 10.1 .0.3; Oracle Oracle10g Enterprise Edition 10.2 .2; Oracle Oracle10g Enterprise Edition 10.2 .1; Oracle Oracle10g Enterprise Edition 10.1 .0.3; Oracle Oracle10g Application Server 10.1.3 .0.0; Oracle Oracle10g Application Server 10.1.2 .1.0; Oracle Oracle10g Application Server 10.1.2 .0.2; Oracle Oracle10g Application Server 10.1.2 .0.1; Oracle Oracle10g Application Server 10.1.2; Oracle Oracle10g Application Server 9.0.4 .2; Oracle Oracle10g Application Server 9.0.4 .1; Oracle Oracle 9i Application Server Release 1 1.0.2 .2; Oracle JD Edwards EnterpriseOne 8.95 _F1; Oracle JD Edwards EnterpriseOne 8.95 _B1; Oracle JD Edwards EnterpriseOne 8.95.J1; Oracle JD Edwards EnterpriseOne 8.95; Oracle Enterprise Manager Grid Control 10g 10.2 .1; Oracle Enterprise Manager Grid Control 10g 10.1 .4; Oracle Enterprise Manager Grid Control 10g 10.1 .3; Oracle E-Business Suite 11i 11.5.10 CU2; Oracle E-Business Suite 11i 11.5.10; Oracle E-Business Suite 11i 11.5.9; Oracle E-Business Suite 11i 11.5.8; Oracle E-Business Suite 11i 11.5.7; Oracle E-Business Suite 11i 11.5.6; Oracle E-Business Suite 11i 11.5.5; Oracle E-Business Suite 11i 11.5.4; Oracle E-Business Suite 11i 11.5.3; Oracle E-Business Suite 11i 11.5.2; Oracle E-Business Suite 11i 11.5.1; Oracle E-Business Suite 11.0; Oracle Developer Suite 9.0.4 .2; Oracle Collaboration Suite Release 2 9.0.4 .2; Oracle Collaboration Suite Release 1 10.1.2 .1; Oracle Collaboration Suite Release 1 10.1.2; Oracle Collaboration Suite Release 1 10.1.1; HP HP-UX 11.23; HP HP-UX 11.11; HP HP-UX B.11.23; HP HP-UX B.11.11; HP HP-UX B.11.11 |
| Not Vulnerable: | |
Discussion
Oracle has released a Critical Patch Update advisory for April 2006 to address multiple vulnerabilities in multiple Oracle products. This Critical Patch Update addresses the vulnerabilities for supported releases. Earlier unsupported releases are likely to be affected by the issues as well.
The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to exploit some of the issues, but other issues do not require any authorization. The most severe of these vulnerabilities could possibly expose affected computers to complete compromise.
This record will be updated and split into individual BIDs for each issue as further information is disclosed.
Exploit / POC
Some of these issues require an exploit, others don't.
The following exploit code is available:
Solution / Fix
Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2006) to address these issues. Please see the update for information on obtaining and applying appropriate patches.
Red-Database-Security GmbH states that one of the fixes for Oracle Spatial is incorrect (p5064365_92070_WINNT). Users of affected packages should contact the vendor for further information on obtaining a corrected fix.
Please see the referenced vendor advisories for further information.
References
References:
- Details Oracle Critical Patch Update April 2006 (Red-Database Security)
- Oracle Critical Patch Update - April 2006 (Oracle)
- Oracle Homepage (Oracle)
- Oracle Support Page (Oracle)
- Oracle Technology Network - Security (Oracle)
- [Argeniss] Oracle Database 10gR1 Buffer overflow in VERIFY_LOG procedure (Cesar)
- Multiple critical and high risk issues in Oracle's database server ("NGSSoftware Insight Security Research")
- SQL Injection in package SYS.DBMS_LOGMNR_SESSION ([email protected])