Oracle April 2007 Security Update Multiple Vulnerabilities
BID:23532
Info
| Bugtraq ID: | 23532 |
| Class: | Unknown |
| CVE: | CVE-2007-2170 CVE-2007-2108 CVE-2007-2109 CVE-2007-2110 CVE-2007-2111 CVE-2007-2112 CVE-2007-2113 CVE-2007-2114 CVE-2007-2115 CVE-2007-2116 CVE-2007-2117 CVE-2007-2118 CVE-2007-2119 CVE-2007-2120 CVE-2007-2121 CVE-2007-2122 CVE-2007-2123 CVE-2007-2124 CVE-2007-2125 CVE-2007-2126 CVE-2007-2127 CVE-2007-2128 CVE-2007-2129 CVE-2007-2130 CVE-2007-2131 CVE-2007-2132 CVE-2007-2133 CVE-2007-2134 CVE-2007-2135 |
| Remote: | Yes |
| Local: | Yes |
| Published: | Apr 17 2007 12:00AM |
| Updated: | Oct 23 2012 03:40PM |
| Credit: | Vicente Aguilera Diaz of Internet Security Auditors, S.L.; Gerhard Eschelbeck of Qualys, Inc.; Esteban Martinez Fayo of Application Security, Inc.; Joxean Koret; Alexander Kornbrust of Red Database Security GmbH; David Litchfield and Paul M. Wright of NGS |

Vulnerable:
- Oracle Secure Enterprise Search 10g Release 1 10.1.6
- Oracle PeopleSoft Enterprise PeopleTools 8.48
- Oracle PeopleSoft Enterprise PeopleTools 8.47
- Oracle PeopleSoft Enterprise PeopleTools 8.22
- Oracle PeopleSoft Enterprise Human Capital Management 8.9
- Oracle Oracle9i Personal Edition 9.2 .8
- Oracle Oracle9i Personal Edition 9.2 .7
- Oracle Oracle9i Personal Edition 9.2 .0.5
- Oracle Oracle9i Personal Edition 9.2 .0.1
- Oracle Oracle9i Personal Edition 9.0.1 .5
- Oracle Oracle9i Enterprise Edition 9.2 .8.0
- Oracle Oracle9i Enterprise Edition 9.2 .7.0
- Oracle Oracle9i Enterprise Edition 9.2 .0.5
- Oracle Oracle9i Enterprise Edition 9.2 .0.1
- Oracle Oracle9i Enterprise Edition 9.0.1 .5
- Oracle Oracle9i Application Server 9.2 .8
- Oracle Oracle9i Application Server 9.2 .0.7
- Oracle Oracle10g Standard Edition 10.2 .3
- Oracle Oracle10g Standard Edition 10.2 .2
- Oracle Oracle10g Standard Edition 10.2 .1
- Oracle Oracle10g Standard Edition 10.1 .0.5
- Oracle Oracle10g Standard Edition 10.1 .0.4
- Oracle Oracle10g Standard Edition 10.1 .0.2
- Oracle Oracle10g Personal Edition 10.2 .3
- Oracle Oracle10g Personal Edition 10.2 .2
- Oracle Oracle10g Personal Edition 10.2 .1
- Oracle Oracle10g Personal Edition 10.1 .5
- Oracle Oracle10g Personal Edition 10.1 .0.4
- Oracle Oracle10g Personal Edition 10.1 .0.2
- Oracle Oracle10g Enterprise Edition 10.2 .3
- Oracle Oracle10g Enterprise Edition 10.2 .2
- Oracle Oracle10g Enterprise Edition 10.2 .1
- Oracle Oracle10g Enterprise Edition 10.1 .5
- Oracle Oracle10g Enterprise Edition 10.1 .0.4
- Oracle Oracle10g Enterprise Edition 10.1 .0.2
- Oracle Oracle10g Application Server 10.1.3 .2.0
- Oracle Oracle10g Application Server 10.1.3 .1.0
- Oracle Oracle10g Application Server 10.1.3 .0.0
- Oracle Oracle10g Application Server 10.1.2 .2.0
- Oracle Oracle10g Application Server 10.1.2 .1.0
- Oracle Oracle10g Application Server 10.1.2 .0.2
- Oracle Oracle10g Application Server 10.1.2 .0.1
- Oracle Oracle10g Application Server 10.1 .5
- Oracle Oracle10g Application Server 10.1 .0.4
- Oracle Oracle10g Application Server 9.0.4 3
- Oracle JD Edwards OneWorld Tools SP23
- Oracle JD Edwards EnterpriseOne 8.96
- Oracle Enterprise Manager 9i Release 2 9.2 8
- Oracle Enterprise Manager 9i Release 2 9.2 7
- Oracle Enterprise Manager 9i 9.0.1 5
- Oracle E-Business Suite 12 12.0
- Oracle E-Business Suite 11i 11.5.10 CU2
- Oracle E-Business Suite 11i 11.5.10
- Oracle E-Business Suite 11i 11.5.9
- Oracle E-Business Suite 11i 11.5.8
- Oracle E-Business Suite 11i 11.5.7
- Oracle E-Business Suite 11i 11.5.10.2
- Oracle Collaboration Suite Release 1 10.1.2
- Oracle Application Server 10.1.2 .0.2
- IBM Tivoli Compliance Insight Manager 8.0
- IBM Tivoli Compliance Insight Manager 7.0
- IBM Tivoli Compliance Insight Manager 6.0
- HP Oracle for OpenView for Linux LTU 0
- HP Oracle for OpenView 9.1.1
- HP Oracle for OpenView 8.1.7
- HP Oracle for OpenView 9.2

Not Vulnerable: (none listed)
Discussion
Oracle has released a Critical Patch Update advisory for April 2007 to address these vulnerabilities for supported releases. Earlier unsupported releases are likely to be affected by these issues as well.
The issues identified by the vendor affect all security properties (confidentiality, integrity and availability) of the affected Oracle products and present both local and remote threats. Some of the issues require various levels of authorization to exploit; others require no authorization at all. The most severe of the vulnerabilities may allow complete compromise of affected computers.
Exploit / POC
Currently we are not aware of any exploits for these issues. If you feel we are in error or if you are aware of more recent information, please mail us at: [email protected].
Some of these issues may not require specific exploit code.
Solution / Fix
Solution:
Oracle has released a Critical Patch Update (April 2007) to address these issues. Please see the update for information on obtaining and applying appropriate patches.
Please see the references for more information.
References
References:
- Analysis of the Oracle April 2007 Critical Patch Update (David Litchfield)
- Bypass Oracle Logon Trigger (7826485) [DB05] (Alexander Kornbrust)
- Cross-Site-Scripting Vulnerability in Oracle Secure Enterprise Search - SES01 (Alexander Kornbrust)
- Oracle Engine Upgrade and Critical Patch - TCIM 6.0/7.0/8.0 Embedded Database En (IBM)
- Oracle Homepage (Oracle)
- Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet (6085705) (Alexander Kornbrust)
- SQL Injection in package SYS.DBMS_AQADM_SYS (6980695) [DB04] (Alexander Kornbrust)
- SQL Injection in package SYS.DBMS_UPGRADE_INTERNAL (6980753) [DB07] (Alexander Kornbrust)
- [Full-disclosure] ZDI-07-016: Oracle E-Business Suite Arbitrary Node Deletion Vu (Oracle)
- [Full-disclosure] ZDI-07-017: Oracle E-Business Suite Arbitrary Document Downloa (Oracle)
- Advisory: Bypass Oracle Logon Trigger (Alexander Kornbrust)
- Advisory: Shutdown unprotected Oracle TNS Listener via Oracle Discoverer Servlet (Alexander Kornbrust)
- Advisory: SQL Injection in package SYS.DBMS_AQADM_SYS (Alexander Kornbrust)
- Advisory: SQL Injection in package SYS.DBMS_UPGRADE_INTERNAL (Alexander Kornbrust)
- Advisory: XSS Vulnerability in Oracle Secure Enterprise Search (Alexander Kornbrust)
- Oracle Database Buffer overflow vulnerabilities in package DBMS_SNAP_INTERNAL (Team SHATTER)
- RE: [Full-disclosure] ZDI-08-088: Oracle E-Business Suite Self-Service Web Appli ("Integrigy Security")
- ZDI-08-088: Oracle E-Business Suite Business Intelligence SQL Injection Vulnerab ([email protected])
- Oracle Critical Patch Update - April 2007 (Oracle)