Oracle Database Remote Denial of Service Vulnerability
BID:26108
| Bugtraq ID: | 26108 |
| Class: | Failure to Handle Exceptional Conditions |
| CVE: | CVE-2007-5506 |
| Remote: | Yes |
| Local: | No |
| Published: | Oct 17 2007 12:00AM |
| Updated: | May 07 2015 05:34PM |
| Credit: | David Litchfield of Next Generation Security Software Ltd. is credited with the discovery of this vulnerability. |
| Vulnerable: |
Oracle PeopleSoft Enterprise PeopleTools 8.49
Oracle PeopleSoft Enterprise PeopleTools 8.48
Oracle PeopleSoft Enterprise PeopleTools 8.47
Oracle PeopleSoft Enterprise PeopleTools 8.22
Oracle PeopleSoft Enterprise Human Capital Management 9.0
Oracle PeopleSoft Enterprise Human Capital Management 8.9
Oracle Oracle9i Standard Edition 9.2 .8DV
Oracle Oracle9i Standard Edition 9.2 .8
Oracle Oracle9i Personal Edition 9.2 .8DV
Oracle Oracle9i Personal Edition 9.2 .8
Oracle Oracle9i Enterprise Edition 9.2 .8DV
Oracle Oracle9i Enterprise Edition 9.2 .8.0
Oracle Oracle10g Standard Edition 10.2 .3
Oracle Oracle10g Standard Edition 10.2 .2
Oracle Oracle10g Standard Edition 10.1 .5
Oracle Oracle10g Personal Edition 10.2 .3
Oracle Oracle10g Personal Edition 10.2 .2
Oracle Oracle10g Personal Edition 10.1 .5
Oracle Oracle10g Enterprise Edition 10.2 .3
Oracle Oracle10g Enterprise Edition 10.2 .2
Oracle Oracle10g Enterprise Edition 10.1 .5
Oracle Oracle10g Application Server 10.1.3 .3.0
Oracle Oracle10g Application Server 10.1.3 .2.0
Oracle Oracle10g Application Server 10.1.3 .1.0
Oracle Oracle10g Application Server 10.1.3 .0.0
Oracle Oracle10g Application Server 10.1.2 .2.0
Oracle Oracle10g Application Server 10.1.2 .1.0
Oracle Oracle10g Application Server 10.1.2 .0.2
Oracle Oracle10g Application Server 10.1.2 .0.1
Oracle Oracle10g Application Server 9.0.4 3
Oracle Enterprise Manager Grid Control 10g 10.1 6
Oracle Enterprise Manager Grid Control 10g 10.1 .5
Oracle Enterprise Manager Database Control 10g 10.2.0.3
Oracle Enterprise Manager Database Control 10g 10.2.0.2
Oracle Enterprise Manager Database Control 10g 10.1.0.5
Oracle E-Business Suite 12 12.0.3
Oracle E-Business Suite 12 12.0.2
Oracle E-Business Suite 12 12.0.1
Oracle E-Business Suite 12 12.0
Oracle E-Business Suite 11i 11.5.10 CU2
Oracle E-Business Suite 11i 11.5.10
Oracle E-Business Suite 11i 11.5.9
Oracle E-Business Suite 11i 11.5.8
Oracle Collaboration Suite 10g 10.1.2
HP Oracle for OpenView for Linux LTU Service Bureaus 0
HP Oracle for OpenView for Linux LTU 0
HP Oracle for OpenView 9.1.1
HP Oracle for OpenView 8.1.7
HP Oracle for OpenView 9.2 |
| Not Vulnerable: | |
Discussion
Oracle Database is prone to a remote denial-of-service vulnerability that remote attackers may exploit prior to authentication.
Successfully exploiting this issue allows attackers to consume excessive CPU resources, denying service to legitimate users.
NOTE: This issue was previously documented in BID 26039 (Oracle October 2007 Critical Patch Update Multiple Vulnerabilities) and has been given its own BID because further technical details are now available.
Exploit / POC
To exploit this issue, attackers can use readily available network utilities.
Solution / Fix
Solution:
Oracle has released a Critical Patch Update (October 2007) to address this issue. Please see the referenced advisory for information on obtaining and applying appropriate patches.
References
References:
- Oracle Critical Patch Update - October 2007 - Version Support Matrix (Integrigy Corporation)
- Oracle Homepage (Oracle)
- HPSBMA02133 SSRT061201 rev.6 - HP Oracle for OpenView (OfO) Critical Patch Updat ([email protected])
- Oracle RDBMS TNS Data packet DoS ("NGSSoftware Insight Security Research")
- Oracle Critical Patch Update - October 2007 (Oracle)