Executive Summary
Summary | |
---|---|
Title | Oracle Updates for Multiple Vulnerabilities |
Information | |||
---|---|---|---|
Name | TA08-017A | First vendor Publication | 2008-01-17 |
Vendor | US-CERT | Last vendor Modification | 2008-01-17 |
Severity (Vendor) | N/A | Revision | N/A |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
Impact Subscore | NA | Temporal Score | NA |
Exploitability Subscore | NA | ||
Security-Database Scoring CVSS v2
Cvss vector : (AV:N/AC:L/Au:N/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 10 | Attack Range | Network |
Cvss Impact Score | 10 | Attack Complexity | Low |
Cvss Exploit Score | 10 | Authentication | None Required |
Detail
Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

I. Description

Oracle has released Critical Patch Update - January 2008. This update addresses 26 vulnerabilities in different Oracle products and components. The Critical Patch Update provides information about affected components, access and authorization required, and the impact from the vulnerabilities on data confidentiality, integrity, and availability. According to Oracle, none of the vulnerabilities corrected in the Oracle Critical Patch Update affect Oracle Database Client-only installations.

In most cases, Oracle does not associate Vuln# identifiers (e.g., DB01) with other available information. If significant additional details about vulnerabilities and remediation techniques become available, we will update the Vulnerability Notes Database.

II. Impact

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

III. Solution

Apply a patch

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update - January 2008. Note that this Critical Patch Update only lists newly corrected issues. Updates to patches for previously known issues are not listed.

As noted in the update, some patches are cumulative, others are not: The Oracle Database, Oracle Application Server, Oracle Enterprise Manager Grid Control, Oracle E-Business Suite Applications (Release Oracle E-Business Suite Applications Release 11i patches are not cumulative, so Oracle E-Business Suite Applications customers should refer to previous Critical Patch Updates to identify previous security fixes they want to apply.

Oracle Collaboration Suite patches were cumulative up to and including the fixes provided in the April 2007 Critical Patch Update. From the July

Patches for some platforms and components were not available when the Critical Patch Update was published on January 17, 2008. Please see MetaLink Note 467880.1 (login required) for more information.

Known issues with Oracle patches are documented in the pre-installation notes and patch readme files. Please consult these documents specific to your system before applying patches.

Appendix A. Vendor Information

Oracle

Please see Oracle Critical Patch Update - January 2008 and Critical Patch Updates and Security Alerts.

Appendix B.
Original Source
Url : http://www.us-cert.gov/cas/techalerts/TA08-017A.html |
CPE : Common Platform Enumeration
SAINT Exploits
Description | Link |
---|---|
Oracle XDB component PITRIG_TRUNCATE buffer overflow | More info here |
OpenVAS Exploits
Date | Description |
---|---|
2011-12-07 | Name : Oracle Application Server Unspecified Vulnerability File : nvt/gb_oracle_appln_server_unspecified_vuln.nasl |
2011-12-07 | Name : Oracle Database Server Multiple Unspecified Vulnerabilities - Jan 08 File : nvt/gb_oracle_database_mult_unspecified_vuln_jan08.nasl |
2011-12-07 | Name : Oracle Database Server and Application Server Ultra Search Component Unspecif... File : nvt/gb_oracle_database_n_appln_server_ultra_serach_comp_unspecified_vuln.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
41689 | Oracle Database Core RDBMS Dictionary Selection Unspecified Issue |
40306 | Oracle Database Spatial Unspecified Remote Issue (DB07) |
40305 | Oracle Database Spatial Unspecified Remote Issue (DB06) |
40304 | Oracle Database Upgrade/Downgrade Unspecified Remote Issue |
40303 | Oracle Database Spatial MDSYS.SDO_CATALOG Unspecified Remote Issue |
40302 | Oracle Database Advanced Queuing SYS.DBMS_PRVTAQIP Unspecified Remote Issue |
40301 | Oracle Database Advanced Queuing SYS.DBMS_PRVTAQIM Unspecified Remote Issue |
40300 | Oracle Database XML DB XDB.XDB_PITRIG_PKG Package PITRIG_TRUNCATE Function Ov... |
40298 | Oracle Application Server Internet Directory LDAP Unspecified Remote Informat... |
40297 | Oracle Application Server JDeveloper Unspecified Remote Issue |
40296 | Oracle Application Server Forms Unspecified Remote Issue |
40295 | Oracle Application Server BPEL Worklist Application Unspecified Remote Issue |
40294 | Oracle Application Server Jinitiator Unspecified Remote Issue (AS02) |
40293 | Oracle Application Server Jinitiator Unspecified Remote Issue (AS01) |
40290 | Oracle E-Business Suite Applications Technology Stack Unspecified Remote Issue |
40289 | Oracle E-Business Suite Application Object Library Unspecified Remote Issue (... |
40288 | Oracle E-Business Suite CRM Technical Foundation Unspecified Remote Issue |
40287 | Oracle E-Business Suite Applications Manager Unspecified Remote Information D... |
40286 | Oracle E-Business Suite Applications Framework Unspecified Remote Information... |
40285 | Oracle E-Business Suite Application Object Library Unspecified Remote Issue (... |
40284 | Oracle E-Business Suite Mobile Application Server Unspecified Remote Issue |
40283 | Oracle PeopleSoft PeopleTools PeopleCode Unspecified Logging Remote Informati... PeopleSoft PeopleTools contains a flaw that may lead to an unauthorized information disclosure. The issue is triggered when the logging of sensitive information in PeopleCode occurs, which could disclose said sensitive information, resulting in a loss of confidentiality. |
40282 | Oracle PeopleSoft PeopleTools PIA Unspecified XSS (PSE03) PeopleSoft PeopleTools contains a flaw that allows a remote cross site scripting attack. The flaw exists in the PeopleSoft Internet Architecture (PIA). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided. |
40281 | Oracle PeopleSoft PeopleTools Unspecified Remote XSS (PSE02) PeopleSoft PeopleTools contains a flaw that allows a remote cross site scripting attack. This flaw exists in the CRM component. This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided. |
40280 | Oracle PeopleSoft PeopleTools PIA Unauthenticated XSS PeopleSoft PeopleTools contains a flaw that allows a remote unauthenticated cross site scripting attack. The flaw exists in the PeopleSoft Internet Architecture (PIA). This could allow a user to create a specially crafted URL that would execute arbitrary code in a user's browser within the trust relationship between the browser and the server, leading to a loss of integrity. No further details have been provided. |
40279 | Oracle Collaboration Suite Ultra Search Unspecified Remote Issue |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | XDB.XDB_PITRIG_PKG buffer overflow attempt RuleID : 17722 - Revision : 10 - Type : SERVER-ORACLE |
2014-01-10 | Oracle XDB.XDB_PITRIG_PKG sql injection attempt RuleID : 13551 - Revision : 10 - Type : SERVER-ORACLE |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2012-01-24 | Name : The remote web server may be affected by multiple vulnerabilities. File : oracle_application_server_pci.nasl - Type : ACT_GATHER_INFO |
2011-11-16 | Name : The remote database server is affected by multiple vulnerabilities. File : oracle_rdbms_cpu_jan_2008.nasl - Type : ACT_GATHER_INFO |