Oracle E-Business SQL injection
| oracle-ebusiness-sql-injection (16324) |  Medium Risk |
Description:
Oracle E-Business Suite Releases is vulnerable to SQL injection. A remote attacker could supply a specially-crafted HTTP GET or POST request containing malicious SQL code to the vulnerable program, which would allow the attacker to add, modify or delete user information in the backend database.
Consequences:
Data Manipulation
Remedy:
Apply the appropriate patch for your system, available from the Oracle Security Alert #67. See References.
For HP-UX 11.23:
Apply the PHNE_30465.depot.11.23.gz or later patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0310-29. See References.
For HP-UX 11.22:
Apply the PHNE_29859.depot or later patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0310-290. See References.
For HP-UX 11.11:
Apply the B.11.11.01.005 or later patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0310-290. See References.
For HP-UX 11.00:
Apply the B.11.00.01.003 or later patch for your system, as listed in Hewlett-Packard Company Security Bulletin HPSBUX0310-290. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- CIAC Information Bulletin O-153: Oracle E-Business Suite SQL Injection Vulnerability.
- Oracle Security Alert #67: Unauthorized Access Vulnerabilities in Oracle EBusiness Suite.
- VulnWatch Mailing List, Fri Jun 04 2004 - 12:59:04 CDT : Integrigy Security Alert - Multiple SQL Injection Vulnerabilities in Oracle E-Business Suite.
- BID-10465: Oracle E-Business Suite Multiple Unspecified SQL Injection Vulnerabilities
- CVE-2004-0543: Multiple SQL injection vulnerabilities in Oracle Applications 11.0 and Oracle E-Business Suite 11.5.1 through 11.5.8 allow remote attackers to execute arbitrary SQL procedures and queries.
- US-CERT VU#961579: Oracle E-Business Suite SQL Injection vulnerabilities
Platforms Affected:
- Oracle E-Business Suite 11.0
- Oracle E-Business Suite 11.5.1
- Oracle E-Business Suite 11.5.2
- Oracle E-Business Suite 11.5.3
- Oracle E-Business Suite 11.5.4
- Oracle E-Business Suite 11.5.5
- Oracle E-Business Suite 11.5.6
- Oracle E-Business Suite 11.5.7
- Oracle E-Business Suite 11.5.8
Reported:
Jun 04, 2004
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net