Oracle Critical Patch Update - January 2006

oracle-january2006-update (24321) The risk level is classified as HighHigh Risk

Description:

The Oracle Critical Patch Update dated January 2006 is not installed, which could allow an attacker to exploit multiple vulnerabilities. Refer to the risk matrix from the Oracle Critical Patch Update - January 2006 for details.


Consequences:

Informational

Remedy:

Refer to Oracle Critical Patch Update - January 2006 for patch, upgrade, or suggested workaround information. See References.

References:

  • IBM Internet Security Systems X-Force Database: Oracle Reports desname file overwrite.
  • IBM Internet Security Systems X-Force Database: Oracle Reports Server customize parameter information disclosure.
  • IBM Internet Security Systems X-Force Database: Oracle TDE masterkey in plaintext.
  • IBM Internet Security Systems X-Force Database: Oracle SYS.KUPV$FT_INT multiple functions SQL injection.
  • IBM Internet Security Systems X-Force Database: Oracle TNS authentication AUTH_ALTER_SESSION SQL command execution.
  • IBM Internet Security Systems X-Force Database: Oracle TDE masterkey in plaintext in SJA.
  • IBM Internet Security Systems X-Force Database: Oracle SYS.KUPV$FT multiple functions SQL injection.
  • Oracle Web site: Oracle Critical Patch Update Advisory - January 2006.
  • BID-16287: Oracle January Security Update Multiple Vulnerabilities
  • CVE-2005-2371: Directory traversal vulnerability in Oracle Reports 6.0, 6i, 9i, and 10g allows remote attackers to overwrite arbitrary files via (1) .., (2) Windows drive letter (C:), and (3) absolute path sequences in the desname parameter. NOTE: this issue was probably fixed by REP06 in CPU Jan 2006, in which case it overlaps CVE-2006-0289.
  • CVE-2006-0257: Unspecified vulnerability in the Change Data Capture component of Oracle Database server 9.2.0.7, 10.1.0.5, and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB02. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the CDC_ALLOCATE_LOCK function of the DBMS_CDC_UTILITY package.
  • CVE-2006-0258: Unspecified vulnerability in the Connection Manager component of Oracle Database server 8.1.7.4 and 9.0.1.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB03.
  • CVE-2006-0259: Multiple unspecified vulnerabilities in Oracle Database server 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB04 and (2) DB06 in the (a) Data Pump component; (3) DB10 in the (b) Net Listener component; and (4) DB16 in the (c) Oracle Text component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB06 is SQL injection in the GENERATE_JOB_NAME, GET_WORKERSTATUSLIST1010, GET_PARAMVALUES1010, GET_DUMPFILESET1010, GET_JOBSTATUS1010, ATTACH, and ESTABLISH_REMOTE_CONTEXT functions in DBMS_DATAPUMP.
  • CVE-2006-0260: Multiple unspecified vulnerabilities in Oracle Database server 9.2.0.7 and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB05 in the (a) Data Pump component; (2) DB15 in the (b) Oracle Text component; (3) DB22 in the (c) Streams Apply component; (4) DB23 and (5) DB24 in the (d) Streams Capture component; and (6) DB26 in the (e) Streams Subcomponent. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB05 involves SQL injection in the (f) LONG2VARCHAR, LONG2VCMAX, LONG2VCNT, and LONG2CLOB functions in the DBMS_METADATA_UTIL package; (g) MAKE_FILTER, FETCH_VIEWS_ERROR, FETCH_FILTERS, FETCH_VIEWS, SET_FILTER_COMMON, DO_FILTER_SCRIPT, SET_TABLE_FILTERS, and MAKE_F
  • CVE-2006-0261: Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.5 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB07 in the Dictionary component and (2) DB14 in the Oracle Label Security component. NOTE: Oracle has not disputed reliable researcher claims that DB07 involves plaintext storage of the TDE wallet password in a trace file by event 10053.
  • CVE-2006-0262: Unspecified vulnerability in the Net Foundation Layer component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB08.
  • CVE-2006-0263: Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB09 in the (a) Net Listener component; and (2) DB12 and (3) DB13 in the Network Communications (RPC) component.
  • CVE-2006-0265: Multiple unspecified vulnerabilities in Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.1 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) DB17 in the Oracle Text component and (2) DB18 in the Program Interface Network component. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that DB17 involves SQL injection in the (a) VALIDATE_STATEMENT and BUILD_DML functions in CTXSYS.DRILOAD; (b) CLEAN_DML function in CTXSYS.DRIDML; (c) GET_ROWID function in CTXSYS.CTX_DOC; (d) BROWSE_WORDS function in CTXSYS.CTX_QUERY; and (e) ODCIINDEXTRUNCATE, ODCIINDEXDROP, and ODCIINDEXDELETE functions in CATINDEXMETHODS.
  • CVE-2006-0266: Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.0.1.5, 9.2.0.7, and 10.1.0.5 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB19.
  • CVE-2006-0267: Unspecified vulnerability in the Query Optimizer component of Oracle Database server 9.2.0.6 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB20.
  • CVE-2006-0268: Unspecified vulnerability in the Security component of Oracle Database server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.6, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB21.
  • CVE-2006-0269: Unspecified vulnerability in the Streams Capture component of Oracle Database server 10.1.0.5 and 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB25. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the SET_DIRECTORY_ROOT function in the DBMS_CDC_PUBLISH package.
  • CVE-2006-0270: Unspecified vulnerability in the Transparent Data Encryption (TDE) Wallet component of Oracle Database server 10.2.0.1 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB27. NOTE: Oracle has not disputed a reliable researcher report that TDA stores the master key without encryption, which allows local users to obtain the key via the SGA.
  • CVE-2006-0271: Unspecified vulnerability in the Upgrade & Downgrade component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.2.0.7, and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB28. NOTE: details are unavailable from Oracle, but they have not publicly disputed a claim by a reliable independent researcher that states that the problem is SQL injection in the DBMS_REGISTRY package in certain parameters to the (1) IS_COMPONENT, (2) GET_COMP_OPTION, (3) DISABLE_DDL_TRIGGERS, (4) SCRIPT_EXISTS, (5) COMP_PATH, (6) GATHER_STATS, (7) NOTHING_SCRIPT, and (8) VALIDATE_COMPONENTS functions.
  • CVE-2006-0272: Unspecified vulnerability in the XML Database component of Oracle Database server 9.2.0.7 and 10.1.0.4 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB29. NOTE: based on mutual credits by the relevant sources, it is highly likely that this issue is a buffer overflow in the (a) DBMS_XMLSCHEMA and (b) DBMS_XMLSCHEMA_INT packages, as exploitable via long arguments to (1) XDB.DBMS_XMLSCHEMA.GENERATESCHEMA or (2) XDB.DBMS_XMLSCHEMA.GENERATESCHEMAS.
  • CVE-2006-0273: Unspecified vulnerability in the Portal component of Oracle Application Server 9.0.4.2 and 10.1.2.0 has unspecified impact and attack vectors, as identified by Oracle Vuln# AS01.
  • CVE-2006-0274: Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 and 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP03.
  • CVE-2006-0275: Unspecified vulnerability in the Oracle Reports Developer component of Oracle Application Server 9.0.4.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# REP04. NOTE: Oracle has not disputed reliable researcher claims that this issue is related to directory traversal that allows reading of portions of arbitrary XML files via the customize parameter.
  • CVE-2006-0276: Multiple unspecified vulnerabilities in Oracle Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) OCS01, 2) OCS02, 3) OCS03, 4) OCS04, 5) OCS05, 6) OCS06, 7) OCS07, (8) OCS08, and (9) OCS09 in the (a) Email Server component; 10) OCS10 (and (11) OCS11 in the (b) Oracle Collaboration Suite Wireless & Voice (component; 12) OCS12 and (13) OCS13 in the (c) Oracle Content (Management SDK component; 14) OCS14 and (15) OCS15 in the (d) Oracle (Content Services component.
  • CVE-2006-0277: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS01 in the (a) Application Install component; (2) APPS07 in the (b) Oracle Applications Framework component; (3) APPS08, (4) APPS09, (5) APPS10, and (6) APPS11 in the (c) Oracle Applications Technology Stack component; (7) APPS12 in the (d) Oracle Human Resources component; (8) APPS15 and (9) APPS16 in the (e) Oracle Marketing component; (10) APPS17 in the (f) Marketing Encyclopedia System component; (11) APPS18 in the (g) Oracle Trade Management component; and (12) APPS19 in the (h) Oracle Web Applications Desktop Integration component.
  • CVE-2006-0278: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS02 in the (a) CRM Technical Foundation component; (2) APPS03 in the (b) iProcurement component; and (3) APPS04, (4) APPS05, and (5) APPS06 in the Oracle Application Object Library component.
  • CVE-2006-0279: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 4.3 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) APPS13 and (2) APPS14 in the Oracle iLearning component.
  • CVE-2006-0280: Unspecified vulnerability in Oracle PeopleSoft Enterprise Portal 8.4 Bundle 15, 8.8 Bundle 10, and 8.9 Bundle 2 has unspecified impact and attack vectors, as identified by Oracle Vuln# PSE01.
  • CVE-2006-0281: Unspecified vulnerability in Oracle JD Edwards HTML Server 8.95.F1 SP23_L1 has unspecified impact and attack vectors, as identified by Oracle Vuln# JDE01.
  • CVE-2006-0282: Unspecified vulnerability in Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC01 in the Protocol Support component.
  • CVE-2006-0283: Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component.
  • CVE-2006-0284: Multiple unspecified vulnerabilities in Oracle Application Server 9.0.4.2 and 10.1.2.0.2, and E-Business Suite and Applications 11.5.10, have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) FORM01 and (2) FORM02 in the Oracle Forms component.
  • CVE-2006-0285: Unspecified vulnerability in the Java Net component of Oracle Database Server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.4, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# JN01.
  • CVE-2006-0286: Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 9.0.1.5, 9.0.1.5 FIPS, 9.2.0.7, and 10.1.0.5, and Application Server 1.0.2.2, 9.0.4.2, and 10.1.2.0.2, has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS01.
  • CVE-2006-0287: Unspecified vulnerability in the Oracle HTTP Server component of Oracle Database Server 10.1.0.5 and Application Server 10.1.2.0.2 has unspecified impact and attack vectors, as identified by Oracle Vuln# OHS02.
  • CVE-2006-0288: Multiple unspecified vulnerabilities in the Oracle Reports Developer component of Oracle Application Server 9.0.4.1 and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP01 and (2) REP02.
  • CVE-2006-0289: Multiple unspecified vulnerabilities in Oracle Application Server 6.0.8.26(PS17) and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) REP05 and (2) REP06 in the Oracle Reports Developer component. NOTE: Oracle has not disputed reliable researcher claims that REP05 is the same as CVE-2005-2378 and REP06 is the same as CVE-2005-2371, both of which involve directory traversal.
  • CVE-2006-0290: Unspecified vulnerability in Oracle Database Server 9.2.0.7, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 has unspecified impact and attack vectors, as identified by Oracle Vuln# WF01 in the Oracle Workflow Cartridge component.
  • CVE-2006-0291: Multiple unspecified vulnerabilities in Oracle Database Server 10.2.0.1, Application Server 9.0.4.2 and 10.1.2.1, Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i), and E-Business Suite and Applications 11.5.10 have unspecified impact and attack vectors, as identified by Oracle Vuln# (1) WF02 and (2) WF03 in the Oracle Workflow Cartridge component.
  • CVE-2006-0548: SQL injection vulnerability in the Oracle Text component of Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB15 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260.
  • CVE-2006-0549: SQL injection vulnerability in the SYS.DBMS_METADATA_UTIL package in Oracle Database 10g, and possibly earlier versions, might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB05 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0260. However, there are some inconsistencies that make this unclear, and there is also a possibility that this is related to DB06, which is subsumed by CVE-2006-0259.
  • CVE-2006-0550: Buffer overflow in an unspecified Oracle Client utility might allow remote attackers to execute arbitrary code or cause a denial of service. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DBC02 from the January 2006 CPU, in which case this would be a duplicate of CVE-2006-0283. However, there are enough inconsistencies that the mapping can not be made authoritatively.
  • CVE-2006-0551: SQL injection vulnerability in the Data Pump Metadata API in Oracle Database 10g and possibly earlier might allow remote attackers to execute arbitrary SQL commands via unknown vectors. NOTE: due to the lack of relevant details from the Oracle advisory, a separate CVE is being created since it cannot be conclusively proven that this issue has been addressed by Oracle. It is possible that this is the same issue as Oracle Vuln# DB06 from the January 2006 CPU, in which case this would be subsumed by CVE-2006-0259 or, if it is DB05, subsumed by CVE-2006-0260.
  • CVE-2006-0552: Unspecified vulnerability in the Net Listener component of Oracle Database server 8.1.7.4, 9.0.1.5, 9.0.1.5 FIPS, and 9.2.0.7 has unspecified impact and attack vectors, as identified by Oracle Vuln# DB11.
  • OSVDB ID: 22541: Oracle Database Connection Manager Trivial Remote DoS
  • OSVDB ID: 22543: Oracle Database Data Pump Metadata API DBMS_METADATA_UTIL Multiple Procedure SQL Injection
  • OSVDB ID: 22544: Oracle Database Data Pump Metadata API DBMS_DATAPUMP Multiple Procedure SQL Injection
  • OSVDB ID: 22546: Oracle Database Net Foundation Layer Unspecified Remote Issue
  • OSVDB ID: 22547: Oracle Database Net Listener Multiple Unspecified Remote Issues (DB09)
  • OSVDB ID: 22549: Oracle Database Net Listener Multiple Unspecified Remote Issues (DB11)
  • OSVDB ID: 22550: Oracle Database Network Communications (RPC) Unspecified Remote Issue (DB12)
  • OSVDB ID: 22551: Oracle Database Network Communications (RPC) Unspecified Remote Issue (DB13)
  • OSVDB ID: 22553: Oracle Database Text cxtsys.catsearch Unspecified SQL Issue
  • OSVDB ID: 22555: Oracle Database Text CTXSYS.DRILOAD Multiple Procedure SQL Injection
  • OSVDB ID: 22556: Oracle Database TNS Authentication Phase AUTH_ALTER_SESSION Attribute SQL Injection
  • OSVDB ID: 22557: Oracle Database Query Optimizer sys.outln_pkg Unspecified SQL Issue
  • OSVDB ID: 22558: Oracle Database Query Optimizer Unspecified Trivial Remote DoS
  • OSVDB ID: 22559: Oracle Database Security sys.dbms_fga.add_policy Unspecified SQL Issue
  • OSVDB ID: 22563: Oracle Database Streams Capture DBMS_CDC_PUBLISH SET_DIRECTORY_ROOT Procedure SQL Injection
  • OSVDB ID: 22566: Oracle Database Upgrade & Downgrade DBMS_REGISTRY Multiple Procedure SQL Injection
  • OSVDB ID: 22568: Oracle Protocol Support Unspecified Limited Impact Remote Issue
  • OSVDB ID: 22569: Oracle Reorganize Objects & Convert Tablespace Unspecified Local Issue
  • OSVDB ID: 22570: Oracle Java Net Network (OID) Unspecified Trivial Remote Information Disclosure
  • OSVDB ID: 22571: Oracle Database HTTP Server Unspecified Trivial Remote Information Disclosure
  • OSVDB ID: 22572: Oracle Database HTTP Server Unspecified Trivial Remote DoS
  • OSVDB ID: 22573: Oracle Workflow Cartridge HTTP Unspecified Trivial Remote Information Disclosure (WF01)
  • OSVDB ID: 22574: Oracle Workflow Cartridge HTTP Unspecified Trivial Remote Information Disclosure (WF02)
  • OSVDB ID: 22575: Oracle Workflow Cartridge HTTP Unspecified Trivial Remote Information Disclosure (WF03)
  • OSVDB ID: 22576: Oracle Application Server Portal HTTP Unspecified Trivial Remote Information Disclosure
  • OSVDB ID: 22577: Oracle Forms HTTP Unspecified Remote Issue
  • OSVDB ID: 22578: Oracle Forms File Upload Unspecified Issue
  • OSVDB ID: 22579: Oracle Reports Developer HTTP Unspecified Remote Issue
  • OSVDB ID: 22580: Oracle Application Server Reports Developer HTTP Unspecified Remote DoS
  • OSVDB ID: 22581: Oracle Application Server Reports Developer File Upload Unspecified Issue
  • OSVDB ID: 22582: Oracle Application Server Reports Developer rwservlet customize Variable Arbitrary XML File Portion Disclosure
  • OSVDB ID: 22585: Oracle Collaboration Suite Email Server Trivial Remote Information Disclosure (OCS01)
  • OSVDB ID: 22586: Oracle Collaboration Suite Email Server Trivial Remote Information Disclosure (OCS02)
  • OSVDB ID: 22587: Oracle Collaboration Suite Email Server IMAP Authenticated Remote Trivial DoS
  • OSVDB ID: 22588: Oracle Collaboration Suite Email Server IMAP/POP Unauthenticated Remote Trivial DoS
  • OSVDB ID: 22589: Oracle Collaboration Suite Email Server SMTP Unspecified Issue (OCS05)
  • OSVDB ID: 22590: Oracle Collaboration Suite Email Server SMTP Unspecified Issue (OCS06)
  • OSVDB ID: 22591: Oracle Collaboration Suite Email Server SMTP Unspecified Issue (OCS07)
  • OSVDB ID: 22592: Oracle Collaboration Suite Email Server Unspecified Local Trivial Information Disclosure
  • OSVDB ID: 22593: Oracle Collaboration Suite Email Server HTTP Unspecified Remote Information Disclosure
  • OSVDB ID: 22594: Oracle Collaboration Suite Wireless & Voice Local Information Disclosure
  • OSVDB ID: 22595: Oracle Collaboration Suite Wireless & Voice Authenticated SMS Remote Information Disclosure
  • OSVDB ID: 22596: Oracle Collaboration Suite Management SDK FTP Unspecified Issue
  • OSVDB ID: 22597: Oracle Collaboration Suite Management SDK HTTP Unspecified Authenticated Issue
  • OSVDB ID: 22598: Oracle Collaboration Suite Content Services Email Unspecified Information Disclosure
  • OSVDB ID: 22599: Oracle Collaboration Suite Content Services HTTP Unspecified Issue
  • OSVDB ID: 22600: Oracle E-Business Suite/Applications Application Install Log File Local Information Disclosure
  • OSVDB ID: 22601: Oracle E-Business Suite/Applications CRM Technical Foundation HTTP Information Disclosure
  • OSVDB ID: 22602: Oracle E-Business Suite/Applications iProcurement HTTP Information Disclosure
  • OSVDB ID: 22603: Oracle E-Business Suite/Applications Application Object Library Log File Information Disclosure
  • OSVDB ID: 22604: Oracle E-Business Suite/Applications Application Object Library HTTP Information Disclosure (APPS05)
  • OSVDB ID: 22605: Oracle E-Business Suite/Applications Application Object Library HTTP Information Disclosure (APPS06)
  • OSVDB ID: 22606: Oracle E-Business Suite/Applications Applications Framework HTTP Unspecified Authenticated Issue
  • OSVDB ID: 22607: Oracle E-Business Suite/Applications Applications Technology Stack HTTP Trivial Information Disclosure (APPS08)
  • OSVDB ID: 22608: Oracle E-Business Suite/Applications Applications Technology Stack HTTP Trivial Information Disclosure (APPS10)
  • OSVDB ID: 22609: Oracle E-Business Suite/Applications Applications Technology Stack HTTP Trivial Information Disclosure (APPS11)
  • OSVDB ID: 22610: Oracle E-Business Suite/Applications Human Resources HTTP Authenticated Information Disclosure
  • OSVDB ID: 22611: Oracle E-Business Suite/Applications iLearning HTTP Information Disclosure (APPS13)
  • OSVDB ID: 22612: Oracle E-Business Suite/Applications iLearning HTTP Information Disclosure (APPS14)
  • OSVDB ID: 22613: Oracle E-Business Suite/Applications Marketing HTTP Authenticated Issue (APPS15)
  • OSVDB ID: 22614: Oracle E-Business Suite/Applications Marketing HTTP Authenticated Issue (APPS16)
  • OSVDB ID: 22615: Oracle E-Business Suite/Applications Marketing Encyclopedia System HTTP Information Disclosure
  • OSVDB ID: 22616: Oracle E-Business Suite/Applications Trade Management HTTP Information Disclosure
  • OSVDB ID: 22617: Oracle E-Business Suite/Applications Web Applications Desktop Integration HTTP Information Disclosure
  • OSVDB ID: 22618: Oracle PeopleSoft Enterprise Portal Unspecified Local Issue
  • OSVDB ID: 22619: Oracle JD Edwards HTML Server HTTP Unspecified Issue
  • OSVDB ID: 22620: Oracle E-Business Suite/Applications Applications Technology Stack HTTP Trivial Information Disclosure (APPS09)
  • OSVDB ID: 22637: Oracle Database Data Pump Metadata API DBMS_METADATA_INT Multiple Procedure SQL Injection
  • OSVDB ID: 22639: Oracle Database Text CTXSYS.DRIDML CLEAN_DML Procedure SQL Injection
  • OSVDB ID: 22640: Oracle Database Text CTXSYS.CTX_DOC GET_ROWID Procedure SQL Injection
  • OSVDB ID: 22641: Oracle Database Text CTXSYS.CTX_QUERY BROWSE_WORDS Procedure SQL Injection
  • OSVDB ID: 22642: Oracle Database Text CATINDEXMETHODS Multiple Procedure SQL Injection
  • OSVDB ID: 22643: Oracle Database Data Pump Metadata API DBMS_METADATA Unspecified Procedure SQL Injection
  • OSVDB ID: 60409: Oracle Client Utility Unspecified Remote Overflow
  • SA18493: Oracle Products Multiple Vulnerabilities and Security Issues
  • SA18608: HP Oracle for Openview Multiple Vulnerabilities
  • SECTRACK ID: 1015499: Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact
  • US-CERT VU#150332: Oracle Text SQL injection vulnerability
  • US-CERT VU#472148: Oracle Reports arbitrary file writing vulnerability
  • US-CERT VU#545804: Oracle products contain multiple vulnerabilities
  • US-CERT VU#629316: Oracle Database SYS.DBMS_METADATA_UTIL package SQL injection vulnerability
  • US-CERT VU#857412: Oracle Transparent Data Encryption master encryption key stored as plaintext
  • US-CERT VU#870172: Oracle Database Net Listener vulnerability
  • US-CERT VU#891644: Oracle Database XML Database SQL Injection vulnerability
  • US-CERT VU#925261: Oracle Reports arbitrary file reading vulnerability
  • US-CERT VU#983340: Oracle Database Data Pump Metadata API SQL injection vulnerability
  • US-CERT VU#999268: Oracle Client Tools buffer overflow vulnerability

Platforms Affected:

  • Oracle Application Server 1.0.2.2
  • Oracle Application Server 10.1.2.0.0 R2
  • Oracle Application Server 10.1.2.0.1 R2
  • Oracle Application Server 10.1.2.0.2 R2
  • Oracle Application Server 10.1.2.1.0 R2
  • Oracle Application Server 9.0.4.1
  • Oracle Application Server 9.0.4.2
  • Oracle Collaboration Suite 10.1.1 R1
  • Oracle Collaboration Suite 10.1.2 R1
  • Oracle Collaboration Suite 9.0.4.2 R2
  • Oracle Database Server 10.1.0.3 R1
  • Oracle Database Server 10.1.0.4 R1
  • Oracle Database Server 10.1.0.4.2 R1
  • Oracle Database Server 10.1.0.5 R1
  • Oracle Database Server 10.2.0.1 R2
  • Oracle Database Server 8.0.6.3
  • Oracle Database Server 9.0.1.4 R1
  • Oracle Database Server 9.0.1.5 R1
  • Oracle Database Server 9.0.1.5 FIPS
  • Oracle Database Server 9.2.0.6 R2
  • Oracle Database Server 9.2.0.7 R2
  • Oracle Developer Suite 10.1.2.0
  • Oracle Developer Suite 6i
  • Oracle Developer Suite 9.0.2.1
  • Oracle Developer Suite 9.0.4.1
  • Oracle Developer Suite 9.0.4.2
  • Oracle E-Business Suite 11.5.1
  • Oracle E-Business Suite 11.5.10
  • Oracle E-Business Suite 11.5.10 CU2
  • Oracle E-Business Suite 11.5.2
  • Oracle E-Business Suite 11.5.3
  • Oracle E-Business Suite 11.5.4
  • Oracle E-Business Suite 11.5.5
  • Oracle E-Business Suite 11.5.6
  • Oracle E-Business Suite 11.5.7
  • Oracle E-Business Suite 11.5.8
  • Oracle E-Business Suite 11.5.9
  • Oracle Enterprise Manager Grid Control 10.1.0.3
  • Oracle Enterprise Manager Grid Control 10.1.0.4
  • Oracle PeopleSoft Enterprise Portal 8.4
  • Oracle PeopleSoft Enterprise Portal 8.8
  • Oracle PeopleSoft Enterprise Portal 8.9
  • Oracle Workflow 11.5.1
  • Oracle Workflow 11.5.9.5

Reported:

Jan 17, 2006

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email ignore thisxforceignore this@ignore thisus.ignore thisibm.comignore this

Return to the main page