Oracle Critical Patch Update - July 2006
oracle-cpu-july2006 (27897)
Description:
Oracle Critical Patch Update - July 2006 contains fixes for multiple security vulnerabilities affecting various Oracle products and components. These vulnerabilities include multiple SQL injection issues and multiple unspecified issues, the most serious of which could be used to gain complete control over an affected system.
Platforms Affected:
- Oracle, Application Server 10.1.2.0.0 R2
- Oracle, Application Server 10.1.2.0.1 R2
- Oracle, Application Server 10.1.2.0.2 R2
- Oracle, Application Server 10.1.2.1.0 R2
- Oracle, Application Server 10.1.3.0.0 R3
- Oracle, Application Server 9.0.4.2
- Oracle, Application Server 9.0.4.3
- Oracle, Collaboration Suite 10.1.2 R1
- Oracle, Collaboration Suite 9.0.4.2 R2
- Oracle, Database Server 10.1.0.4 R1
- Oracle, Database Server 10.1.0.5 R1
- Oracle, Database Server 10.2.0.1 R2
- Oracle, Database Server 10.2.0.2 R2
- Oracle, Database Server 8.1.7.4
- Oracle, Database Server 9.2.0.6 R2
- Oracle, Database Server 9.2.0.7 R2
- Oracle, E-Business Suite 11.0
- Oracle, E-Business Suite 11.5.10
- Oracle, E-Business Suite 11.5.10 CU2
- Oracle, E-Business Suite 11.5.7
- Oracle, E-Business Suite 11.5.8
- Oracle, E-Business Suite 11.5.9
- Oracle, Enterprise Manager Grid Control 10.2.0.1
- Oracle, EnterpriseOne 8.95
- Oracle, EnterpriseOne 8.96
- Oracle, PeopleSoft Enterprise Portal 8.4
- Oracle, PeopleSoft Enterprise Portal 8.8
- Oracle, PeopleSoft Enterprise Portal 8.9
- Oracle, Pharmaceutical 4.5.0
- Oracle, Pharmaceutical 4.5.1
- Oracle, Pharmaceutical 4.5.2
Remedy:
Refer to Oracle Critical Patch Update - July 2006 for patch, upgrade, or suggested workaround information. See References.
Consequences:
Informational
References:
- ISS X-Force Database, Oracle Database SYS.DBMS_CDC_IMPDP SQL injection at http://xforce.iss.net/xforce/xfdb/27889.
- ISS X-Force Database, Oracle Database SYS.DBMS_STATS SQL injection at http://xforce.iss.net/xforce/xfdb/27887.
- ISS X-Force Database, Oracle Database SYS.KUPW$WORKER SQL injection at http://xforce.iss.net/xforce/xfdb/27888.
- ISS X-Force Database, Oracle Database SYS.DBMS_UPGRADE SQL injection at http://xforce.iss.net/xforce/xfdb/27886.
- Oracle Web site, Oracle Critical Patch Update - July 2006 at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2006.html.
- Red-Database-Security Web site, Details Oracle Critical Patch Update July 2006 - V1.02 at http://www.red-database-security.com/advisory/oracle_cpu_jul_2006.html.
- US-CERT Technical Cyber Security Alert TA06-200A, Oracle Products Contain Multiple Vulnerabilities at http://www.us-cert.gov/cas/techalerts/TA06-200A.html.
- BID-19054: Oracle July 2006 Security Update Multiple Vulnerabilities
- CVE-2006-3698: Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB01 for Change Data Capture (CDC) component and (2) DB03 for Data Pump Metadata API. NOTE: as of 20060719, Oracle has not disputed a claim by a reliable researcher that DB01 is related to multiple SQL injection vulnerabilities in SYS.DBMS_CDC_IMPDP using the (a) IMPORT_CHANGE_SET, (b) IMPORT_CHANGE_TABLE, (c) IMPORT_CHANGE_COLUMN, (d) IMPORT_SUBSCRIBER, (e) IMPORT_SUBSCRIBED_TABLE, (f) IMPORT_SUBSCRIBED_COLUMN, (g) VALIDATE_IMPORT, (h) VALIDATE_CHANGE_SET, (i) VALIDATE_CHANGE_TABLE, and (j) VALIDATE_SUBSCRIPTION procedures, and that DB03 is for SQL injection in the MAIN procedure for SYS.KUPW$WORKER.
- CVE-2006-3699: Unspecified vulnerability in the Core RDBMS component in Oracle Database 9.0.1.5 and 9.2.0.6 has unknown impact and attack vectors, aka Oracle Vuln# DB02.
- CVE-2006-3700: Multiple unspecified vulnerabilities in Oracle Database 9.2.0.6 and 10.1.0.4 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB04 for Web Distributed Authoring and Versioning (DAV) and (2) DB23 for XMLDB.
- CVE-2006-3701: Unspecified vulnerability in the Dictionary component in Oracle Database 8.1.7.4, 9.0.1.5, and 9.2.0.6 has unknown impact and attack vectors, aka Oracle Vuln# DB05.
- CVE-2006-3702: Multiple unspecified vulnerabilities in Oracle Database 8.1.7.4, 9.0.1.5, 9.2.0.7, 10.1.0.5, and 10.2.0.2 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB06 in Export; (2) DB08, (3) DB09, (4) DB10, (5) DB11, (6) DB12, (7) DB13, (8) DB14, and (9) DBC01 for OCI; (10) DB16 for Query Rewrite/Summary Mgmt; (11) DB17, (12) DB18, (13) DB19, (14) DBC02, (15) DBC03, and (16) DBC04 for RPC; and (17) DB20 for Semantic Analysis. NOTE: as of 20060719, Oracle has not disputed third party claims that DB06 is related to SQL injection using DBMS_EXPORT_EXTENSION with a modified ODCIIndexGetMetadata routine and a call to GET_DOMAIN_INDEX_METADATA, in which case DB06 might be CVE-2006-2081.
- CVE-2006-3703: Unspecified vulnerability in InterMedia for Oracle Database 9.0.1.5, 9.2.0.6, and 10.1.0.4 has unknown impact and attack vectors, aka Oracle Vuln# DB07.
- CVE-2006-3704: Unspecified vulnerability in the Oracle ODBC Driver for Oracle Database 10.1.0.4 has unknown impact and attack vectors, aka Oracle Vuln# 10.1.0.4.
- CVE-2006-3705: Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB21 for Statistics and (2) DB22 for Upgrade & Downgrade. NOTE: as of 20060719, Oracle has not disputed a claim by a reliable researcher that DB21 is for a local SQL injection vulnerability in SYS.DBMS_STATS, and that DB22 is for SQL injection in SYS.DBMS_UPGRADE.
- CVE-2006-3706: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2.3 has unknown impact and attack vectors, aka Oracle Vuln# AS01.
- CVE-2006-3707: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2.3 and 9.0.3.1 has unknown impact and attack vectors, aka Oracle Vuln# AS02.
- CVE-2006-3708: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2.3, 9.0.3.1, 9.0.4.2, 10.1.2.0.2, and 10.1.2.1 has unknown impact and attack vectors, aka Oracle Vuln# AS03.
- CVE-2006-3709: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2.3, 9.0.3.1, and 10.1.2.0.0 has unknown impact and attack vectors, aka Oracle Vuln# AS04.
- CVE-2006-3710: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2.3, 9.0.3.1, 9.0.4.2, and 10.1.2.0.0 has unknown impact and attack vectors, aka Oracle Vuln# (1) AS05 and (2) AS08.
- CVE-2006-3711: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.2.3, 9.0.3.1, and 9.0.4.1 has unknown impact and attack vectors, aka Oracle Vuln# AS06.
- CVE-2006-3712: Unspecified vulnerability in OC4J for Oracle Application Server 9.0.4.2 and 10.1.2.0.0 has unknown impact and attack vectors, aka Oracle Vuln# AS07.
- CVE-2006-3713: Unspecified vulnerability in OC4J for Oracle Application Server 10.1.3.0 has unknown impact and attack vectors, aka Oracle Vuln# AS09.
- CVE-2006-3714: Unspecified vulnerability in OC4J for Oracle Application Server 10.1.2.0.2 and 10.1.2.1 has unknown impact and attack vectors, aka Oracle Vuln# AS10.
- CVE-2006-3715: Unspecified vulnerability in Calendar for Oracle Collaboration Suite 10.1.2 has unknown impact and attack vectors, aka Oracle Vuln# OCS01.
- CVE-2006-3716: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.10CU2 have unknown impact and attack vectors, aka Oracle Vuln# (1) APPS01 for Internet Expenses; (2) APPS02, (3) APPS05, (4) APPS06, (5) APPS07, (6) APPS08, (7) APPS09, and (8) APPS10 for Oracle Application Object Library; (9) APPS11, (10) APPS12, and (11) APPS13 for Oracle Applications Technology Stack; (12) APPS14 for Oracle Call Center Technology; (13) APPS15 for Oracle Common Applications; (14) APPS18 for Oracle Self-Service Web Applications; and (15) APPS19 for Oracle Workflow Cartridge.
- CVE-2006-3717: Multiple unspecified vulnerabilities in Oracle E-Business Suite and Applications 11.5.9 have unknown impact and attack vectors, aka Oracle Vuln# (1) APPS03 and (2) APPS04 for Oracle Application Object Library; and (3) APPS20 for Oracle XML Gateway.
- CVE-2006-3718: Multiple unspecified vulnerabilities in Oracle Exchange for Oracle E-Business Suite and Applications 6.2.4 have unknown impact and attack vectors, aka Oracle Vuln# (1) APPS16 and (2) APPS17.
- CVE-2006-3719: Unspecified vulnerability in CORE: Repository for Oracle Enterprise Manager 9.0.1.0 and 9.2.0.1 has unknown impact and attack vectors, aka Oracle Vuln# EM01.
- CVE-2006-3720: Unspecified vulnerability in Enterprise Config Management for Oracle Enterprise Manager 10.1.0.3 has unknown impact and attack vectors, aka Oracle Vuln# EM02.
- CVE-2006-3721: Multiple unspecified vulnerabilities in Oracle Management Service for Oracle Enterprise Manager 10.1.0.5 and 10.2.0.1 have unknown impact and attack vectors, aka Oracle Vuln# EM03 and EM04.
- CVE-2006-3722: Unspecified vulnerability in PeopleSoft Enterprise Portal for Oracle PeopleSoft Enterprise Portal 8.4 Bundle #16, 8.8 Bundle #10, and 8.9 Bundle #3 has unknown impact and attack vectors, aka Oracle Vuln# PSE01.
- CVE-2006-3723: Unspecified vulnerability in PeopleSoft Enterprise Portal for Oracle PeopleSoft Enterprise Portal 8.8 with Enforcer Portal Pack Bundle #10 and 8.9 Bundle #3 has unknown impact and attack vectors, aka Oracle Vuln# PSE02.
- CVE-2006-3724: Unspecified vulnerability in JD Edwards HTML Server for Oracle OneWorld Tools EnterpriseOne Tools 8.95 and 8.96 has unknown impact and attack vectors, aka Oracle Vuln# JDE01.
- SA21111: Oracle Products Multiple Vulnerabilities
- SA21165: HP Oracle for OpenView Multiple Vulnerabilities
- SECTRACK ID: 1016529: Oracle Database and Other Products Have Multiple Unspecified Vulnerabilities With Unspecified Impact
- US-CERT VU#932124: Oracle DBMS_EXPORT_EXTENSION package vulnerable to SQL injection
- VUPEN/ADV-2006-2863: Oracle Products Multiple Components SQL Injection and Security Bypass Vulnerabilities
- VUPEN/ADV-2006-2947: HP Oracle for OpenView (OfO) Multiple SQL Injection and Security Bypass Vulnerabilities
Reported:
Jul 18, 2006
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
