Oracle Critical Patch Update - July 2007

oracle-cpu-july2007 (35490). The risk level is classified as High Risk.

Description:

Oracle Critical Patch Update - July 2007 contains fixes for multiple security vulnerabilities affecting various Oracle products and components. These vulnerabilities include multiple SQL injection issues and multiple unspecified issues that have an unknown impact and remote attack vector.
Consequences:

Informational

Remedy:

Refer to Oracle Critical Patch Update - July 2007 for patch, upgrade, or suggested workaround information. See References.

References:

  • HPSBMA02133 SSRT061201 rev.5: HP Oracle for OpenView (OfO) Critical Patch Update.
  • IBM Internet Security Systems X-Force Database: Oracle Application Express CHECK_DB_PASSWORD SQL injection.
  • IBM Internet Security Systems X-Force Database: Oracle Database MDSYS.MD multiple buffer overflows.
  • IBM Internet Security Systems X-Force Database: Oracle Database DBMS_DRS GET_PROPERTY buffer overflow.
  • IBM Internet Security Systems X-Force Database: Oracle Database SQL Compiler unauthorized View access.
  • IBM Internet Security Systems X-Force Database: Oracle Database SYS.DBMS_PRVTAQIS SQL injection.
  • iMPERVA Web site: Oracle EBS - XSS Vulnerability.
  • Oracle Critical Patch Update - July 2007: Oracle Critical Patch Update Advisory - July 2007.
  • Red-Database-Security Web site: Details Oracle Critical Patch Update July 2007 - V1.01.
  • CVE-2007-3853: Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 10.2.0.3 allow remote authenticated users to have unknown impact via (1) DBMS_JAVA_TEST in the JavaVM component (DB01), (2) Oracle Text component (DB09), and (3) MDSYS.SDO_GEOR_INT in the Spatial component (DB15). NOTE: a reliable researcher claims that DB01 is SQL injection in DBMS_PRVTAQIS.
  • CVE-2007-3854: Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.7, and 10.1.0.5 allow remote authenticated users to have unknown impact via (1) SYS.DBMS_PRVTAQIS in the Advanced Queuing component (DB02) and (2) MDSYS.MD in the Spatial component (DB12). NOTE: Oracle has not disputed reliable researcher claims that DB02 is for SQL injection and DB12 is for a buffer overflow.
  • CVE-2007-3855: Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 allow remote authenticated users to have an unknown impact via (1) SYS.DBMS_DRS in the DataGuard component (DB03), (2) SYS.DBMS_STANDARD in the PL/SQL component (DB10), (3) MDSYS.RTREE_IDX in the Spatial component (DB16), and (4) SQL Compiler (DB17). NOTE: a reliable researcher claims that DB17 is for using Views to perform unauthorized insert, update, or delete actions.
  • CVE-2007-3856: Unspecified vulnerability in the Oracle Data Mining component for Oracle Database 10g Release 2 10.2.0.2 and 10.2.0.3, 10g 10.1.0.5, and Oracle9i Database Release 2 9.2.0.7, 9.2.0.8, and 9.2.0.8DV has unknown impact and remote authenticated attack vectors related to DMSYS.DMP_SYS, aka DB04.
  • CVE-2007-3857: Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 allow remote authenticated users to have an unknown impact via (a) the Oracle Text component, including (1) unspecified vectors (DB05), (2) CTXSYS.DRVXMD (DB06), (3) CTXSYS.DRI_MOVE_CTXSYS (DB07), (4) CTXSYS.DRVXMD (DB08), and (b) JavaVM (DB14).
  • CVE-2007-3858: Multiple unspecified vulnerabilities in Oracle Database 10.2.0.3 allow remote authenticated users to have an unknown impact via (1) EXFSYS.DBMS_RLMGR_UTL in Rules Manager (DB11) and (2) Program Interface (DB13).
  • CVE-2007-3859: Unspecified vulnerability in the Oracle Internet Directory component for Oracle Database 9.2.0.8 and 9.2.0.8DV; Application Server 9.0.4.3, 10.1.2.0.2, and 10.1.2.2; and Collaboration Suite 10.1.2 has unknown impact and remote attack vectors, aka OID01.
  • CVE-2007-3860: Unspecified vulnerability in Oracle Application Express (formerly Oracle HTML DB) 2.2.0.00.32 up to 3.0.0.00.20 allows developers to have an unknown impact via unknown attack vectors, aka APEX01. NOTE: a reliable researcher states that this is SQL injection in the wwv_flow_security.check_db_password function due to insufficient checks for '"' characters.
  • CVE-2007-3861: Unspecified vulnerability in Oracle Jdeveloper in Oracle Application Server 10.1.2.2 and Collaboration Suite 10.1.2 allows context-dependent attackers to have an unknown impact via custom applications that use JBO.KEY, aka JDEV01.
  • CVE-2007-3862: Unspecified vulnerability in Oracle Application Server 9.0.4.3 and 10.1.2.0.2 allows remote attackers to have an unknown impact via Oracle Single Sign On, aka AS01.
  • CVE-2007-3863: Unspecified vulnerability in Oracle JDeveloper for Application Server 10.1.2.2 and 10.1.3.1, and Collaboration Suite 10.1.2, allows context-dependent attackers to have an unknown impact via custom applications that use JBO.SERVER, aka JDEV02.
  • CVE-2007-3864: Multiple unspecified vulnerabilities in Oracle Collaboration Suite 10.1.2 have unknown impact and remote attack vectors via (1) Instant Messaging/Presence (OCS01) and (2) Oracle Single Sign On (AS02).
  • CVE-2007-3865: Unspecified vulnerability in the Oracle Customer Intelligence component in Oracle E-Business Suite 12.0.1 has unknown impact and remote attack vectors, aka APPS01.
  • CVE-2007-3866: Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10CU2 and 12.0.1 allow remote attackers to have an unknown impact via (a) Oracle Configurator (APPS02), (b) Oracle iExpenses (APPS03), (c) Oracle Application Object Library (APPS09), and (1) APPS12, (2) APPS13, and (3) APPS14 in (d) Oracle Payables.
  • CVE-2007-3867: Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10CU2 have unknown impact and attack vectors, related to (1) APPS04, (2) APPS05, and (3) APPS06 in (a) Oracle Application Object Library, (4) APPS07 in Oracle Customer Intelligence, (5) APPS08 in Oracle Payments, (7) APPS10 in Oracle Human Resources, and (8) APPS11 in iRecruitment.
  • CVE-2007-3868: Multiple unspecified vulnerabilities in PeopleTools in Oracle PeopleSoft Enterprise 8.22.15, 8.47.13, 8.48.10, and 8.49.02 allow remote authenticated users or attackers to have an unknown impact via multiple vectors, aka (1) PSE01, (2) PSE02, and (3) PSE03.
  • CVE-2007-3869: Multiple unspecified vulnerabilities in the Customer Relationship Management Online Marketing component in Oracle PeopleSoft Enterprise 8.9 Bundle 26 and 9.0 Bundle 7 allow remote authenticated users to have an unknown impact, aka (1) PSE04 and (2) PSE05.
  • CVE-2007-3870: Multiple unspecified vulnerabilities in the Human Capital Management component in Oracle PeopleSoft Enterprise 8.9 Bundle 11 allow local users to have unknown impact via unknown vectors, aka (1) PSE06 and (2) PSE07.
  • OSVDB ID: 39962: Oracle PeopleSoft PeopleTools App Designer Component Unspecified Remote Issue
  • OSVDB ID: 39963: Oracle PeopleSoft PeopleTools Reporting Run Control Parameters Unspecified Remote Issue
  • OSVDB ID: 39964: Oracle PeopleSoft PeopleTools PIA Component Unspecified XSS (PSE03)
  • OSVDB ID: 39965: Oracle PeopleSoft Customer Relationship Management Online Marketing Unspecified Cleartext Password Disclosure
  • OSVDB ID: 39966: Oracle PeopleSoft Customer Relationship Management Online Marketing HTTP Unspecified Remote Issue (PSE05)
  • OSVDB ID: 39967: Oracle PeopleSoft Human Capital Management Unspecified Local Issue
  • OSVDB ID: 39968: Oracle PeopleSoft Human Capital Management Unspecified Local Information Disclosure
  • OSVDB ID: 39969: Oracle Instant Messaging/Presence HTTP Unspecified Remote Issue
  • OSVDB ID: 39971: Oracle Application Server Single Sign On (SSO) HTTP Unspecified Remote Issue
  • OSVDB ID: 39972: Oracle JDeveloper JBO.KEY Unspecified Remote DoS
  • OSVDB ID: 39973: Oracle JDeveloper JBO.SERVER HTTP Unspecified Local Issue
  • OSVDB ID: 39974: Oracle Internet Directory LDAP Unspecified Remote Information Disclosure
  • OSVDB ID: 39975: Oracle Database JavaVM DBMS_JAVA_TEST DBMS_PRVTAQIS SQL Injection
  • OSVDB ID: 39978: Oracle Database Data Mining DMSYS.DMP_SYS Unspecified Remote Issue
  • OSVDB ID: 39983: Oracle Database Text Session Creation Unspecified Remote Issue (DB05)
  • OSVDB ID: 39984: Oracle Database Text CTXSYS.DRVXMD Unspecified Remote Issue
  • OSVDB ID: 39985: Oracle Database Text CTXSYS.DRI_MOVE_CTXSYS Unspecified Remote Issue
  • OSVDB ID: 39986: Oracle Database Text CTXSYS.DRVXMD Unspecified Remote Issue
  • OSVDB ID: 39987: Oracle Database Text Session Creation Unspecified Remote Issue (DB09)
  • OSVDB ID: 39990: Oracle Database Rules Manager EXFSYS.DBMS_RLMGR_UTL Unspecified Remote Issue
  • OSVDB ID: 39992: Oracle Database Program Interface Unspecified Remote DoS
  • OSVDB ID: 39993: Oracle Database JavaVM Unspecified Remote Issue
  • OSVDB ID: 39994: Oracle Database Spatial MDSYS.SDO_GEOR_INT Unspecified Remote DoS
  • OSVDB ID: 39998: Oracle E-Business Suite Customer Intelligence Unspecified Remote Unauthenticated Issue
  • OSVDB ID: 39999: Oracle E-Business Suite Configurator HTTP Unspecified Remote Issue
  • OSVDB ID: 40000: Oracle E-Business Suite iExpenses HTTP Unspecified Remote Issue
  • OSVDB ID: 40001: Oracle E-Business Suite Application Object Library HTTP Unspecified Remote Information Disclosure (APPS04)
  • OSVDB ID: 40002: Oracle E-Business Suite Application Object Library HTTP Unspecified Remote Information Disclosure (APPS05)
  • OSVDB ID: 40003: Oracle E-Business Suite Application Object Library HTTP Unspecified Remote Information Disclosure (APPS06)
  • OSVDB ID: 40004: Oracle E-Business Suite Customer Intelligence Unspecified Remote Information Disclosure
  • OSVDB ID: 40005: Oracle E-Business Suite Payments Unspecified Remote Information Disclosure
  • OSVDB ID: 40006: Oracle E-Business Suite Application Object Library Unspecified Remote Information Disclosure
  • OSVDB ID: 40007: Oracle E-Business Suite Human Resources Unspecified Remote Information Disclosure
  • OSVDB ID: 40008: Oracle E-Business Suite iRecruitment Administrator Unspecified Remote Information Disclosure
  • OSVDB ID: 40009: Oracle E-Business Suite Payables Payable User Unspecified Remote Information Disclosure (APPS12)
  • OSVDB ID: 40010: Oracle E-Business Suite Payables Payable User Unspecified Remote Information Disclosure (APPS13)
  • OSVDB ID: 40011: Oracle E-Business Suite Payables Payable User Unspecified Remote Information Disclosure (APPS14)
  • SECTRACK ID: 1018415: Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact
  • US-CERT VU#322460: Oracle Collaboration Suite denial of service vulnerability

Platforms Affected:

  • Oracle Application Server 1.0.2.2
  • Oracle Application Server 10.1.2.0.1 R2
  • Oracle Application Server 10.1.2.0.2 R2
  • Oracle Application Server 10.1.2.1.0 R2
  • Oracle Application Server 10.1.2.2.0 R2
  • Oracle Application Server 10.1.3.0.0 R3
  • Oracle Application Server 10.1.3.1.0 R3
  • Oracle Application Server 10.1.3.2.0 R3
  • Oracle Application Server 10.1.3.3.0 R3
  • Oracle Application Server 9.0.4.3
  • Oracle Collaboration Suite 10.1.2 R1
  • Oracle Database Server 10.1.0.5 R1
  • Oracle Database Server 10.2.0.2 R2
  • Oracle Database Server 10.2.0.3 R2
  • Oracle Database Server 9.0.1.5 FIPS+
  • Oracle Database Server 9.2.0.7 R2
  • Oracle Database Server 9.2.0.8 R2
  • Oracle Database Server 9.2.0.8DV R2
  • Oracle E-Business Suite 11.5.10
  • Oracle E-Business Suite 11.5.10 CU2
  • Oracle E-Business Suite 11.5.8
  • Oracle E-Business Suite 11.5.9
  • Oracle E-Business Suite 12.0.0
  • Oracle E-Business Suite 12.0.1
  • Oracle HTTP Server 9.2.0
  • Oracle PeopleSoft Enterprise Customer Relationship Management 8.9
  • Oracle PeopleSoft Enterprise Customer Relationship Management 9.0
  • Oracle PeopleSoft Enterprise Human Capital Management 8.9
  • Oracle PeopleSoft Enterprise Human Capital Management 9.0
  • Oracle PeopleSoft Enterprise PeopleTools 8.22
  • Oracle PeopleSoft Enterprise PeopleTools 8.47
  • Oracle PeopleSoft Enterprise PeopleTools 8.48
  • Oracle PeopleSoft Enterprise PeopleTools 8.49
  • Oracle Secure Enterprise Search 10.1.6
  • Oracle Secure Enterprise Search 10.1.8

Reported:

Jul 17, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@us.ibm.com