Oracle Critical Patch Update - April 2008

oracle-cpu-april-2008 (41858) The risk level is classified as HighHigh Risk

Description:

Oracle Critical Patch Update - April 2008 contains fixes for multiple security vulnerabilities affecting various Oracle products and components. These vulnerabilities include multiple SQL injection issues and multiple unspecified issues that have an unknown impact and remote attack vector.

Platforms Affected:

  • Oracle, APEX 3.0.1
  • Oracle, Application Server 1.0.2.2
  • Oracle, Application Server 10.1.2.0.2 R2
  • Oracle, Application Server 10.1.2.1.0 R2
  • Oracle, Application Server 10.1.2.2.0 R2
  • Oracle, Application Server 10.1.3.1.0 R3
  • Oracle, Application Server 10.1.3.3.0 R3
  • Oracle, Application Server 9.0.4.3
  • Oracle, Collaboration Suite 10.1.2 R1
  • Oracle, Database Server 10.1.0.5
  • Oracle, Database Server 10.2.0.2 R2
  • Oracle, Database Server 10.2.0.3 R2
  • Oracle, Database Server 11.1.0.6
  • Oracle, Database Server 9.0.1.5 FIPS+
  • Oracle, Database Server 9.2.0.8 R2
  • Oracle, Database Server 9.2.0.8DV R2
  • Oracle, E-Business Suite 11.5.10.2
  • Oracle, E-Business Suite 12.0.4
  • Oracle, Jinitiator 1.3.1.14
  • Oracle, Peoplesoft Enterprise Human Capital Management 8.8 SP1
  • Oracle, PeopleSoft Enterprise Human Capital Management 8.9
  • Oracle, PeopleSoft Enterprise Human Capital Management 9.0
  • Oracle, PeopleSoft Enterprise PeopleTools 8.22.19
  • Oracle, PeopleSoft Enterprise PeopleTools 8.48.16
  • Oracle, PeopleSoft Enterprise PeopleTools 8.49.09
  • Oracle, Siebel SimBuilder 7.8.2
  • Oracle, Siebel SimBuilder 7.8.5

Remedy:

Refer to Oracle Critical Patch Update - April 2008 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Apply the appropriate update for your system. See References.

Consequences:

Informational

References:

  • HPSBMA02133 SSRT061201 rev.8, HP Oracle for OpenView (OfO) Critical Patch Update at http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c00727143.
  • IBM Internet Security Systems X-Force Database, Oracle Database Core RDBMS component Create Session unspecified at http://xforce.iss.net/xforce/xfdb/41992.
  • IBM Internet Security Systems X-Force Database, Oracle Application Express privilege escalation at http://xforce.iss.net/xforce/xfdb/41988.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Advanced Pricing component unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42056.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Advanced Pricing component unspecified at http://xforce.iss.net/xforce/xfdb/42057.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Application Object Library unspecified denial of service at http://xforce.iss.net/xforce/xfdb/42059.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Applications Manager unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42060.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Application Object Library unspecified at http://xforce.iss.net/xforce/xfdb/42061.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Applications Technology Stack component unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42062.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Advanced Pricing component unspecified at http://xforce.iss.net/xforce/xfdb/42063.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Application Object Library component unspecified at http://xforce.iss.net/xforce/xfdb/42064.
  • IBM Internet Security Systems X-Force Database, Oracle PeopleSoft Enterprise PeopleTools unspecified at http://xforce.iss.net/xforce/xfdb/42065.
  • IBM Internet Security Systems X-Force Database, Oracle PeopleSoft Enterprise HCM Recruiting component unspecified privilege escalation at http://xforce.iss.net/xforce/xfdb/42066.
  • IBM Internet Security Systems X-Force Database, Oracle PeopleSoft Enterprise HCM ePerformance component unspecified privilege escalation at http://xforce.iss.net/xforce/xfdb/42067.
  • IBM Internet Security Systems X-Force Database, Oracle Siebel SimBuilder multiple unspecified unauthorized access at http://xforce.iss.net/xforce/xfdb/42068.
  • IBM Internet Security Systems X-Force Database, Oracle Siebel SimBuilder unspecified unauthorized access at http://xforce.iss.net/xforce/xfdb/42069.
  • IBM Internet Security Systems X-Force Database, Oracle Siebel SimBuilder unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42070.
  • IBM Internet Security Systems X-Force Database, Oracle Siebel SimBuilder multiple unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42071.
  • IBM Internet Security Systems X-Force Database, Oracle Enterprise Manager unspecified privilege escalation at http://xforce.iss.net/xforce/xfdb/41989.
  • IBM Internet Security Systems X-Force Database, Oracle Database Advanced Queuing component SYS.DBMS_AQ unspecified at http://xforce.iss.net/xforce/xfdb/41991.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Advanced Pricing component unspecified at http://xforce.iss.net/xforce/xfdb/42055.
  • IBM Internet Security Systems X-Force Database, Oracle Database Spatial component SDO_GEOM SQL injection at http://xforce.iss.net/xforce/xfdb/41993.
  • IBM Internet Security Systems X-Force Database, Oracle Database Direct Path Export information disclosure at http://xforce.iss.net/xforce/xfdb/41994.
  • IBM Internet Security Systems X-Force Database, Oracle Database Query Optimizer component DBMS_STATS default password reset at http://xforce.iss.net/xforce/xfdb/41995.
  • IBM Internet Security Systems X-Force Database, Oracle Secure Enterprise Search and Ultrasearch WKSYS unspecified at http://xforce.iss.net/xforce/xfdb/41997.
  • IBM Internet Security Systems X-Force Database, Oracle Database Change Data Capture component DBMS_CDC_UTILITY unspecified at http://xforce.iss.net/xforce/xfdb/41998.
  • IBM Internet Security Systems X-Force Database, Oracle Database Spatial component SDO_UTIL SQL injection at http://xforce.iss.net/xforce/xfdb/41999.
  • IBM Internet Security Systems X-Force Database, Oracle Database Audit component unspecified at http://xforce.iss.net/xforce/xfdb/42000.
  • IBM Internet Security Systems X-Force Database, Oracle Database Spatial component SDO_IDX SQL injection at http://xforce.iss.net/xforce/xfdb/42001.
  • IBM Internet Security Systems X-Force Database, Oracle Database Core RDBMS component information disclosure at http://xforce.iss.net/xforce/xfdb/42002.
  • IBM Internet Security Systems X-Force Database, Oracle Database Authentication component unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42031.
  • IBM Internet Security Systems X-Force Database, Oracle Database Net Services component unspecified privilege escalation at http://xforce.iss.net/xforce/xfdb/42033.
  • IBM Internet Security Systems X-Force Database, Oracle Database Data Pump component unspecified denial of service at http://xforce.iss.net/xforce/xfdb/42036.
  • IBM Internet Security Systems X-Force Database, Oracle Database Advanced Queuing component unspecified denial of service at http://xforce.iss.net/xforce/xfdb/42037.
  • IBM Internet Security Systems X-Force Database, Oracle Application Express unspecified unauthorized access at http://xforce.iss.net/xforce/xfdb/42041.
  • IBM Internet Security Systems X-Force Database, Oracle Jinitiator unspecified unauthorized access at http://xforce.iss.net/xforce/xfdb/42045.
  • IBM Internet Security Systems X-Force Database, Oracle Application Server Dynamic Monitoring Service unspecified at http://xforce.iss.net/xforce/xfdb/42050.
  • IBM Internet Security Systems X-Force Database, Oracle Application Server Portal component unspecified at http://xforce.iss.net/xforce/xfdb/42051.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Advanced Pricing component unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42053.
  • IBM Internet Security Systems X-Force Database, Oracle E-Business Suite Applications Framework component unspecified information disclosure at http://xforce.iss.net/xforce/xfdb/42054.
  • Oracle Critical Patch Update - April 2008, Oracle Critical Patch Update Advisory - April 2008 at http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html.
  • BID-28725: Oracle April 2008 Critical Patch Update Multiple Vulnerabilities
  • CVE-2008-1811: Unspecified vulnerability in Oracle Application Express 3.0.1 has unspecified impact and remote authenticated attack vectors related to flows_030000.wwv_execute_immediate, aka APEX01. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that APEX01 is for insufficient authorization checks for SQL commands in the run_ddl function in flows_030000.wwv_execute_immediate, allowing privilege escalation by certain non-DBA remote authenticated users.
  • CVE-2008-1812: Unspecified vulnerability in the Oracle Enterprise Manager component in Oracle Database 9.0.1.5 FIPS+; Application Server 1.0.2.2; and Enterprise Manager for AS 1.0.2.2 and Database 9.0.1.5 has unknown impact and local attack vectors, aka EM01.
  • CVE-2008-1813: Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3 have unknown impact and remote unauthenticated or authenticated attack vectors related to (1) SYS.DBMS_AQ in the Advanced Queuing component, aka DB01; (2) Core RDBMS, aka DB03; (3) SDO_GEOM in Oracle Spatial, aka DB06; (4) Export, aka DB12; and (5) DBMS_STATS in Query Optimizer, aka DB13. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB06 is SQL injection, and DB13 occurs when the OUTLN account is reset to use a hard-coded password.
  • CVE-2008-1814: Unspecified vulnerability in the Oracle Secure Enterprise Search or Ultrasearch component in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, and 10.2.0.3; Application Server 9.0.4.3 and 10.1.2.2; and Oracle Collaboration Suite 10.1.2; haas unknown impact and remote attack vectors, aka DB04.
  • CVE-2008-1815: Unspecified vulnerability in the Change Data Capture component in Oracle Database 10.1.0.5, 10.2.0.3, and 11.1.0.6 has unknown impact and remote authenticated attack vectors related to DBMS_CDC_UTILITY, aka DB02. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that DB02 is for SQL injection in LOCK_CHANGE_SET.
  • CVE-2008-1816: Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 and 10.2.0.3 have unknown impact and remote authenticated attack vectors related to (1) SDO_UTIL in the Oracle Spatial component, aka DB05; or (2) fine grained auditing in the Audit component, aka DB14. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB05 is SQL injection.
  • CVE-2008-1817: Multiple unspecified vulnerabilities in Oracle Database 9.0.1.5 FIPS+, 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.3, and 11.1.0.6 have unknown impact and remote attack vectors related to (1) SDO_IDX in the Spatial component, aka DB07; and (2) Core RDBMS, aka DB10. NOTE: the previous information was obtained from the Oracle CPU. Oracle has not commented on reliable researcher claims that DB07 is SQL injection.
  • CVE-2008-1818: Unspecified vulnerability in the Authentication component in Oracle Database 11.1.0.6 has unknown impact and remote attack vectors, aka DB08.
  • CVE-2008-1819: Unspecified vulnerability in the Oracle Net Services component in Oracle Database 9.2.0.8, 10.1.0.5, and 10.2.0.3 has unknown impact and local attack vectors, aka DB09.
  • CVE-2008-1820: Unspecified vulnerability in the Data Pump component in Oracle Database 9.2.0.8, 10.1.0.5, 10.2.0.3, and 11.1.0.6 has unknown impact and remote attack vectors related to KUPF$FILE_INT, aka DB11. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that DB11 is for a buffer overflow in the SYS.KUPF$FILE_INT.GET_FULL_FILENAME procedure.
  • CVE-2008-1821: Unspecified vulnerability in the Advanced Queuing component in Oracle Database 9.0.1.5 FIPS+, and 10.1.0.5 has unknown impact and remote attack vectors related to SYS.DBMS_AQJMS_INTERNAL, aka DB15. NOTE: the previous information was obtained from the April 2008 CPU. Oracle has not commented on reliable researcher claims that DB15 is for multiple buffer overflows in the (1) AQ$_REGISTER and (2) AQ$_UNREGISTER procedures.
  • CVE-2008-1822: Unspecified vulnerability in the Oracle Application Express component in Oracle Application Express 3.0.1 has unknown impact and remote attack vectors, aka APEX02.
  • CVE-2008-1823: Unspecified vulnerability in the Oracle Jinitiator component in Oracle Application Server 1.3.1.14 has unknown impact and remote attack vectors, aka AS01.
  • CVE-2008-1824: Unspecified vulnerability in the Oracle Dynamic Monitoring Service component in Oracle Application Server 9.0.4.3, 10.1.2.2, and 10.1.3.3 has unknown impact and remote attack vectors, aka AS02.
  • CVE-2008-1825: Unspecified vulnerability in the Oracle Portal component in Oracle Application Server 9.0.4.3 has unknown impact and remote attack vectors, aka AS03.
  • CVE-2008-1826: Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10.2 have unknown impact and attack vectors related to (a) Advanced Pricing, aka (1) APP01 and (2) APP10; and (b) Applications Framework, aka (3) APP05.
  • CVE-2008-1827: Multiple unspecified vulnerabilities in Oracle E-Business Suite 11.5.10.2 and 12.0.4 have unknown impact and attack vectors related to (a) Advanced Pricing component, aka (1) APP02, (2) APP03, and (3) APP09; (b) Application Object Library component, aka (4) APP04, (5) APP07, and (6) APP11; (c) Applications Manager component, aka (7) APP06; (d) and Applications Technology Stack component, aka (8) APP08.
  • CVE-2008-1828: Unspecified vulnerability in the PeopleSoft PeopleTools component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.22.19, 8.48.16, and 8.49.09 has unknown impact and remote authenticated attack vectors, aka PSE01.
  • CVE-2008-1829: Unspecified vulnerability in the PeopleSoft HCM Recruiting component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.8 SP1 has unknown impact and local attack vectors, aka PSE02.
  • CVE-2008-1830: Unspecified vulnerability in the PeopleSoft HCM ePerformance component in Oracle PeopleSoft Enterprise and JD Edwards EnterpriseOne 8.9 and 9.0 has unknown impact and local attack vectors, aka PSE03.
  • CVE-2008-1831: Multiple unspecified vulnerabilities in the Siebel SimBuilder component in Oracle Siebel Enterprise 7.8.2 and 7.8.5 have unknown impact and remote or local attack vectors, aka (1) SEBL01, (2) SEBL02, (3) SEBL03, (4) SEBL04, (5) SEBL05, and (6) SEBL06.
  • FrSIRT/ADV-2008-1233: Oracle Products Command Execution and SQL Injection Vulnerabilities
  • SA29829: Oracle Products Multiple Vulnerabilities
  • SECTRACK ID: 1019855: Oracle Database and Other Products Have Unspecified Vulnerabilities With Unspecified Impact

Reported:

Apr 15, 2008

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page