FrSIRT - Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities / Exploit

French Security Incident Response Team

Français

English

Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities

Date de Publication : 2007-04-17 © FrSIRT.COM
Titre : Oracle Products Multiple Remote Command Execution and SQL Injection Vulnerabilities
Identifiant : FrSIRT/AVIS-2007-1426
CVE ID : CVE-2007-2108 - CVE-2007-2109 - CVE-2007-2110 - CVE-2007-2111 - CVE-2007-2112 - CVE-2007-2113 - CVE-2007-2114 - CVE-2007-2115 - CVE-2007-2116 - CVE-2007-2117 - CVE-2007-2118 - CVE-2007-2119 - CVE-2007-2120 - CVE-2007-2121 - CVE-2007-2122 - CVE-2007-2123 - CVE-2007-2124 - CVE-2007-2125 - CVE-2007-2126 - CVE-2007-2127 - CVE-2007-2128 - CVE-2007-2129 - CVE-2007-2130 - CVE-2007-2131 - CVE-2007-2132 - CVE-2007-2133 - CVE-2007-2134 - CVE-2007-2135 - CVE-2007-2170
Risque : Elevé (3/4) -

Exploitable à distance : Oui
Exploitable en local : Oui

En savoir plus

Description

Produits affectés

Solution

Références

Description Technique

Plusieurs vulnérabilités ont été identifiées dans des produits Oracle, elles pourraient être exploitées par des attaquants locaux ou distants afin de causer un déni de service, exécuter des commandes arbitraires, lire ou écraser des des fichiers arbitraires, conduire des attaques par injection SQL ou par cross site scripting, ou afin de contourner les mesures de sécurité [...]

Produits Affectés

Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.5
Oracle9i Database Release 2 version 9.2.0.7
Oracle9i Database Release 2 version 9.2.0.8
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle Secure Enterprise Search 10g Release 1 version 10.1.6
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.0.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.1.0
Oracle Application Server 10g Release 3 (10.1.3) version 10.1.3.2.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.1
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.0.2
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.1.0
Oracle Application Server 10g Release 2 (10.1.2) version 10.1.2.2.0
Oracle Application Server 10g (9.0.4) version 9.0.4.3
Oracle10g Collaboration Suite Release 1 version 10.1.2
Oracle E-Business Suite Release 11i versions 11.5.7 à 11.5.10 CU2
Oracle E-Business Suite Release 12 version 12.0.0
Oracle Enterprise Manager 9i Release 2 version 9.2.0.7
Oracle Enterprise Manager 9i Release 2 version 9.2.0.8
Oracle Enterprise Manager 9i version 9.0.1.5
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise Human Capital Management version 8.9
JD Edwards EnterpriseOne Tools version 8.96
JD Edwards OneWorld Tools SP23

Crédit

Vulnérabilités découvertes par Vicente Aguilera Diaz (Internet Security Auditors), Gerhard Eschelbeck (Qualys), Esteban Martinez Fayo (Application Security), Joxean Koret, Alexander Kornbrust (Red Database Security), David Litchfield et Paul M. Wright (Next Generation Security Software), noderat ratty, et TippingPoint Zero Day Initiative.

Historique

2007-04-17 : Version Initiale
2007-04-18 : MaJ Références

Recevez les bulletins FrSIRT

Le service FrSIRT VNS permet aux professionnels de la sécurité (RSSI, DSI, administrateurs et consultants) de recevoir en temps-réel, par email, SMS et flux RSS/XML, des bulletins de vulnérabilités complets, détaillés et personnalisés.

Recherche

Newsletter

	Apple Safari URL Spoofing and Denial of Service
	Apple Safari Code Execution and Cross Site Scripting Vulnerabilities
	Apple QuickTime Multiple File Handling Code Execution Vulnerabilities
	Apple Safari Memory Corruption and Address Bar Spoofing Vulnerabilities
	Apple Aperture and iPhoto DNG Image Buffer Overflow Vulnerability
	Apple AirPort Extreme AFP Request Denial of Service Vulnerability
	Apple Mac OS X Command Execution Vulnerabilities

	IBM Lotus Quickr WYSIWYG Editors Cross Site Scripting Vulnerability
	IBM Rational Build Forge Remote Denial of Service Vulnerability
	IBM WebSphere Application Server Java Plugin Vulnerability
	IBM Lotus Expeditor "cai:" URI Handler Command Injection Vulnerability
	IBM DB2 Universal Database Local Privilege Escalation Vulnerabilities
	IBM HTTP Server Multiple Cross Site Scripting Vulnerabilities
	IBM Lotus Notes Keyview Module Remote Buffer Overflow Vulnerabilities

	Microsoft Internet Explorer Printing Cross-Zone Scripting Vulnerability
	Microsoft Malware Protection Engine Remote DoS Vulnerability (MS08-029)
	Microsoft Publisher Object Handler Validation Vulnerability (MS08-027)
	Microsoft Office Multiple Code Execution Vulnerabilities (MS08-026)
	Microsoft Windows XP I2O Filter Privilege Escalation Vulnerability
	Microsoft Internet Explorer DisableCachingOfSSLPages Weakness
	Microsoft Windows CE Image Handling Code Execution Vulnerabilities