More than one hundred vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection attacks, or bypass security restrictions [...]
Affected Products
Oracle Database 10g Release 2 version 10.2.0.1
Oracle Database 10g Release 2 version 10.2.0.2
Oracle Database 10g Release 1 version 10.1.0.4
Oracle Database 10g Release 1 version 10.1.0.5
Oracle9i Database Release 2 version 9.2.0.6
Oracle9i Database Release 2 version 9.2.0.7
Oracle8i Database Release 3 version 8.1.7.4
Oracle Application Express (formerly called HTML DB) versions 1.5 through 2.0
Oracle Application Server 10g Release 3 version 10.1.3.0.0
Oracle Application Server 10g Release 2 versions 10.1.2.0.0 through 10.1.2.0.2
Oracle Application Server 10g Release 2 version 10.1.2.1.0
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.2
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.3
Oracle Collaboration Suite 10g Release 1 version 10.1.2.0
Oracle9i Collaboration Suite Release 2 version 9.0.4.2
Oracle E-Business Suite Release 11i versions 11.5.7 through 11.5.10 CU2
Oracle E-Business Suite Release 11.0
Oracle Pharmaceutical Applications versions 4.5.0 through 4.5.1
Oracle PeopleSoft Enterprise PeopleTools version 8.22
Oracle PeopleSoft Enterprise PeopleTools version 8.46
Oracle PeopleSoft Enterprise PeopleTools version 8.47
Oracle PeopleSoft Enterprise PeopleTools version 8.48
Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.8
Oracle PeopleSoft Enterprise Portal Solutions and Enterprise Portal version 8.9
JD Edwards EnterpriseOne Tools version 8.95
JD Edwards EnterpriseOne Tools version 8.96
JD Edwards OneWorld Tools SP23
Oracle Developer Suite versions 6i 9.0.4.1
Oracle Developer Suite versions 6i 9.0.4.2
Oracle Developer Suite versions 6i 9.0.4.3
Oracle Developer Suite versions 6i 10.1.2.0.2
Oracle Developer Suite versions 6i 10.1.2.2
Oracle9i Database Release 1 version 9.0.1.4
Oracle9i Database Release 1 version 9.0.1.5
Oracle9i Database Release 1 version 9.0.1.5 FIPS
Oracle9i Application Server Release 2 version 9.0.2.3
Oracle9i Application Server Release 2 version 9.0.3.1
Oracle9i Application Server Release 1 version 1.0.2.2
Oracle Database 10g Release 1 version 10.1.0.3
Oracle9i Database Release 2 version 9.2.0.5
Oracle Application Server 10g Release 1 (9.0.4) version 9.0.4.1
Credits
Vulnerabilities reported by Johannes Fahrenkrug, Sacha Faust (S.P.I. Dynamics), Esteban Martinez Fayo (Application Security), Alexander Kornbrust (Red Database Security GmbH), David Litchfield (Next Generation Security Software), and Andrew Maksimenko (COMEC-92).
ChangeLog
2006-10-17 : Initial release
Vulnerability Management
Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.
Feedback
If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.
French
