Technical Description

Multiple vulnerabilities have been identified in various Oracle products, which could be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, read and overwrite arbitrary data, disclose sensitive information, conduct SQL injection and cross site scripting attacks, or bypass security restrictions. These issues are caused by errors in the Import, Export, Oracle Text, Spatial, Workspace Manager, Advanced Security Option, Core RDBMS, Database Control, Oracle Database Vault, Oracle Net Services, XML DB, Oracle Internet Directory, Oracle Help for Web, Advanced Queuing, SQL Execution, Oracle Process Mgmt & Notification, Oracle Portal, Oracle HTTP Server, Oracle Containers for J2EE, Oracle Single Sign-On, Oracle Application Object Library, Oracle Contracts Integration, Oracle Public Sector Human Resources, Oracle Marketing, Oracle Quoting, Oracle Exchange and Oracle Self-Service Web Applications components.

Credits

Vulnerabilities reported by Esteban Martinez Fayo (Application Security), Johannes Greil (SEC Consult), Joxean Koret, Zero Day Initiative, Alexander Kornbrust (Red Database Security) and David Litchfield (Next Generation Security Software).

ChangeLog

2007-10-17 : Initial release

Vulnerability Management

Subscribe to FrSIRT VNS and receive real-time e-mail and SMS alerts when new vulnerabilities, exploits, or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form or by email to updates@frsirt.com.