Security Advisory
  • Oracle Database Multiple Vulnerabilities
Reported Date: 13-01-10
Rated Level: Critical
Impact: DoS, Exposure of Sensitive Information, Manipulation, System Access, Remotely Exploitable
Affected Software: Oracle Database 10.x
Oracle Database 11.x
Oracle9i Database Enterprise Edition
Oracle9i Database Standard Edition
Description: Some vulnerabilities have been reported in Oracle Database, which can be exploited by malicious users to manipulate certain data, disclose potentially sensitive information, or compromise a vulnerable system, and by malicious people to compromise a vulnerable system.

1) An error in the Listener component can be exploited to e.g. execute arbitrary code when running on the Windows platform.

2) An error in the Oracle OLAP component can be exploited by authenticated users to execute arbitrary code.

3) An error in the Application Express Application Builder component can be exploited by authenticated users to disclose or manipulate certain data.

4) An error in the Oracle Data Pump component can be exploited by authenticated users to disclose or manipulate certain data.

5) An error in the Oracle Spatial component can be exploited by authenticated users to disclose or manipulate certain data.

6) An error in the Logical Standby component can be exploited by authenticated users to manipulate certain data.

7) An error in the RDBMS component can be exploited by authenticated users to disclose or manipulate certain data.

8) An error in the Oracle Spatial component can be exploited by authenticated users to disclose or manipulate certain data.

9) An error in the Unzip component can be exploited by authenticated, local users to disclose certain data.

The vulnerabilities are reported in the following products and versions:
* Oracle Database 11g version 11.1.0.7
* Oracle Database 10g Release 2 versions 10.2.0.3 and 10.2.0.4
* Oracle Database 10g version 10.1.0.5
* Oracle Database 9i Release 2 versions 9.2.0.8 and 9.2.0.8DV


Solution: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2010.html
Feedback: If you have additional information or corrections for this security advisory please contact us at advisory(at)triviasecurity.org