About Us | Contact Us
View Cart

Oracle SQL Injection Vulnerability

By Dan Hadaway | Tuesday, June 8, 2004 - Leave a Comment

A vulnerability in the Oracle E-Business Suite can allow a remote user to compromise the database and/or the server running hosting the database. This is a serious issue.

If you’re running Oracle you’re most likely vulnerable. This applies to all platforms running Oracle, versions are listed below, most are covered unless you’ve very recently upgraded.

There is a patch to apply.

Original post is below. Let us know if we can provide any assistance.

Technical Cyber Security Alert TA04-160A
SQL Injection Vulnerabilities in Oracle E-Business Suite

Original release date: June 8, 2004
Last revised: —
Source: US-CERT

Systems Affected

* Oracle Applications 11.0 (all releases)
* Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

A vulnerability in the Oracle’s E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.

I. Description

Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver
services, manufacture products, ship orders, collect payments, and
other tasks using a single database model.

According to the Oracle Security Alert 67, Oracle Applications 11.0
(all releases) and Oracle E-Business Suite Release 11i, 11.5.1 through
11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
E-Business Suite Release 11.5.9 and later are not vulnerable. This
vulnerability is not platform specific. Integrigy Corporation has also
released an alert about these vulnerabilities.

Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.

US-CERT is tracking this issue as VU#961579.

II. Impact

An unauthenticated attacker could exploit this vulnerability to
execute arbitrary SQL statements on the vulnerable system with the
privileges of the Oracle server process. In addition to compromising
the integrity of the database information, this may lead to the
compromise of the database application and the underlying operating
system.

III. Solution

Apply Patch or Upgrade

According to the Oracle Security Alert 67, patches and related
information are available from:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
t?p_database_id=NOT&p_id=274375.1

Appendix B. References

* http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
* http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
* http://www.kb.cert.org/vuls/id/961579

Posted in Vulnerability News

Leave a comment

(required)

(required) [will not be published]

Solve this Captcha * Time limit is exhausted. Please reload CAPTCHA.

Latest News