About Us | Contact Us
View Cart

Oracle SQL Injection Vulnerability

By Dan Hadaway | Tuesday, June 8, 2004 - Leave a Comment

A vulnerability in the Oracle E-Business Suite can allow a remote user to compromise the database and/or the server running hosting the database. This is a serious issue.

If you’re running Oracle you’re most likely vulnerable. This applies to all platforms running Oracle, versions are listed below, most are covered unless you’ve very recently upgraded.

There is a patch to apply.

Original post is below. Let us know if we can provide any assistance.

Technical Cyber Security Alert TA04-160A
SQL Injection Vulnerabilities in Oracle E-Business Suite

Original release date: June 8, 2004
Last revised: —
Source: US-CERT

Systems Affected

* Oracle Applications 11.0 (all releases)
* Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

A vulnerability in the Oracle’s E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.

I. Description

Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver
services, manufacture products, ship orders, collect payments, and
other tasks using a single database model.

According to the Oracle Security Alert 67, Oracle Applications 11.0
(all releases) and Oracle E-Business Suite Release 11i, 11.5.1 through
11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
E-Business Suite Release 11.5.9 and later are not vulnerable. This
vulnerability is not platform specific. Integrigy Corporation has also
released an alert about these vulnerabilities.

Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.

US-CERT is tracking this issue as VU#961579.

II. Impact

An unauthenticated attacker could exploit this vulnerability to
execute arbitrary SQL statements on the vulnerable system with the
privileges of the Oracle server process. In addition to compromising
the integrity of the database information, this may lead to the
compromise of the database application and the underlying operating
system.

III. Solution

Apply Patch or Upgrade

According to the Oracle Security Alert 67, patches and related
information are available from:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
t?p_database_id=NOT&p_id=274375.1

Appendix B. References

* http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
* http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
* http://www.kb.cert.org/vuls/id/961579

Posted in Vulnerability News

Latest News
    A Webinar-Movie In 2018 the NCUA started reviewing credit unions with $1 billion or more in assets using a tool known as the Automated Cybersecurity Examination Tool, or ACET. The expansion to smaller credit unions is inevitable. In the new year, credit unions should now think about how they can come into compliance with the […]
    What are the top seven risks your board should know about in 2021? Since his first board presentation in 2000, when Dan presents audit reports to boards of directors, he also talks to the board about the top risks the institution is facing. Since 2006, Dan has been compiling a list of the “top seven […]
    It’s time for another workshop for the technical side of the community-bank. The infotex Team brings you all new topics for 2021! Topics that are jam packed with all the techno-babble that is often lost on management, but is music to the Bank IT Geek’s ears. Time for a workshop where we can turn off the […]
     A Timeline Update as of 02/22/21 An update to our Newest Employee’s FIRST Technical Article Another interim post-mortem review . . . . A Note About Updates: We have decided to leave the original article as it was originally posted and to update this post with any changes that have been made. You can see […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    A Webinar-Movie The 2020 annual webinar update on the subject will include a review of the previous years’ movies that are already available, and a discussion about alternative tactics that have arisen from recent virtual conferences and regulator panels.
    The cybersecurity industry faces challenges, and some of them may involve your business… An article review. In a world where threats to your organization’s electronic assets are constantly emerging and evolving a cybersecurity insurance policy can help mitigate risk…but what kind of risk does the cybersecurity insurance industry face?  A new article in the Harvard […]
    A Timeline as of 01/24/2021 Our Newest Employee’s FIRST Technical Article Another interim post-mortem review . . . . A Note About Updates: We are leaving this article as is, but for any updates to the timeline, check the Autopsy of the SolarWinds Hack Timeline Update article!      – Vigilize Introduction: As the managing […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS FORUM AND CONFERENCE NEWS infotex is proud to announce that Dan Hadaway will be moderating a series of IT Forums for the Ohio Bankers League. “We are excited to continue fostering the relationship with the OBL to help educate and keep Risk Management at the forefront of […]
    Top 7 Trend Articles of 2021. . .  . . .For ISOs of Small Financial Institutions. Welcome to our annual T7 article:  a list of our favorite trend articles from the past year.  Our intent: help you organize your thoughts as your work through your strategic planning process.  We hope reviewing these articles will help you […]