About Us | Contact Us
View Cart

Oracle SQL Injection Vulnerability

By Dan Hadaway | Tuesday, June 8, 2004 - Leave a Comment

A vulnerability in the Oracle E-Business Suite can allow a remote user to compromise the database and/or the server running hosting the database. This is a serious issue.

If you’re running Oracle you’re most likely vulnerable. This applies to all platforms running Oracle, versions are listed below, most are covered unless you’ve very recently upgraded.

There is a patch to apply.

Original post is below. Let us know if we can provide any assistance.

Technical Cyber Security Alert TA04-160A
SQL Injection Vulnerabilities in Oracle E-Business Suite

Original release date: June 8, 2004
Last revised: —
Source: US-CERT

Systems Affected

* Oracle Applications 11.0 (all releases)
* Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

A vulnerability in the Oracle’s E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.

I. Description

Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver
services, manufacture products, ship orders, collect payments, and
other tasks using a single database model.

According to the Oracle Security Alert 67, Oracle Applications 11.0
(all releases) and Oracle E-Business Suite Release 11i, 11.5.1 through
11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
E-Business Suite Release 11.5.9 and later are not vulnerable. This
vulnerability is not platform specific. Integrigy Corporation has also
released an alert about these vulnerabilities.

Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.

US-CERT is tracking this issue as VU#961579.

II. Impact

An unauthenticated attacker could exploit this vulnerability to
execute arbitrary SQL statements on the vulnerable system with the
privileges of the Oracle server process. In addition to compromising
the integrity of the database information, this may lead to the
compromise of the database application and the underlying operating
system.

III. Solution

Apply Patch or Upgrade

According to the Oracle Security Alert 67, patches and related
information are available from:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
t?p_database_id=NOT&p_id=274375.1

Appendix B. References

* http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
* http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
* http://www.kb.cert.org/vuls/id/961579

Posted in Vulnerability News

Latest News
      Alternatives From 2020 Conferences The 2020 Update Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Each year as we go to various conferences throughout the Midwest ranging in scope; from small banker conferences that Dan himself moderates, to hacker conferences like Defcon.  We […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    The IBA Presents an infotex Workshop: Tech-Shop (A Virtual Workshop for Banks IT Geeks) Live Workshop Time for a workshop for the technical side of the community-bank. Time for a workshop full of command lines and configurations, acronyms we are forbidden to use around management, and even dark-web jokes. Time for a workshop where we […]
    An Analogy… …About Taking Better Notes Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . An interesting set of metaphors arose out of our efforts to improve our time management practices at infotex.  In the spirit of sound strategic planning, we as a team decided […]
    A Webinar-Movie In our current world of uncertainty there is at least one thing that is certain. Business needs to continue, and that means that it is important for managers to be able to meet with their team even if everyone is working remotely at this point. In this Webinar-Movie, Dan will compare virtual meeting […]