Oracle SQL Injection Vulnerability

A vulnerability in the Oracle E-Business Suite can allow a remote user to compromise the database and/or the server running hosting the database. This is a serious issue.

If you’re running Oracle you’re most likely vulnerable. This applies to all platforms running Oracle, versions are listed below, most are covered unless you’ve very recently upgraded.

There is a patch to apply.

Original post is below. Let us know if we can provide any assistance.

Technical Cyber Security Alert TA04-160A
SQL Injection Vulnerabilities in Oracle E-Business Suite

Original release date: June 8, 2004
Last revised: —
Source: US-CERT

Systems Affected

* Oracle Applications 11.0 (all releases)
* Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

A vulnerability in the Oracle’s E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.

I. Description

Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver
services, manufacture products, ship orders, collect payments, and
other tasks using a single database model.

According to the Oracle Security Alert 67, Oracle Applications 11.0
(all releases) and Oracle E-Business Suite Release 11i, 11.5.1 through
11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
E-Business Suite Release 11.5.9 and later are not vulnerable. This
vulnerability is not platform specific. Integrigy Corporation has also
released an alert about these vulnerabilities.

Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.

US-CERT is tracking this issue as VU#961579.

II. Impact

An unauthenticated attacker could exploit this vulnerability to
execute arbitrary SQL statements on the vulnerable system with the
privileges of the Oracle server process. In addition to compromising
the integrity of the database information, this may lead to the
compromise of the database application and the underlying operating
system.

III. Solution

Apply Patch or Upgrade

According to the Oracle Security Alert 67, patches and related
information are available from:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
t?p_database_id=NOT&p_id=274375.1

Appendix B. References

* http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
* http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
* http://www.kb.cert.org/vuls/id/961579

Related Posts

The Magnificent Seven 2023

Seven Trends . . . …that small bank Information Security Officers face in 2023 Another one of those Dan’s New Leaf Posts, meant to inspire thought about IT Governance . . . . Welcom...
READ MORE

“Phone Phishing” – Awareness Poster (Re-release)

Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers!Check out posters.infotex.com for...
READ MORE

“Strong Password Tips” – Awareness Poster

Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers!Check out posters.infotex.com for...
READ MORE

infotex

MANAGING TECHNOLOGY RISK

Linkedin-in Facebook-f Youtube Twitter

SERVICES

EDUCATION

COMPANY

CONTACT

SIGN UP FOR OUR BLOG

As part of infotex‘s service to our clients, find “non-mainstream” articles about relevant security issues.

Facebook Youtube Twitter