Details Oracle Critical Patch Update April 2006 - V1.05
If you would like to get the latest information on the Oracle CPU April 2006, you can now subscribe to our newsletter.
Additional information will be added soon.
If your database (only database!!!) is not using mod_plsql, Oracle Spatial and Enterprise Manager reporting, there are only 7 security issues left.
DB07 (EM Agent) is only exploitable from an OS account on the database server. In many cases this risk is acceptable because a normal user should never have OS access to the database server.
DB01, DB02, DB03, DB05 and DB06 are bug fixes for SQL injection issues in database packages. Only DB01 (DBMS_REPUTIL), DB03 (DBMS_SNAPSHOT_UTL) and DB05 (DBMS_EXPORT_EXTENSION) are granted to PUBLIC. Revoking the PUBLIC grant on these 3 packages could mitigate the risk. If these vulnerable packages are needed, you should create a custom role and assign this custom role. The first exploit for the bug DB05 was already posted on Bugtraq.
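One way to carry out the PUBLIC revoke described above, as an added example that is not part of the original advisory: it lists who can currently execute the three packages, finds non-SYS objects that depend on them, and then moves the grant to a custom role. The role name `cpu_apr2006_pkg_exec` and the grantee `app_user` are hypothetical.

```sql
-- Added example, run as a DBA. Role and user names are hypothetical.

-- 1. Who can execute the three packages the advisory lists as granted to PUBLIC?
SELECT grantee, owner, table_name, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND privilege = 'EXECUTE'
   AND table_name IN ('DBMS_REPUTIL',
                      'DBMS_SNAPSHOT_UTL',
                      'DBMS_EXPORT_EXTENSION')
 ORDER BY table_name, grantee;

-- 2. Which objects outside SYS reference them (directly or through a
--    public synonym)? These can become invalid after the revoke, so
--    review the list before changing anything.
SELECT owner, name, type, referenced_owner, referenced_name
  FROM dba_dependencies
 WHERE referenced_owner IN ('SYS', 'PUBLIC')
   AND referenced_name IN ('DBMS_REPUTIL',
                           'DBMS_SNAPSHOT_UTL',
                           'DBMS_EXPORT_EXTENSION')
   AND owner <> 'SYS'
 ORDER BY owner, name;

-- 3. Remove the PUBLIC grant.
REVOKE EXECUTE ON sys.dbms_reputil          FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_snapshot_utl     FROM PUBLIC;
REVOKE EXECUTE ON sys.dbms_export_extension FROM PUBLIC;

-- 4. Custom role for the accounts that really need the packages.
CREATE ROLE cpu_apr2006_pkg_exec;
GRANT EXECUTE ON sys.dbms_reputil          TO cpu_apr2006_pkg_exec;
GRANT EXECUTE ON sys.dbms_snapshot_utl     TO cpu_apr2006_pkg_exec;
GRANT EXECUTE ON sys.dbms_export_extension TO cpu_apr2006_pkg_exec;
GRANT cpu_apr2006_pkg_exec TO app_user;

-- 5. Recheck: PUBLIC should no longer appear in the result of query 1,
--    and anything reported invalid here needs a review.
SELECT owner, object_name, object_type
  FROM dba_objects
 WHERE status = 'INVALID'
 ORDER BY owner, object_name;
```

Privileges received through a role are not active inside definer's-rights stored PL/SQL, so a schema from query 2 whose stored code calls one of these packages needs a direct grant rather than the role.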
DB04 requires the ability to enable constraints. Additional details are currently not available.
A short analysis of the Oracle Spatial bug fixes (DB08-DB13) shows that 1 bugfix is incorrect for Oracle 9.2.0.7 and one parameter in this spatial package is accidentally not sanitized properly. Oracle handles this as a new bug (7520291), which will be fixed in an upcoming patchset.
Keep in mind that Oracle 10g XE (eXpress Edition) is also affected but not mentioned in the April CPU 2006. Patches for Oracle XE are currently NOT available.
We tested the exploit for dbms_export_extension on Oracle XE for Windows and the exploit works as expected.
With this CPU Oracle has fixed 36 security bugs in various products and components:
| Product | Fixed security bugs |
|---|---|
| Database | 13 |
| MOD_PLSQL | 1 |
| OCS | 4 |
| APPS | 13 |
| OPA | 1 |
| EM | 2 |
| PSE | 1 |
| JDE | 1 |
The view bug affecting all versions from 9.1.0.0 until 10.2.0.3 is, as expected, not fixed in this CPU.
Fixed security vulnerabilities in Oracle PL/SQL-Packages and Java classes:
| Package | Function/Procedure | Granted to | Vulnerability/Change |
|---|---|---|---|
| SYS.DBMS_REPUTIL | | PUBLIC | DB01 |
| SYS.DBMS_REPCAT_ADMIN | | EXECUTE_CATALOG_ROLE | DB02 |
| SYS.DBMS_SNAPSHOT_UTL | VERIFY_LOG | PUBLIC | DB03 |
| SYS.DBMS_EXPORT_EXTENSION | GET_DOMAIN_INDEX_METADATA | PUBLIC | DB05 |
| SYS.DBMS_LOGMNR_SESSION | DELETE_FROM_TABLE | EXECUTE_CATALOG_ROLE | DB06 |
| MDSYS.PRVT_IDX | EXECUTE_INSERT, EXECUTE_DELETE, EXECUTE_UPDATE, EXECUTE UPDATE, CRT_DUMMY | PUBLIC | DB09 |
| MDSYS.SDO_CATALOG | INSERT_CATALOG, UPDATE_CATALOG, DELETE_CATALOG | PUBLIC | DB10 |
| MDSYS.SDO_LRS_TRIG_INS | check for single quote in table_name and column_name | PUBLIC | DB11 |
| MDSYS.SDO_PRIDX | GEN_RID_RANGE_BY_AREA, GEN_RID_RANGE | PUBLIC | DB12 |
| PublishedReportGenerator.class | | | EM01 |
| PublishedReportGenerator.class | | | EM02 |
The following table contains a mapping of Oracle vuln
to the CVE numbers.
References
History
- 18-apr-2006 - 1.00 - Initial version
- 19-apr-2006 - 1.01 - First results of the analysis added
- 19-apr-2006 - 1.02 - Comments added
- 19-apr-2006 - 1.03 - One patch for an Oracle Spatial bug solves only parts of the problems
- 20-apr-2006 - 1.04 - Advisory from Argeniss added, Exploit for dbms_export_extension added
- 21-apr-2006 - 1.05 - CVE numbers added, Details bug 7520291 added, Details Oracle XE added
© 2006 by Red-Database-Security GmbH - last update 21-apr-2006