Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Not to the Black
Details Oracle Critical Patch Update April 2006 - V1.05

If you are interested to get the latest information of the Oracle CPU April 2006
you can now subscribe our newsletter .

Additional information will be added soon.


If your database (only database!!!) is not using mod_plsql, Oracle Spatial and Enterprise Manager reporting, there are only 7 security issues left.
  • DB07 (EM Agent) is only exploitable from an OS account on the database server. In many cases this risk is acceptable because a normal user should never have OS access to the database server.

  • DB01, DB02, DB03, DB05, DB06 are bug fixes for SQL Injection issues in database packages. Only DB01 (DBMS_REPUTIL), DB03 (DBMS_SNAPSHOT_UTL) and DB05 (DBMS_EXPORT_EXTENSION) are granted to PUBLIC. Revoking the privilege from these 3 packages to public could mitigate the risk. If these vulnerable packages are needed you should create a custom role and assign this custom role. The first exploit for the bug DB05 was already posted on bugtraq.

  • DB04 requires the ability to enable constraints. Additional details are currently not available .


  • A short analysis of the Oracle spatial bug fixes (DB08-DB13) shows that 1 bugfix is incorrect for Oracle 9.2.0.7 and one parameter in this spatial package is accidentially not sanitized properly. Oracle handles this a a new bug (7520291) which will be fixed in a upcoming patchset.

    Keep in mind that Oracle 10g XE (eXpress Edition) is also affected but not mentioned in the April CPU 2006. Patches for Oracle XE are currently NOT available. We tested the exploit for dbms_export_extension on Oracle XE for Windows and the exploit works as expected.

    With this CPU Oracle has fixed 36 security bugs in various products and components:



    Database 13
    MOD_PLSQL 1
    OCS 4
    APPS 13
    OPA 1
    EM 2
    PSE 1
    JDE 1

    The view bug affecting all versions from 9.1.0.0 until 10.2.0.3 is, as expected, not fixed in this CPU.

    Fixed security vulnerabilities in Oracle PL/SQL-Packages and Java classes:

    Package

    Function/Procedure

    Granted to

    Vulnerability/ Change

    SYS.DBMS_REPUTIL PUBLIC DB01
    SYS.DBMS_REPCAT_ADMIN EXECUTE_CATALOG_ROLE DB02
    SYS.DBMS_SNAPSHOT_UTL VERIFY_LOG PUBLIC DB03
    SYS.DBMS_EXPORT_EXTENSION GET_DOMAIN_INDEX_METADATA PUBLIC DB05
    SYS.DBMS_LOGMNR_SESSION DELETE_FROM_TABLE EXECUTE_CATALOG_ROLE DB06
    MDSYS.PRVT_IDX EXECUTE_INSERT, EXECUTE_DELETE, EXECUTE_UPDATE, EXECUTE UPDATE, CRT_DUMMY PUBLIC DB09
    MDSYS.SDO_CATALOG INSERT_CATALOG, UPDATE_CATALOG, DELETE_CATALOG PUBLIC DB10
    MDSYS.SDO_LRS_TRIG_INS check for single quote in table_name and column_name PUBLIC DB11
    MDSYS.SDO_PRIDX GEN_RID_RANGE_BY_AREA, GEN_RID_RANGE PUBLIC DB12
    PublishedReportGenerator.class   EM01
    PublishedReportGenerator.class   EM02




    The following table contains a mapping of Oracle vuln to the CVE numbers.

    Oracle Vuln

    CVE#

    Vulnerability-Type

    DB01 CVE-2006-1866  
    DB02 CVE-2006-1867  
    DB03 CVE-2006-1868 Buffer Overflow
    DB04 CVE-2006-1869  
    DB05 CVE-2006-1870 SQL Injection
    DB06 CVE-2006-1871 SQL Injection
    DB07 CVE-2006-1872  
    DB08 CVE-2006-1873  
    DB09 CVE-2006-1874 SQL Injection
    DB10 CVE-2006-1866 SQL Injection
    DB11 CVE-2006-1875 SQL Injection
    DB12 CVE-2006-1876 SQL Injection
    DB13 CVE-2006-1877  
         
    PLSQL01 CVE-2006-0435 SQL Injection in mod_plsql
         
    OCS01 CVE-2006-1879  
    OCS02 CVE-2006-1879  
    OCS03 CVE-2006-1879  
    OCS04 CVE-2006-1879  
         
    APPS01 CVE-2006-1880  
    APPS02 CVE-2006-1881  
    APPS03 CVE-2006-1882  
    APPS04 CVE-2006-1882  
    APPS05 CVE-2006-1883  
    APPS06 CVE-2006-1882  
    APPS07 CVE-2006-1882  
    APPS08 CVE-2006-1882  
    APPS09 CVE-2006-1880  
    APPS10 CVE-2006-1880  
    APPS11 CVE-2006-1882  
    APPS12 CVE-2006-1880  
    APPS13 CVE-2006-1880  
         
    OPA01 CVE-2006-1884  
    PSE01 CVE-2006-1886  
    JDE01 CVE-2006-1887  
         
    EM01 CVE-2006-1885 Reporting Framework
    EM02 CVE-2006-1885 Reporting Framework



    References

    History
    • 18-apr-2006 - 1.00 - Initial version
    • 19-apr-2006 - 1.01 - First results of the analysis added
    • 19-apr-2006 - 1.02 - Comments added
    • 19-apr-2006 - 1.03 - One patch for an Oracle Spatial bug solves only parts of the problems
    • 20-apr-2006 - 1.04 - Advisory from Argeniss added, Exploit for dbms_export_extension added
    • 21-apr-2006 - 1.05 - CVE numbers added, Details bug 7520291 added, Details Oracle XE added

    2006 by Red-Database-Security GmbH - last update 21-apr-2006