Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Not to the Black
Details Oracle Critical Patch Update January 2006 - V1.10

If you are interested to get the latest information of the Oracle CPU January 2006
you can now subscribe our newsletter .
More detailed information will be available soon.
  • A summary of changes in the Oracle data dictionary after appling the patches for CPU January 2006 is available as PDF file.
  • The most dangerous bug is DB18 because DB18 is easy to exploit and all versions are affected. Exploits are already available.


With this CPU Oracle fixed 82 security bugs in various products and components:
Database 29
FORMS 2
REPORTS 6
WF 3
OCS 15
APPS 19
DBC 2
Peoplesoft 1
JDEdwards 1
OHS 2
JavaNet 1
Portal 1
82

Fixed security vulnerabilities in Oracle PL/SQL-Packages and Java classes:

Package

Function/Procedure

Granted to

Vulnerability / Change

KUPV$FT ATTACH_JOB Parameter user_name and job_name vulnerable against SQL Injection
KUPV$FT HAS_PRIVS Parameter linkname vulnerable against SQL Injection
KUPV$FT OPEN_JOB Parameter user_name, job_name, operation, job_mode vulnerable against SQL Injection
KUPV$FT_INT ACTIVE_JOB Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT ATTACH_POSSIBLE Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT ATTACH_TO_JOB Parameter jobid vulnerable against SQL Injection
KUPV$FT_INT CREATE_NEW_JOB Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT DELETE_JOB Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT DELETE_MASTER_TABLE Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT DETACH_JOB Parameter handle vulnerable against SQL Injection
KUPV$FT_INT GET_JOB_INFO Parameter handle, job_id vulnerable against SQL Injection
KUPV$FT_INT GET_JOB_INFO (2nd function) Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT GET_JOB_QUEUES Parameter handle, job_id vulnerable against SQL Injection
KUPV$FT_INT GET_JOB_QUEUES (2nd function) Parameter user_name, job_name vulnerable against SQL Injection
KUPV$FT_INT GET_SOLE_JOBNAME Parameter user_name is vulnerable against SQL Injection
KUPV$FT_INT MASTER_TBL_LOCK Parameter user_name, job_name, master_objid vulnerable against SQL Injection
KUPV$FT_INT SET_EVENT Parameter event_number, level vulnerable against SQL Injection
KUPV$FT_INT VALID_HANDLE Parameter handle vulnerable against SQL Injection
KUPV$FT_INT UPDATE_JOB Parameter user_name, job_name vulnerable against SQL Injection
DBMS_DATAPUMP (DB06) GENERATE_JOB_NAME Parameter operation, job_mode vulnerable against SQL Injection
DBMS_DATAPUMP (DB06)
DBMS_DATAPUMP (DB06) GET_WORKERSTATUSLIST1010 Parameter job_rec.mt_name vulnerable against SQL Injection
DBMS_DATAPUMP (DB06) GET_PARAMVALUES1010 Parameter job_rec.mt_name vulnerable against SQL Injection
DBMS_DATAPUMP (DB06) GET_DUMPFILESET1010 Parameter job_rec.mt_name vulnerable against SQL Injection
DBMS_DATAPUMP (DB06) GET_JOBSTATUS1010 Parameter job_rec.mt_name vulnerable against SQL Injection
DBMS_DATAPUMP (DB06) ATTACH Parameter job_name vulnerable against SQL Injection
DBMS_DATAPUMP (DB06) ESTABLISH_REMOTE_CONTEXT Parameter remote_link vulnerable against SQL Injection
DBMS_REGISTRY (DB28) IS_COMPONENT Parameter SYS_CONTEXT('REGISTRY$CTX','NAMESPACE') vulnerable against SQL Injection
DBMS_REGISTRY (DB28) GET_COMP_OPTION Parameter SYS_CONTEXT('REGISTRY$CTX','NAMESPACE') vulnerable against SQL Injection
DBMS_REGISTRY (DB28) DISABLE_DDL_TRIGGERS Parameter DBMS_REGISTRY.SCHEMA(), TRIGGER_NAME vulnerable against SQL Injection
DBMS_REGISTRY (DB28) SCRIPT_EXISTS Parameter path vulnerable against SQL Injection
DBMS_REGISTRY (DB28) COMP_PATH Parameter SYS_CONTEXT('REGISTRY$CTX','NAMESPACE') vulnerable against SQL Injection
DBMS_REGISTRY (DB28) GATHER_STATS Parameter comp_id vulnerable against SQL Injection
DBMS_REGISTRY (DB28) NOTHING_SCRIPT Parameter SYS_CONTEXT('REGISTRY$CTX','NAMESPACE') vulnerable against SQL Injection
DBMS_REGISTRY (DB28) VALIDATE_COMPONENTS SQL Injection via REGISTRY$.VPROC possible
DBMS_CDC_UTILITY (DB02) DROP_USER PUBLIC Parameter user_name vulnerable against SQL Injection
DBMS_CDC_UTILITY (DB02) CDC_ALLOCATE_LOCK PUBLIC Parameter lockname vulnerable against SQL Injection
DBMS_CDC_PUBLISH (DB25) SET_DIRECTORY_ROOT Parameter root_directory vulnerable against SQL Injection
DBMS_METADATA_UTIL (DB05) LONG2VARCHAR Parameter col, tab vulnerable against SQL Injection
DBMS_METADATA_UTIL (DB05) LONG2VCMAX Parameter col, tab vulnerable against SQL Injection
DBMS_METADATA_UTIL (DB05) LONG2VCNT Parameter col, tab vulnerable against SQL Injection
DBMS_METADATA_UTIL (DB05) LONG2CLOB PUBLIC Parameter col, tab vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) MAKE_FILTER PUBLIC T_MF_FILTER(I_MF),T_MF_ATTRNAME(I_MF) vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) FETCH_VIEWS_ERROR PUBLIC CONTEXT_LIST(IND).OBJECT_TYPE, CONTEXT_LIST(IND).OBJECT_TYPE, CONTEXT_LIST(IND).MODEL, VSN vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) FETCH_FILTERS Parameter name, vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) FETCH_VIEWS CONTEXT_LIST(IND).OBJECT_TYPE, CONTEXT_LIST(IND).MODEL, name vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) SET_FILTER_COMMON Parameter text_value, vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) DO_FILTER_SCRIPT CONTEXT_LIST(IND).OBJECT_TYPE, CONTEXT_LIST(IND).MODEL vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) SET_TABLE_FILTERS FILTER_LIST(NAME_IND).TEXT_VALUE, FILTER_LIST(SCHEMA_IND).TEXT_VALUE vulnerable against SQL Injection
DBMS_METADATA_INT (DB05) MAKE_FILTER_TEXT Parameter OBJNUM_FUNCTION, SORTOBJNUM_FUNCTION vulnerable against SQL Injection
DBMS_METADATA (DB05) GET_PREPOST_TABLE_ACT PUBLIC SQL Injection
CTXSYS.DRILOAD (DB17) VALIDATE_STATEMENT PUBLIC Parameter sqlstmt vulnerable against SQL Injection
CTXSYS.DRILOAD (DB17) BUILD_DML LV_INDEX.IDX_OWNER, LV_INDEX.IDX_TABLE vulnerable against SQL Injection
CTXSYS.DRIDML (DB17) CLEAN_DML username, tablename vulnerable against SQL Injection
CTXSYS.CTX_DOC (DB17) GET_ROWID PUBLIC Parameter P_IDX (Record) vulnerable against SQL Injection
CTXSYS.CTX_QUERY (DB17) BROWSE_WORDS PUBLIC Parameter RESTAB vulnerable against SQL Injection
CATINDEXMETHODS (DB17) ODCIINDEXTRUNCATE Parameter IA.INDEXSCHEMA, IA.INDEXNAME vulnerable against SQL Injection
CATINDEXMETHODS (DB17) ODCIINDEXDROP Parameter IA.INDEXSCHEMA, IA.INDEXNAME vulnerable against SQL Injection
CATINDEXMETHODS (DB17) ODCIINDEXDELETE Parameter IA.INDEXSCHEMA, IA.INDEXNAME vulnerable against SQL Injection
DBMS_XMLSCHEMA (DB29) GENERATESCHEMA PUBLIC Parameter SCHEMANAME and TYPENAME vulnerable against Buffer Overflow
DBMS_XMLSCHEMA (DB29) GENERATESCHEMAS PUBLIC Parameter SCHEMANAME and TYPENAME vulnerable against Buffer Overflow
DBMS_XMLSCHEMA_INT (DB29) GENERATESCHEMA Parameter SCHEMANAME and TYPENAME vulnerable against Buffer Overflow
DBMS_XMLSCHEMA_INT (DB29) GENERATESCHEMAS Parameter SCHEMANAME and TYPENAME vulnerable against Buffer Overflow


Security vulnerabilities in Oracle Features and Components:

Product

Version

Severity

Vulnerability

Oracle Database 10.2.0.1 Critical Event 10053 logs TDE wallet password in cleartext (DB07)
Oracle Database 10.2.0.1 Critical The key for the TDE wallet is stored unencrypted in cleartext (DB27)
Oracle Application Server - Reports 1.0.2.x - 10.1.0.2 Critical Read parts of any XML-file via Oracle Reports (REP04)
Oracle Application Server - Reports 1.0.2.x - 10.1.0.2 Critical Read parts of any file via Oracle Reports (REP05)
Oracle Application Server - Reports 1.0.2.x - 10.1.0.2 Critical Overwrite any file via Oracle Reports (REP06)
Oracle Application Server - Reports 1.0.2.x - 10.1.0.2 Critical Run any OS command via Oracle Reports (REP03)
Oracle Application Server - Forms 1.0.2.x - 10.1.0.2 Critical Run any OS command via Oracle Reports (FORMS02)


The following table contains a mapping of Oracle vuln

Oracle Vuln

CVE#

Vulnerability-Type

Affected Version

DB01 CVE-2006-0256    
DB02 CVE-2006-0257 SQL Injection DBMS_CDC_UTILITY  
DB03 CVE-2006-0258    
DB04 CVE-2006-0259    
DB05 CVE-2006-0260 SQL Injection DBMS_METADATA, DBMS_METADATA_INT, DBMS_METADATA_UTIL  
DB06 CVE-2006-0259 SQL Injection DBMS_DATAPUMP  
DB07 CVE-2006-0261 Infomation disclosure TDE 10g Rel. 2 only
DB08 CVE-2006-0262    
DB09 CVE-2006-0263    
DB10 CVE-2006-0264    
DB11      
DB12 CVE-2006-0263    
DB13 CVE-2006-0263    
DB14 CVE-2006-0261    
DB15 CVE-2006-0260    
DB16      
DB17 CVE-2006-0265 SQL Injection CTXSYS.DRILOAD, CTXSYS.DRIDML, CTXSYS,CTX_DOC, CTX_CTX_QUERY , CATINDEXMETHODS  
DB18 CVE-2006-0265 Privilege escalation This is a really critical security issue and affects all versions of Oracle. Exploits for DB18 for this vulnerability are already available !!!. Please patch as soon as possible.
DB19 CVE-2006-0266    
DB20 CVE-2006-0267    
DB21 CVE-2006-0268    
DB22 CVE-2006-0260    
DB23 CVE-2006-0260    
DB24 CVE-2006-0260    
DB25 CVE-2006-0269 SQL Injection DBMS_CDC_PUBLISH  
DB26 CVE-2006-0260    
DB27 CVE-2006-0270 Infomation disclosure TDE 10g Rel. 2 only
DB28 CVE-2006-0271 SQL Injection dbms_registry  
DB29 CVE-2006-0272 Buffer Overflow in dbms_xmlschema and dbms_xmlschema_int Exploits for dbms_xmlschema and dbms_xmlschema_int available on the web
       
DBC01 CVE-2006-0282    
DBC02 CVE-2006-0283 Buffer Overflow Client Tool 10g Rel. 1 client tools
JN01 CVE-2006-0285    
OHS01 CVE-2006-0286    
OHS02 CVE-2006-0287    
WF01 CVE-2006-0290    
WF02 CVE-2006-0291    
WF03 CVE-2006-0291    
       
AS01 CVE-2006-0273    
FORM01 CVE-2006-0284    
FORM02 CVE-2006-0284   All versions of Forms
REP01 CVE-2006-0288    
REP02 CVE-2006-0288    
REP03 CVE-2006-0274   All versions of Reports
REP04 CVE-2006-0275   All versions of Reports
REP05 CVE-2006-0289   All versions of Reports
REP06 CVE-2006-0289   All versions of Reports
       
OCS01 CVE-2006-0276    
OCS02 CVE-2006-0276    
OCS03 CVE-2006-0276    
OCS04 CVE-2006-0276    
OCS05 CVE-2006-0276    
OCS06 CVE-2006-0276    
OCS07 CVE-2006-0276    
OCS08 CVE-2006-0276    
OCS09 CVE-2006-0276    
OCS10 CVE-2006-0276    
OCS11 CVE-2006-0276    
OCS12 CVE-2006-0276    
OCS13 CVE-2006-0276    
OCS14 CVE-2006-0276    
OCS15 CVE-2006-0276    


With this CPU Oracle delivers a so-called password checking tool (Patch 4926128). This tool is just a SQL-Select statement which checks the existance of some password hashes. This SELECT statement is incomplete. You should always access the table SYS.USER$ to avoid hidden users (details see Oracle rootkits ).
----------------Oracle Password Checking Tool ------------------

SELECT username "Account Name", account_status "Account Status"
FROM dba_users
WHERE (username, password) IN (
('SYS',                         '5638228DAF52805F'),
('SYS',                         'D4C5016086B2DC6A'),
('SYSTEM',                      'D4DF7931AB130E37'),
('CTXSYS',                      '24ABAB8B06281B4C'),
('DBSNMP',                      'E066D214D5421CCC'),
('MDSYS',                       '72979A94BAD2AF80'),
('MDSYS',                       '9AAEB2214DCC9A31'),
('OUTLN',                       '4A3BA55E08595C81'),
('SCOTT',                       'F894844C34402B67'),
('ORDCOMMON',			'9B616F5489F90AD7'))
AND account_status <> 'EXPIRED \& LOCKED'
ORDER BY username;
----------------Oracle Password Checking Tool ------------------

If you need a good, free and fast password checker you could use checkpwd from Red-Database-Security GmbH. Checkpwd is a real password checker.



Some hints before applying the patches
  • 8.1.7.4: set NLS_LANG=AMERICAN_AMERICA before running the @catcpu.sql script (==> loop) to avoid the error "PLS-00553: Zeichensatzname nicht erkannt" during the installation
  • 10.1.0.4: download a new version of opatch
  • 10.2.0.1: download a new version of opatch

References

History
  • 17-jan-2006 - 1.00 - Initial version
  • 17-jan-2006 - 1.01 - # of total bugs added
  • 17-jan-2006 - 1.02 - Comment Oracle Password Checking Tool and analysis of SYS.KUPV$FT and SYS.KUPV$FT_INT added
  • 17-jan-2006 - 1.03 - Analysis of SYS. , SYS. , SYS. and SYS. added
  • 17-jan-2006 - 1.04 - Some hints added
  • 19-jan-2006 - 1.05 - Mapping to Oracle Vuln# added if possible
  • 19-jan-2006 - 1.06 - Additional information (e.g. CVE#) added
  • 23-jan-2006 - 1.07 - Integrigy analysis and additional commtens for DB18 added
  • 23-jan-2006 - 1.08 - PDF-file with changes in the data dictionary added
  • 27-jan-2006 - 1.09 - Advisory and Exploits from Argeniss added added
  • 02-feb-2006 - 1.10 - Detail and link for exploit DB18 added

2006 by Red-Database-Security GmbH - last update 2-feb-2006