Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Details Oracle Critical Patch Update July 2006 - V1.03

If you are interested to get the latest information of the Oracle CPU July 2006
you can now subscribe our newsletter .

Additional information will be added soon.


CHANGE !!! IMPORTANT

Oracle does NOT fixed the "Modify Data via Views" bug.

The 0day vulnerability for dbms_export_extension which was released on Full-Disclosure Mailing list in April 2006 and many more vulnerabilities like SQL Injection, Buffer overflows, Cross Site Scripting, ...

With this CPU Oracle has fixed 65 security bugs in various products and components.

Patches for Oracle Express Edition are currently not available:

Database 23
Client 4
OAS 10
OCS 1
APPS 20
EM 4
PSE 2
JDE 1


Fixed security vulnerabilities in Oracle PL/SQL-Packages and Java classes:

Package

Function/Procedure

Granted to

Vulnerability/ Change

SYS.DBMS_STAT_FUNCS

(belongs to DBMS_STATS)

KOLMOGOROV_SMIRNOV, SHAPIRO_WILKS, ANDERSON_DARLING, CHI_SQUARED_CONTINUOUS, CHI_SQUARED_DISCRETE, SUMMARY, NORMAL_DIST_FIT, UNIFORM_DIST_FIT, POISSON_DIST_FIT, WEIBULL_DIST_FIT, EXPONENTIAL_DIST_FIT PUBLIC SQL Injection [DB21], 10.1
SYS.DBMS_UPGRADE SQL Injection [DB22]
SYS.DBMS_CDC_IMPDP IMPORT_CHANGE_SET, IMPORT_CHANGE_TABLE, IMPORT_CHANGE_COLUMN, IMPORT_SUBSCRIBER, IMPORT_SUBSCRIBED_TABLE, IMPORT_SUBSCRIBED_COLUMN, VALIDATE_IMPORT, VALIDATE_CHANGE_SET, VALIDATE_CHANGE_TABLE, VALIDATE_SUBSCRIPTION PUBLIC SQL Injection [DB01],10.1
SYS.DBMS_CDC_ISUBSCRIBE GET_SUBSCRIPTION_HANDLE, SUBSCRIBE, PREPARE_SUBSCRIBER_VIEW, DROP_SUBSCRIBER_VIEW   SQL Injection [DB01], 10.1
SYS.DBMS_EXPDP DUMP_CHANGE_SET, DUMP_CHANGE_TABLE, DUMP_CHANGE_COLUMN, DUMP_SUBSCRIBER, DUMP_SUBSCRIBED_TABLE, DUMP_SUBSCRIBED_COLUMN, SCHEMA_INFO_EXP   SQL Injection [DB01], 10.1
SYS.KUPW$WORKER MAIN PUBLIC SQL Injection [DB03], 10.1
SYS.DBMS_DDL PUBLIC (?) [DB05], 10.1
SYS.DBMS_EXPORT_EXTENSION GET_DOMAIN_INDEX_METADATA, GET_DOMAIN_INDEX_TABLES, GET_V2_DOMAIN_INDEX_TABLES PUBLIC SQL Injection [DB06], 10.1
ORDSYS.ORDIMGIDXMETHODS   PUBLIC Buffer Overflow, [DB07], 10.1
SYS.DBMS_XRWMV   PUBLIC Buffer Overflow, [DB16],10.1
SYS.DBMS_XDBZ0 ENABLE_HIERARCHY_INTERNAL, DISABLE_HIERARCHY_INTERNAL   SQL Injection , 10.1
SYS.DBMS_ADVISOR GEN_SHRINK_DDL PUBLIC SQL Injection , 10.2
SYS.DBMS_METADATA OKTOEXP_2NDARY_TABLE PUBLIC Check for user L_INDEX_SCHEMA, 10.2
SYS.DBMS_ODCI     Additional Security checks for ODCI function call,10.2
       
       




The following table contains a mapping of Oracle vuln to the CVE numbers.

Oracle Vuln

CVE#

Vulnerability-Type

DB01 CVE-2006-3698
SQL Injection
DB02 CVE-2006-3699  
DB03 CVE-2006-3698
SQL Injection
DB04 CVE-2006-3700 SQL Injection (?)
DB05 CVE-2006-3701 Buffer Overflow
DB06 CVE-2006-3702 SQL Injection
DB07 CVE-2006-3703 Buffer Overflow
DB08 CVE-2006-3702 ??
DB09 CVE-2006-3702  
DB10 CVE-2006-3702  
DB11 CVE-2006-3702  
DB12 CVE-2006-3702  
DB13 CVE-2006-3702  
DB14 CVE-2006-3702  
DB15 CVE-2006-3704  
DB16 CVE-2006-3702  
DB17 CVE-2006-3702  
DB18 CVE-2006-3702  
DB19 CVE-2006-3702  
DB20 CVE-2006-3702  
DB21 CVE-2006-3705 SQL Injection
DB22 CVE-2006-3705 SQL Injection
DB23 CVE-2006-3700  
DBC01 CVE-2006-3702 Buffer Overflow (?)
DBC02 CVE-2006-3702 Buffer Overflow (?)
DBC03 CVE-2006-3702 Buffer Overflow (?)
DBC04 CVE-2006-3702 Buffer Overflow (?)
AS01 CVE-2006-3706  
AS02 CVE-2006-3707  
AS03 CVE-2006-3708  
AS04 CVE-2006-3709 Cross Site Scripting RequestInfoExample (?)
AS05 CVE-2006-3710 Cross Site Scripting SnoopServlet (?)
AS06 CVE-2006-3711  
AS07 CVE-2006-3712  
AS08 CVE-2006-3710  
AS09 CVE-2006-3713  
AS10 CVE-2006-3714  
OCS1 CVE-2006-3715  
APPS01 CVE-2006-3716  
APPS02 CVE-2006-3716  
APPS03 CVE-2006-3717  
APPS04 CVE-2006-3717  
APPS05 CVE-2006-3716  
APPS06 CVE-2006-3716  
APPS07 CVE-2006-3716  
APPS08 CVE-2006-3716  
APPS09 CVE-2006-3716  
APPS10 CVE-2006-3716  
APPS11 CVE-2006-3716  
APPS12 CVE-2006-3716  
APPS13 CVE-2006-3716  
APPS14 CVE-2006-3716  
APPS15 CVE-2006-3716  
APPS16 CVE-2006-3718  
APPS17 CVE-2006-3718  
APPS18 CVE-2006-3716  
APPS19 CVE-2006-3716  
APPS20 CVE-2006-3717  
EM01 CVE-2006-3719  
EM02 CVE-2006-3720  
EM03 CVE-2006-3721  
EM04 CVE-2006-3721  
PSE01 CVE-2006-3722  
PSE02 CVE-2006-3723  
JDE01 CVE-2006-3724  

Comments:

The package DBMS_CDC_DPUTIL contains a new debug message. If you find "this is a test" in your tracefile it's from the package DBMS_CDC_DPUTIL.
[...]
DBMS_SYSTEM.KSDWRT(DBMS_SYSTEM.TRACE_FILE, 'this is a test ');
[...]
Debug code (and especially useless debug code) is never a good idea.



References

History
  • 18-jul-2006 - 1.00 - Initial version
  • 19-jul-2006 - 1.01 - More details after analysis of PL/SQL packages added
  • 19-jul-2006 - 1.02 - CVEs for Oracle July CPU added. Thank you Steven M. Christey for this information
  • 24-jul-2006 - 1.03 - Change Data via View bug is NOT fixed.

2006 by Red-Database-Security GmbH - last update 24-jul-2006