Red-Database-Security GmbH is specialized in Oracle Security

Products
Repscan 2.5
Hedgehog Enterprise
Checkpwd (free)

Services
Oracle Audit / Hardening
Security Training
Consulting

Information
Oracle Security Blog
Published AlertsRSS Published Alerts
Upcoming AlertsRSS Published Alerts
Patch Information
Whitepaper
Presentations
Oracle Fact Sheets
Exploits
Tutorials
Videos
Scripts

News & Events
Events
News

Company
Contact
People
Partner
Impressum
Sitemap


Search



Search Red-Database-Security
Details Oracle Critical Patch Update October 2006 - V1.02

If you are interested to get the latest information of the Oracle CPU October 2006
you can now subscribe to our newsletter .

Additional information will be added soon.




With this CPU Oracle has fixed 101 security bugs in various products and components:

The Oracle database patches are fixing 10 Oracle Spatial, 6 Change Data Capture, 3 XMLDB, 2 Database Core and 1 database Scheduler.

Oracle fixed some really old cross site scripting bugs in Oracle Reports. Finally Oracle fixed these reports vulnerbilities after 1056 (!!!) days. It seems that Oracle is now fixing also old bugs.

The analysis of the 35 APEX/HTMLDB security vulnerabilities shows that most of the vulnerabilities were already fixed with earlier versions (e.g. 2.0, 2.1 and 2.2). The Upgrade to 2.2.1 contains only a few security fixes (see section APEX in this analysis).

Database 22
OHS 8
APEX 35
OAS 14
OCS 12
APPS 21
OPA 1
Peoplesoft 8
JD Edwards 1


Fixed security vulnerabilities in Oracle PL/SQL-Packages and Java classes:

Package

Function/Procedure

Granted to

Vulnerability/ Change

xdb.dbms_xdbz0 enable_hierarchy_internal, disable_hierarchiy_internal DB01
DB02
mdsys.md2 DB03
sys.dbms_cdc_impdp DB04
sys.dbms_cdc_ipublish DB05
sys.dbms_cdc_isubscribe DB06
sys.dbms_cdc_isubscribe DB07
sys.dbms_cdc_isubscribe DB08
DB09
sys.dbms_sqltune _internal i_set_tuning_parameter, i_update_sqlset DB10
mdsys.sdo_geom DB11
mdsys.sdo.geor_int DB12
mdsys.sdo_lrs convert_to_lrs_layer DB13
DB14
xdb.dbms_xdbz0 DB15
sys.dbms_cdc_isubscribe DB16
DB17
mdsys.sdo_tune DB18
sys.dbms_scheduler DB19
mdsys.sdo_3gl DB20
mdsys.sdo_cs DB21
mdsys.sdo_geom DB22




The following table contains a mapping of Oracle vuln to the CVE numbers.



Oracle Vuln

CVE#

Vulnerability-Type

DB01 CVE-2006-5332 SQL Injection
DB02 CVE-2006-5333 SQL Injection
DB03 CVE-2006-5334 SQL Injection
DB04 CVE-2006-5335 SQL Injection
DB05 CVE-2006-5336 SQL Injection
DB06 CVE-2006-5336 SQL Injection
DB07 CVE-2006-5335 SQL Injection
DB08 CVE-2006-5335 SQL Injection
DB09 CVE-2006-5337 Modifying (Insert/Update/Delete) data without privileges
DB10 CVE-2006-5338 SQL Injection
DB11 CVE-2006-5339 Length Check
DB12 CVE-2006-5335 SQL Injection
DB13 CVE-2006-5340 SQL Injection
DB14 CVE-2006-5341 SQL Injection
DB15 CVE-2006-5341 SQL Injection
DB16 CVE-2006-5335 SQL Injection
DB17 CVE-2006-5340 SQL Injection
DB18 CVE-2006-5342  
DB19 CVE-2006-5343  
DB20 CVE-2006-5344 Buffer Overflow
DB21 CVE-2006-5344 SQL Injection
DB22 CVE-2006-5345 Length Check

Oracle HTTP Server (OHS)

Oracle Vuln

CVE#

Vulnerability-Type

OHS01 CVE-2006-3747 Bypass Restriction and possible code execution
OHS02 CVE-2005-1344 Buffer Overflow in htdigest
OHS03 CVE-2005-0525 and CVE-2005-0524 Denial of Service in PHP image handling
OHS04 CVE-2002-1157 Cross-Site-Scripting XSS
OHS05 CVE-2005-2700 Bypass restriction
OHS06 CVE-2006-3918 Cross-Site-Scripting XSS
OHS07   HP/UX only
OHS08 CVE-2005-0109 Hyperthreading cryptography crypto attack


Oracle Reports

Oracle Vuln

CVE#

Vulnerability-Type

REP01 Cross-Site-Scripting
REP02 Cross-Site-Scripting


Oracle APEX/HTMLDB

Oracle Vuln

CVE#

Vulnerability-Type

APEX CVE-2006-5351 Cross-Site-Scripting
APEX CVE-2006-5351 Cross-Site-Scripting
APEX CVE-2006-5351 SQL Injection

Modified items after upgrading to Apex 2.2.1

The following table shows a report and analysis (using Repscan and a PL/SQL Unwrapper) of the modified database objects after upgrading to Apex 2.2.1. It seems that most of the 35 security bugs were already fixed with older versions of HTMLDB/APEX. Especially if your are using an older version (< 2.1) of APEX/HTMLDB it is highly recommended to upgrade to 2.2.1. Keep in mind that only 2.2.0 is only running on Oracle Express Edition or 10.2.0.3.

Modification type Owner Type Name new MD5-checksum Security Modification
modified FLOWS_020200 FUNCTION WWV_FLOWS_RELEASE 0e04aa3b11d13b3817f41fb71f089ee1 No Reduce length of deinstall_script to 30000
modified FLOWS_020200 PACKAGE BODY WWV_EXECUTE_IMMEDIATE d93b2bb92815f13dcb7a2c717e895783 No Exception added
modified FLOWS_020200 PACKAGE BODY WWV_FLOW 8ffb3b9030a0ec53ede8d2c1c223d03b No  
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_CALENDAR3 34bc685b5819d33c1a8fd3f4a91712b2 No  
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_COPY_PAGE a923bbe09bc172083a32f08152d6d1be No Procedure list, get_sc_name modified
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_DISP_PAGE_PLUGS 485a2fb6ea8510d7302c66c1308ce648 No Procedure populate_plug_query_info modified
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_DML 7b17c81a2886ccd7dcceb3024ab5f194 No Procedure fetch_row, insert_row modified
added FLOWS_020200 PACKAGE BODY WWV_FLOW_DYNSQL_PARSE 89ef494debb9223255f9c53d1da220ab No  
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_DYNSQL_UTIL 10db3f244d8f36cf6d04f09c4d1f791e Yes? Procedure run_block/parse_block_vc2/parse_block_arr modified for Oracle XE/10.2.03
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_F4000_UTIL d43915fe4a4659c71ebe67665e76e488 No Procedure copy_list,copy_list_from_app modified
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_FORMS 4ba4d980eb07f75b0353601b8f41e3aa Yes? Procedure display_positional_form
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_GENERATE_DDL 4d2b6df9e376e088643009baa813077e No Change Foreign-Key-Handling in function get_ddl
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_GEN_API2 1d1d1e15e325802dbaf21a320a0be717 No Procedure create_install modified from 32767 to 30000
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_INSTALL_WIZARD 60e248d2e19fa73c2960e1d9cf44c195 No Procedure set_sub_strings modified
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_ITEM 48248f419eef9a157085c3770d42e891 No Now support for timestamp added
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_ITEM_HELP 2f11e8cb2cffbc0bc9b262c7933ee065 Yes Procedure show_help modified, Step_id truncated
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_LOAD_EXCEL_DATA 86763b4270e8af1d36b6896a6d7f278f No Procedure run_ddl modified for Oracle XE/10.2.03
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_REGION_LAYOUT 081704d87947175d8c57e15d01472106 No Procedure show_page_buttons modified. Do not show rows if number of rows is 0.
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_RENDER_QUERY 845ee6c94c3818a1d394dfcce86b2975 No Procedure get_dbms_sql_cursor modified for Oracle XE/10.2.03
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_SW_API fcc1f4f7e0f3131e40354ddb1a885978 Yes Function valid_workspace_schema added Procedure create_plan_table is now using wwv_flow_sw_util instead of wwv_execute_immediate Procedure run_sql_arr modified for Oracle XE/10.2.03
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_SW_UTIL e736155f9464a5d3f33f9f6ddaac0f44 Yes Procedure run_block, run_ddl,create_package modified for Oracle XE/10.2.03 Function get_table_ddl, get_sequence_ddl, get_trigger_ddl, get_foreign_key_ddl, get_composite_primary_key_ddl wwv_execute_immediate replaced by run_block, SQL Injection in P_SCHEMA/P_TABLE_NAME
modified FLOWS_020200 PACKAGE BODY WWV_FLOW_UTILITIES b53627c25d1f1b66742e67bcbc6309ca Yes XSS BUG fixed in P_LANG and hidden value P_DD in procedure show_as_popup_calendar
XSS BUG fixed in P_FILTER in procedure gen_popup_list
Function DB_EDITION_IS_XE added
modified FLOWS_020200 PACKAGE BODY WWV_RENDER_REPORT3 2d1f6ac115afb2c29afd640768b9e39d No Procedure show modified
added FLOWS_020200 PACKAGE WWV_FLOW_DYNSQL_PARSE 864417827b2ec63e8cfe1d484333a8e6 No  
modified FLOWS_020200 PACKAGE WWV_FLOW_FORMS 7280d0d00bdc882810f4f6055acee3b4 No  
modified FLOWS_020200 PACKAGE WWV_FLOW_SW_API bd757d29967dbfd0ee6e37da2b003a85 No  
modified FLOWS_020200 PACKAGE WWV_FLOW_UTILITIES 858c1383df38c25810b8b2777e37bb3d No  
modified FLOWS_020200 VIEW APEX_APPLICATION_BUILD_OPTIONS e60cc7606c2bd0c84d794c9a6304c4e1 No  
modified FLOWS_020200 VIEW APEX_APPLICATION_PAGE_ITEMS c55c033264b1c93824e8c1f4ceb97fd5 No  
modified FLOWS_020200 VIEW APEX_APPLICATION_PAGE_RPT_COLS 6e10da488f16aebe25eee02d30a89732 No  
modified FLOWS_020200 VIEW APEX_APPLICATION_PAGE_VAL 5b5265987577c2dcd66211ddabca9c83 No  
added FLOWS_020200 VIEW APEX_WORKSPACE_CLICKS 2cfda6e7b6fa256f8ada6c13035f3342 No  
added PUBLIC SYNONYM APEX_WORKSPACE_CLICKS 62d1a602093a2a47df7e21d85756108f No  



References
  • 18-oct-2006 - 1.00 - Initial version
  • 20-oct-2006 - 1.01 - Analysis APEX 2.2.1 and Map of Public Vulnerability added
  • 23-oct-2006 - 1.02 - US-Cert URL added, CVE added

© 2006 by Red-Database-Security GmbH - last update 23-oct-2006