Published Oracle Security Alerts




This page contains advisories about already published Oracle security issues.

2009

27-jul-2009 PL/SQL Injection in dbms_export_extension [CVE-2009-1021] (fixed in CPUJul2009)
27-jul-2009 Password Hashes in Oracle Audit Trail [CVE-2009-1969] (fixed in CPUJul2009)
14-apr-2009 SQL Injection in DBMS_AQIN [CVE-2009-0992] (fixed in CPUApr2009)
14-apr-2009 SQL Injection in DBMS_AQADM_SYS [CVE-2009-0977] (fixed in CPUApr2009)
14-apr-2009 Unprivileged database users can see APEX password hashes [CVE-2009-0981] (fixed in CPUApr2009)
15-jan-2009 Bypass Auditing using dbms_ijob [CVE-2008-5437] (fixed in CPUJan2009)
15-jan-2009 Plaintext Password in JDeveloper [CVE-2008-2623] (fixed in CPUJan2009)
15-jan-2009 SQL Injection in DBMS_STREAMS_AUTH [CVE-2008-4015] (fixed in CPUJan2009)





2008

15-oct-2008 SQL Injection in upgrade script EXFEAPVS.SQL [CVE-2008-3980] (fixed in CPUOct2008)
15-oct-2008 OLAP_USER has create public synonym [CVE-2008-2624] (fixed in CPUOct2008)
15-oct-2008 jdeveloper: plaintext password in IDEConnections.xml [CVE-2008-2588] (fixed in CPUOct2008)
15-oct-2008 Shutdown any unprotected TNS Listener via Reports Servlet [CVE-2008-2619] (fixed in CPUOct2008)
15-jul-2008 DBMS_IAS_INST_UTL.GEN_DBLINKS_DDL saves plaintext passwords when tracing is enabled [CVE-2008-2587] (fixed in CPUJul2008)
15-apr-2008 SQL Injection in SDO_UTIL [DB05] (fixed in CPUApr2008)
15-apr-2008 SQL Injection in SDO_GEOM [DB06] (fixed in CPUApr2008)
15-apr-2008 SQL Injection in SDO_IDX [DB07] (fixed in CPUApr2008)
15-apr-2008 Password Change/Reset of OUTLN [DB13] (fixed in CPUApr2008)
15-apr-2008 Create View Problem [DB10] (fixed in CPUApr2008)
15-apr-2008 Inline View Problem [DB10] (fixed in CPUApr2008)
15-apr-2008 SQL Injection in SYS.DBMS_PRVTAQIM (fixed in CPUJan2008)
15-apr-2008 SQL Injection in MDSYS.SDO_CATALOG (fixed in CPUJan2008)
15-apr-2008 SQL Injection in upgrade script A0902000.SQL (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script A10000000.sql (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script C09020000.sql (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script E09020000.sql (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script E10010000.sql (fixed in CPUJan2008)





2007

16-oct-2007 Privilege Escalation via FBI [DB01] (fixed in CPUOct2007)
17-jul-2007 SQL Injection in DBMS_PRVTAQIS [DB02] (fixed in CPUJul2007)
17-jul-2007 Insert/Update/Delete data via specially crafted views [DB17] (fixed in CPUJul2007)
17-jul-2007 SQL Injection in APEX CHECK_DB_PASSWORD [APEX01] (fixed in CPUJul2007)
17-apr-2007 Bypass Logon Trigger [DB05] (fixed in CPUApr2007)
17-apr-2007 SQL Injection in DBMS_UPGRADE_INTERNAL [DB07] (fixed in CPUApr2007)
17-apr-2007 SQL Injection in DBMS_AQADM_SYS [DB04] (fixed in CPUApr2007)
17-apr-2007 XSS in Oracle Secure Enterprise Search [SES01] (fixed in CPUApr2007)
17-apr-2007 Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01] (fixed in CPUApr2007)
16-jan-2007 Remote Exploitable Buffer Overflow in Oracle Notification Service (ONS) [OPMN01] (fixed in CPUJan2007)
16-jan-2007 SQL Injection in DBMS_AQ_INV [DB01] (fixed in CPUJan2007)
16-jan-2007 XSS in XMLDB [DB06] (fixed in CPUJan2007)





2006

18-oct-2006 XSS in Oracle Reports [REP01]/[REP02] (fixed in CPUOct2006)
18-oct-2006 XSS in APEX NOTIFICATION_MSG (fixed in APEX 2.2.1)
18-oct-2006 XSS in APEX WWV_FLOW_ITEM_HELP (fixed in APEX 2.2.1)
18-oct-2006 SQL Injection in APEX WWV_FLOW_UTILITIES (fixed in APEX 2.2.1)
18-oct-2006 Modify data via inline view [DB09] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in SYS.DBMS_CDC_IMPDP [DB04] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in SYS.DBMS_XDBZ0 [DB01]/[DB15] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in SYS.DBMS_SQLTUNE_INTERNAL [DB10] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in MDSYS.SDO_LRS [DB13] (fixed in CPUOct2006)
18-jul-2006 SQL Injection in SYS.DBMS_STATS (fixed in CPUJul2006)
18-jul-2006 SQL Injection in SYS.DBMS_UPGRADE (fixed in CPUJul2006)
18-jul-2006 SQL Injection in SYS.DBMS_CDC_IMPDP (fixed in CPUJul2006)
18-jul-2006 SQL Injection in SYS.KUPW$WORKER (fixed in CPUJul2006)
25-apr-2006 SQL Injection in SYS.KUPV$FILE (fixed in CPUOct2005)
25-apr-2006 SQL Injection in SYS.DBMS_METADATA (fixed in CPUJan2005)
20-apr-2006 Analysis of Oracle CPU April 2006
18-apr-2006 SQL Injection in SYS.DBMS_LOGMNR_SESSION (DB06)
10-apr-2006 Read-only user can modify data via views
17-jan-2006 Various SQL Injection in SYS.DBMS_METADATA_UTIL (DB05)
17-jan-2006 Various SQL Injection in SYS.KUPV$FT in Oracle 10g Rel. 1
17-jan-2006 Various SQL Injection in SYS.KUPV$FT_INT in Oracle 10g Rel. 1
17-jan-2006 Event 10053 logs wallet password in cleartext in Oracle 10g Rel. 2 (DB07)
17-jan-2006 The key for the TDE wallet is stored unencrypted in the SGA in Oracle 10g Rel.2 (DB27)
17-jan-2006 Read parts of any XML-file on the application server via Oracle Reports (REP04)
17-jan-2006 Read parts of any file on the application server via Oracle Reports (REP05)
17-jan-2006 Overwrite any file on the application server via Oracle Reports (REP06)


2005

20-oct-2005 Cross-Site-Scripting in Oracle Workflow wf_route
20-oct-2005 Cross-Site-Scripting in Oracle Workflow wf_monitor
7-oct-2005 Shutdown listener via iSQL*Plus
7-oct-2005 Shutdown listener via Forms Servlet
7-oct-2005 Plaintext Passwords logged during Installation of Oracle HTMLDB
7-oct-2005 Cross-Site-Scripting Vulnerabilities in Oracle HTMLDB
7-oct-2005 Cross-Site-Scripting Vulnerabilities in Oracle iSQL*Plus
7-oct-2005 Cross-Site-Scripting Vulnerabilities in Oracle XMLDB
19-jul-2005 Various Cross-Site-Scripting Vulnerabilities in Oracle Reports
19-jul-2005 Read parts of any XML-file on the application server via Oracle Reports
19-jul-2005 Read parts of any file on the application server via Oracle Reports
19-jul-2005 Overwrite any file on the application server via Oracle Reports
19-jul-2005 Run any OS Command via uploaded Oracle Report from any directory
19-jul-2005 Run any OS Command via uploaded Oracle Forms from any directory
12-jul-2005 Oracle JDeveloper passes plaintext password
12-jul-2005 Plaintext password in Oracle JDeveloper
12-jul-2005 Insecure temp file handling in Oracle Formsbuilder
12-jul-2005 Insecure temp file handling in Oracle Forms
02-may-2005 Fine Grained Auditing issue in Oracle 9i / 10g
02-may-2005 DBMS_SCHEDULER 10g SELECT user issue in Oracle 10g
26-apr-2005 Webcache Client Requests bypasses OHS mod_access Restrictions
26-apr-2005 File append vulnerability in Webcache Admin Console
26-apr-2005 CSS in Webcache Admin Console
25-apr-2005 CSS in BEA admin console
12-apr-2005 SQL Injection in Oracle Forms
18-jan-2005 Buffer Overflow in Create Database Link in Oracle8i - 9i



2004

03-sep-2004 Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i - 9i
03-sep-2004 Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2
03-sep-2004 SQL Injection via CTXSYS.DRILOAD
19-jan-2004 Multiple security vulnerabilities in Oracle9i Lite 5


Related Information

Oracle Patch Policy

Vulnerability Fixing Order of Oracle Vulnerabilities:

  • Main line of code
  • New products (e.g. 11g Rel. 1)
  • Patchsets for older products (e.g. 9.2.0.8)
  • Critical Patch Update

More information is available on Oracle OTN: Security Vulnerability Fixing Policy and Process

© 2005-2009 by Red-Database-Security GmbH - last update: 27-jul-2009