Oracle Database Multiple Vulnerabilities
Release Date : 2012-04-18
Criticality level : Moderately critical
Impact : Manipulation of data
Exposure of sensitive information
Where : From remote
Solution Status : Vendor Patch
Software: Oracle Database 10.x
Oracle Database 11.x
Multiple vulnerabilities have been reported in Oracle Database, which can be exploited by malicious users to compromise a vulnerable system, by malicious users and malicious people to disclose potentially sensitive information and manipulate certain data, and by malicious people to cause a DoS (Denial of Service).
1) An error in the Oracle Spatial component can be exploited by authenticated users to execute arbitrary code.
Successful exploitation of this vulnerability requires Create session, create index, alter index, and create table privileges.
2) An error in the Core RDBMS component can be exploited by authenticated users to execute arbitrary code.
Successful exploitation of this vulnerability requires create library and create procedure privileges.
3) Another error in the Core RDBMS component can be exploited to manipulate certain Core RDBMS accessible data and cause a DoS.
4) An error in the OCI component can be exploited to disclose or manipulate certain data.
5) Some errors exist within Enterprise Manager Grid Control.
6) An error in the Application Express component can be exploited to manipulate certain data.
7) An error within the RDBMS Core component can be exploited by authenticated users to manipulate certain data.
Successful exploitation of this vulnerability requires Create Session privileges.
The vulnerabilities are reported in the following products and versions:
* Oracle Database 11g Release 2 versions 184.108.40.206 and 220.127.116.11
* Oracle Database 11g Release 1 version 18.104.22.168
* Oracle Database 10g Release 2 versions 10.2.0.3, 10.2.0.4, and 10.2.0.5
Apply patches (please see the vendor's advisory for details).
Provided and/or discovered by:
It is currently unclear who reported these vulnerabilities as the Oracle Critical Patch Update for April 2012 only provides a bundled list of credits. This section will be updated when/if the original reporter provides more information.
Was this reply helpful? (0) (0)