CRIME FW: US-CERT Technical Cyber Security Alert TA04-160A -- SQL Injection Vulnerabilities in Oracle E-Business Suite

From: George Heuston (GeorgeH@private)
Date: Tue Jun 08 2004 - 14:19:03 PDT

  • Next message: George Heuston: "CRIME FW: [Information_technology] Daily News 06/08/04" 

    -----Original Message-----
From: US-CERT Technical Alerts [mailto:technical-alerts@us-cert.gov] 
Sent: Tuesday, June 08, 2004 11:37 AM
To: technical-alerts@us-cert.gov
Subject: US-CERT Technical Cyber Security Alert TA04-160A -- SQL
Injection Vulnerabilities in Oracle E-Business Suite 


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

            Technical Cyber Security Alert TA04-160A
     SQL Injection Vulnerabilities in Oracle E-Business Suite

   Original release date: June 8, 2004
   Last revised: --
   Source: US-CERT

Systems Affected

     * Oracle Applications 11.0 (all releases)
     * Oracle E-Business Suite 11i, 11.5.1 through 11.5.8

Overview

   A vulnerability in the Oracle's E-Business Suite allows a remote
   attacker to execute arbitrary script on a vulnerable database system.
   Exploitation may lead to compromise of the database application, data
   integrity, or underlying operating system.

I. Description

   Oracle E-Business Suite is a set of applications and modules that
   enables an organization to manage customer interactions, deliver
   services, manufacture products, ship orders, collect payments, and
   other tasks using a single database model.

   According to the Oracle Security Alert 67, Oracle Applications 11.0
   (all releases) and Oracle E-Business Suite Release 11i, 11.5.1
through
   11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
   E-Business Suite Release 11.5.9 and later are not vulnerable. This
   vulnerability is not platform specific. Integrigy Corporation has
also
   released an alert about these vulnerabilities.

   Note that no authentication mechanisms of Oracle E-Business Suite
will
   mitigate exploitation of the attack.

   US-CERT is tracking this issue as VU#961579.

II. Impact

   An unauthenticated attacker could exploit this vulnerability to
   execute arbitrary SQL statements on the vulnerable system with the
   privileges of the Oracle server process. In addition to compromising
   the integrity of the database information, this may lead to the
   compromise of the database application and the underlying operating
   system.

III. Solution

   Apply Patch or Upgrade

     According to the Oracle Security Alert 67, patches and related
     information are available from:

     http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
     t?p_database_id=NOT&p_id=274375.1

Appendix B. References

     * http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
     * http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
     * http://www.kb.cert.org/vuls/id/961579
  _________________________________________________________________

   US-CERT thanks Stephen Kost of Integrigy Corporation for reporting
   this problem and for information used to construct this advisory.
  _________________________________________________________________

   Feedback can be directed to the author: Jason A. Rafail
  _________________________________________________________________

   The latest version of this document can be found at:
   
     <http://www.us-cert.gov/cas/techalerts/TA04-160A.html>
  _________________________________________________________________
   
   Copyright 2004 Carnegie Mellon University.
     
   Terms of use:
     
     <http://www.us-cert.gov/legal.html>  
  _________________________________________________________________
   
   Revision History

   June 8, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFAxgVFXlvNRxAkFWARAiZSAKCsoyCrmSth7nWRX62FPnYZRUXp3QCeI5f+
gOYuIony8dN59HQ+63PUiMw=
=k4uL
-----END PGP SIGNATURE-----

    This archive was generated by hypermail 2b30 : Tue Jun 08 2004 - 14:53:09 PDT