[VulnWatch] Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update July 2005

From: Integrigy Security (alerts@private)
Date: Tue Jul 12 2005 - 12:27:41 PDT


Integrigy Security Advisory
______________________________________________________________________
 
Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i
Oracle Critical Patch Update - July 2005
July 12, 2005
______________________________________________________________________
 
Summary:

Oracle today will be releasing its third Critical Patch Update (July 2005).
The patches contained in the Critical Patch Update will correct numerous
security bugs in the Oracle Database, Oracle Application Server, and Oracle
E-Business Suite.  

A number of high risk SQL injection and parameter manipulation security
vulnerabilities in the Oracle E-Business Suite are corrected by the security
patches released today.  Customers with Internet-facing implementations of
the Oracle E-Business Suite should consider applying these patches as soon
as possible.  It is possible that an attacker with only a web browser and a
network connection (either internally or externally) to Oracle E-Business
Suite web application servers can execute malicious SQL statements in the
database as the APPS database account. 
 
The Oracle E-Business Suite patches involved with this Critical Patch Update
are much more complex than those in previous CPUs and, in our opinion, will
require additional functional testing.  In addition, the Oracle E-Business
Suite security patches are not cumulative; therefore, all the patches
specified in this CPU and previous CPUs must be applied.

Integrigy will be releasing more detailed guidance in the near future in
order to assist our clients in determining the relevance and priority of
patches for their Oracle E-Business Suite implementations.  The Integrigy
analysis for this Critical Patch Update will be posted at
http://www.integrigy.com/analysis.htm when it is available.
______________________________________________________________________
 
For more information or questions regarding this security advisory, please
contact us at alerts@private
 
Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.
 
Credit:
 
The vulnerabilities referenced in this advisory were discovered and reported
to Oracle by Stephen Kost of Integrigy Corporation.
______________________________________________________________________
 
About Integrigy Corporation (www.integrigy.com)
 
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. AppDefend is an intrusion prevention system for
Oracle Applications and blocks common types of attacks against application
servers. Integrigy Consulting offers security assessment services for
leading ERP and CRM applications.
 
For more information, visit www.integrigy.com.


