Oracle Enterprise Manager Has Local Vulnerabilities With Unspecified Impact
SecurityTracker Alert ID: 1011110
SecurityTracker URL: http://securitytracker.com/id?1011110
CVE Reference: GENERIC-MAP-NOMATCH
Date: Aug 31 2004
Impact: Not specified
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): 10g, version 10.1.0.2
Description: Some vulnerabilities were reported in Oracle Enterprise Manager. A local user can exploit these flaws. The impact was not specified.
The vendor reported that the Oracle Enterprise Manager Grid Control and Oracle Enterprise Manager Database Control products contain several vulnerabilities. Oracle characterizes the exposure risk as high. A local user on the Enterprise Manager host can exploit these flaws. No details were provided.
Impact: The impact was not specified.
Solution: Oracle has issued a fix. Patch information is provided in MetaLink Document ID 281189.1, available at:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
A fix will be included as part of the future 10.1.0.3 release.
Vendor URL: www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
Cause: Not specified
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
Message History:
None.
Source Message Contents
Date: Tue, 31 Aug 2004 16:28:32 -0400
Subject: http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
> August 31st, 2004
> Severity: 1
> Alert #68: Oracle Security Update
Oracle issued a security alert covering multiple flaws in multiple Oracle server
products.
The following versions are affected:
• Oracle Database 10g Release 1, version 10.1.0.2
• Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
• Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
• Oracle8i Database Server Release 3, version 8.1.7.4
• Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
• Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
• Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
• Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
• Oracle9i Application Server Release 1, version 1.0.2.2
The vulnerabilities and their severity ratings (as assigned by Oracle) are listed
below:
Oracle Database Server Vulnerabilities:
Vulnerabilities exist in the Database Server and the Listener. Exposure risk is
high. Network access is required, but a valid user account is not required.
Oracle Application Server Vulnerabilities:
Vulnerabilities exist in the Portal and iSQL*Plus components of Oracle Application
Server. Exposure risk is high. Network access is required to exploit some of these
flaws, but a valid user account is not required.
Oracle Enterprise Manager Vulnerabilities:
Vulnerabilities exist in Oracle Enterprise Manager. Exposure risk is high. A local
user on the Enterprise Manager host can exploit these flaws.
Oracle Collaboration Suite Impact:
The vendor advises all Collaboration Suite customers to apply the Oracle Database
patches to their Information Storage database and the Oracle Application
Server-embedded database. Customers should also apply the application server patch to
the Oracle Application Server infrastructure installation and to each Collaboration
Suite middle tier installation.
Information Storage database customers running Oracle Database 10g Release 1, version
10.1.0.2 should also apply the Enterprise Manager patch.
E-Business Suite 11i Impact:
The vendor advises E-Business Suite Release 11i customers to apply the available Oracle
Database patches to their current Oracle Database Servers:
• Oracle8i Database Server Release 3, version 8.1.7.4
• Oracle9i Database Server Release 2, version 9.2.0.4
• Oracle9i Database Server Release 2, version 9.2.0.5
E-Business Suite 11i customers should also apply the Oracle Application Server patch
to their current Oracle Application Server releases:
• Oracle9i Application Server Release 1, version 1.0.2.2
• Oracle Application Server 10g (9.0.4), version 9.0.4.0
Patch information is provided in MetaLink Document ID 281189.1, available at:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
Oracle has listed the following URLs as references for this alert:
• http://www.appsecinc.com/resources/alerts/oracle/
• http://www.integrigy.com/resources.htm
• http://www.nextgenss.com/advisory.htm
• http://www.pentest.co.uk/cgi-bin/viewcat.cgi?cat=alerts&section=00
• http://www.petefinnigan.com/alerts.htm
• http://www.qinetiq.com/home/case_studies/security.html
• http://www.red-database-security.com/
• http://www.securityfocus.com/bid/10871
• http://www.kb.cert.org/vuls/id/316206
Oracle credits a long list of people with reporting these vulnerabilities:
Cesar Cerrudo, Pete Finnigan, Jonathan Gennick, Alexander Kornbrust of Red Database
Security, Stephen Kost of Integrigy, David Litchfield of NGSS Limited, Matt Moore of
PenTest Limited, Aaron Newman of Application Security Inc., Andy Rees of QinetiQ,
and Christian Schaller of Siemens CERT.