Oracle CPU October 2007 - 14 Bugs reported by RDS (updated)

16 Okt 2007 von Alexander Kornbrust.

I just arrived in Munich. Wednesday and Thursday I will give an Oracle Hacker Training for the Oracle University.

Oracle just released the Oracle Critical Patch Update for October with fixes for 51 vulnerabilities in various products. The CPU for the database contains fixes are 27.

14 of them were reported by Red-Database-Security. The vulnerabilities were reported by the usual suspects (David, Esteban, Joxean, Johannes Greil and me).
Oracle is fixing 11 bugs in Workspace Manager, 3 in Oracle Text and 3 in Oracle Spatial. There are also some bugs in Advanced Queueing, XMLDB, OID and ASO). There are 2 bugs in Import/Export. The Import bug (DB01, reported by us) is the most critical bug with a rating of 6.5 (CVSS 2.0 rating) and affects all versions of Oracle. Some of our bugs in Database Vault (DB21) and Enterprise Manager (EM01) are remote exploitable.

The bugs in the database (AFAIK) are SQL Injection (Workspace Manager, Spatial), Buffer Overflows, Privilege Escalation.

More details soon.

Geschrieben in CPUOct2007, Oracle Security | 1 Kommentar »