Sie befinden sich aktuell in den Alexander Kornbrust Oracle Security Blog Blog-Archiven für den folgenden Tag 27 Jul 2009.
- 11g (12)
- Allgemein (29)
- David Litchfield (7)
- Exploit (23)
- Forensics (7)
- Oracle Security (105)
- passwords (8)
- Repscan (1)
- Security (22)
- Sentrigo (5)
- software (9)
- source code audit (5)
- SQL Injection (24)
- Tools (24)
- Trainings (3)
- Tutorial (2)
- 18 Nov 2011: DOAG 2011 Presentation "Best of Oracle Security 2011"
- 15 Okt 2011: Oracle Critical Patch Update Pre-Release Announcement - October 2011
- 17 Sep 2011: Disable Auditing and running OS commands using oradebug
- 13 Apr 2011: Blackhat Training "HACKING AND SECURING ORACLE (2 days) "
- 2 Apr 2011: Oracle Database 11.2 Express Edition Beta comes with weak default password
- 23 Mrz 2011: McAfee acquires Sentrigo
- 12 Okt 2010: TDE decrypt utilities and TDE/Password flash demo
- 22 Sep 2010: Marcell published "Writing your own password cracker" presentation
- 21 Sep 2010: Laszlo's presentation "Oracle Post Exploitation Techniques" and Marcel's Sybase ASE Password Cracker
- 10 Sep 2010: Update of "Project Lockdown" released
Oracle Security
SQL Injection
- November 2011
- Oktober 2011
- September 2011
- April 2011
- März 2011
- Oktober 2010
- September 2010
- August 2010
- April 2010
- März 2010
- Februar 2010
- Januar 2010
- Dezember 2009
- November 2009
- Oktober 2009
- September 2009
- August 2009
- Juli 2009
- Mai 2009
- April 2009
- März 2009
- Februar 2009
- Januar 2009
- Dezember 2008
- November 2008
- Oktober 2008
- August 2008
- Juli 2008
- Mai 2008
- April 2008
- März 2008
- Februar 2008
- Januar 2008
- Dezember 2007
- November 2007
- Oktober 2007
- September 2007
- August 2007
- Juli 2007
- Juni 2007
- Mai 2007
Archive für 27 Jul 2009
6 Advisories (2 from RDS) for Oracle CPU July 2009 posted
27 Jul 2009 von Alexander Kornbrust.
I just posted 2 new advisories for the July 2009 CPU from Oracle on my website.
The first advisory (CVE-2009-1021) is about PL/SQL Injection vulnerabilities in the package DBMS_EXPORT_EXTENSION. In July 2006 Oracle fixed already vulnerabilities in this package but the bugfix was not implemented properly.
The second advisory (CVE-2009-1969) is about an information disclosure problem in Oracle audit logs. In some cases these audit logs can contain password hashes.
Last Friday Denis Yurichev released 4 new advisories concerning the TNS Listener in Oracle 10g/11g. All advisories are explained with a proof-of-concept code.
The first and most critical bug (CVSS 9.0 Win/6.5 Linux) advisory (CVE-2009-1020) is remote exploitable but requires an authentication. All databases (9.2.08, 10.1.0.5, 10.2.0.4 and 11.1.0.7) are affected.
The second advisory (CVE-2009-1019) is remote exploitable without authentication. The P.o.C.of Denis creates a denial of service against the database. All databases (9.2.08, 10.1.0.5, 10.2.0.4 and 11.1.0.7) are affected.
The third advisory (CVE-2009-1963) is remote exploitable with authentication. The P.o.C.of Denis creates a denial of service against the database. 11.1.0.7 is affected.
The fourth advisory (CVE-2009-1970), remote exploitable without authentication, is a denial of service vulnerability against the database. Oracle 10.1.0.5, 10.2.0.4 and 11.1.0.6 are affected.
Geschrieben in Oracle Security | Drucken | Keine Kommentare »