Sie befinden sich in den Archiven der Kategorie CPUJan2008.
| M | D | M | D | F | S | S |
|---|---|---|---|---|---|---|
| « Mai | ||||||
| 1 | 2 | 3 | 4 | 5 | 6 | |
| 7 | 8 | 9 | 10 | 11 | 12 | 13 |
| 14 | 15 | 16 | 17 | 18 | 19 | 20 |
| 21 | 22 | 23 | 24 | 25 | 26 | 27 |
| 28 | 29 | 30 | 31 | |||
- 10.2.0.4 (1)
- 11g (3)
- Allgemein (10)
- checkpwd (4)
- CPUApr2008 (3)
- CPUJan2008 (2)
- CPUJul2007 (3)
- CPUOct2007 (1)
- Database Vault (1)
- David Litchfield (4)
- Exploit (4)
- Forensics (3)
- Inguma (2)
- MacOS (1)
- Mary Ann (1)
- Oracle (2)
- Oracle Security (45)
- passwords (3)
- Podcast (1)
- rootkits (1)
- Security (9)
- Security Book (1)
- Sentrigo (1)
- software (2)
- Source Code Analysis (1)
- source code audit (3)
- SQL Injection (4)
- Trainings (1)
- 8 Mai 2008: Checkpwd 1.23 for MacOS Intel native released
- 16 Apr 2008: Oracle CPU April 2008 - Update
- 15 Apr 2008: Oracle Critical Patch Update April 2008 is out
- 11 Apr 2008: Looking Glass and Oracle 11g
- 11 Apr 2008: Oracle Critical Patch Update Pre-Release Announcement - April 2008
- 4 Mrz 2008: We proudly present: Anna Marie Kornbrust
- 4 Mrz 2008: Corba Exploit for VisiBroker published
- 25 Feb 2008: Oracle Patchset 10.2.0.4 is out
- 31 Jan 2008: First exploits for CPUJan2008 published
- 15 Jan 2008: Oracle Patch CPU January 2008 is out...
Archiv der Kategorie CPUJan2008
First exploits for CPUJan2008 published
31 Jan 2008 von Alexander Kornbrust.
The first exploits for CPU January 2008 were published on milw0rm.com.
Alexandr Polyakov from Digital Security published 4 exploits for XMLDB. Alexandr found and reported these vulnerabilities mid of december 2007 to Oracle. It seems that someone else reported these errors before because Oracle NEVER fixes vulnerabilities within less than a month.
- SQL Injection in PITRIG_DROP (1)
- SQL Injection in PITRIG_DROP (2)
- SQL Injection in PITRIG_TRUNCATE (1)
- SQL Injection in PITRIG_TRUNCATE (2)
Geschrieben in CPUJan2008, Exploit, SQL Injection | 7 Kommentare »
Oracle Patch CPU January 2008 is out…
15 Jan 2008 von Alexander Kornbrust.
Oracle just released their latest Oracle Critical Patch Update (CPU) January 2008. As promised in the prelease announcement the patch contains 8 fixes for the database itself. As usual most of the vulnerabilities are coming from the usual suspects (Esteban, Joxean, David, Alex) and some other people like Pete Finnigan, Mariano Nunez Di Croce, Ali Kumcu and Alexandr Polyakov.
According to an email from Oracle secalert they fixed 7 of my vulnerabilities (tracking numbers: 6980733, 7520291, 9675443, 9675563, 9675681, 9675695, 9675857) but they mapped them to DB05, DB04 and DB02.
The highest database CVSS rating of 6.5 has DB01.
DB02, DB03, DB04 and DB05 are SQL Injection vulnerabilities allowing privilege escalation.
The highest application server CVSS ratings of 9.3 are 2 bugs (AS01, AS02) in Oracle Jinitiator 1.1.8.26 and 1.3.1.27 and affects clients only.
Other interesting information are described in the Metalink note 466757.1. With this CPU it is necessary to recompile ALL Views to fix the “VIEW” problems fixed with Oracle CPU July/October 2007.
Geschrieben in CPUJan2008, Oracle Security | 1 Kommentar »