| VID |
25035 |
| Severity |
40 |
| Port |
1521, ... |
| Protocol |
TCP |
| Class |
DB |
| Detailed Description |
The Oracle Database Server, according to its version number, is vulnerable to multiple remote command execution vulnerabilities. Several vulnerabilities have been reported in Oracle's Database Server, Application Server, and Enterprise Manager software. Oracle's Collaboration Suite and E-Business Suite 11i contain the vulnerable software and are affected as well. Oracle has released Oracle Security Alert #68 (pdf) to address the following vulnerabilities:
1. Unprivileged database users may execute arbitrary commands as the DBA, allowing compromise of the database.
2. Remote authorized database users may execute arbitrary code in the context of the server or cause a denial of service.
* Note: This check relies solely on the version number of the remote Oracle Listener to assess this vulnerability, so the result may be a false positive. If the server has already been patched, ignore this alert.
* References:
  * http://www.kb.cert.org/vuls/id/170830
  * http://www.kb.cert.org/vuls/id/316206
  * http://www.kb.cert.org/vuls/id/435974
  * http://www.oracle.com/technology/deploy/security/alerts.htm
  * http://www.securitytracker.com/alerts/2004/Aug/1011110.html
  * http://secunia.com/advisories/12409/
* Platforms Affected:
  * Oracle Database 10g Release 1, version 10.1.0.2
  * Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
  * Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
  * Oracle8i Database Server Release 3, version 8.1.7.4
  * Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
  * Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
  * Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
  * Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
  * Oracle9i Application Server Release 1, version 1.0.2.2
  * Any operating system
  * Any version |
| Recommendation |
Apply the appropriate patch or upgrade as specified in the Oracle Security Alert #68 (pdf) at http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf |
| Related URL |
CVE-2004-0637,CVE-2004-0638 (CVE) |
| Related URL |
11099,11100 (SecurityFocus) |
| Related URL |
(ISS) |
|