Date: Tue, 8 Jun 2004 14:40:30 -0400
From: CERT Advisory <[email protected]>
To: [email protected]Subject: US-CERT Technical Cyber Security Alert TA04-160A -- SQL Injection Vulnerabilities in Oracle E-Business Suite
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Technical Cyber Security Alert TA04-160A
SQL Injection Vulnerabilities in Oracle E-Business Suite
Original release date: June 8, 2004
Last revised: --
Source: US-CERT
Systems Affected
* Oracle Applications 11.0 (all releases)
* Oracle E-Business Suite 11i, 11.5.1 through 11.5.8
Overview
A vulnerability in the Oracle's E-Business Suite allows a remote
attacker to execute arbitrary script on a vulnerable database system.
Exploitation may lead to compromise of the database application, data
integrity, or underlying operating system.
I. Description
Oracle E-Business Suite is a set of applications and modules that
enables an organization to manage customer interactions, deliver
services, manufacture products, ship orders, collect payments, and
other tasks using a single database model.
According to the Oracle Security Alert 67, Oracle Applications 11.0
(all releases) and Oracle E-Business Suite Release 11i, 11.5.1 through
11.5.8 are vulnerable to SQL injection vulnerabilities. Oracle
E-Business Suite Release 11.5.9 and later are not vulnerable. This
vulnerability is not platform specific. Integrigy Corporation has also
released an alert about these vulnerabilities.
Note that no authentication mechanisms of Oracle E-Business Suite will
mitigate exploitation of the attack.
US-CERT is tracking this issue as VU#961579.
II. Impact
An unauthenticated attacker could exploit this vulnerability to
execute arbitrary SQL statements on the vulnerable system with the
privileges of the Oracle server process. In addition to compromising
the integrity of the database information, this may lead to the
compromise of the database application and the underlying operating
system.
III. Solution
Apply Patch or Upgrade
According to the Oracle Security Alert 67, patches and related
information are available from:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocumen
t?p_database_id=NOT&p_id=274375.1
Appendix B. References
* http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
* http://www.integrigy.com/alerts/OraAppsSQLInjection.htm
* http://www.kb.cert.org/vuls/id/961579
_________________________________________________________________
US-CERT thanks Stephen Kost of Integrigy Corporation for reporting
this problem and for information used to construct this advisory.
_________________________________________________________________
Feedback can be directed to the author: Jason A. Rafail
_________________________________________________________________
The latest version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA04-160A.html>
_________________________________________________________________
Copyright 2004 Carnegie Mellon University.
Terms of use:
<http://www.us-cert.gov/legal.html>
_________________________________________________________________
Revision History
June 8, 2004: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)
iD8DBQFAxgVFXlvNRxAkFWARAiZSAKCsoyCrmSth7nWRX62FPnYZRUXp3QCeI5f+
gOYuIony8dN59HQ+63PUiMw=
=k4uL
-----END PGP SIGNATURE-----