[NEWS] Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities
Date: 7 Jun 2004 18:59:09 +0200
From: SecuriTeam <[email protected]>
To: [email protected]
Subject: [NEWS] Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Multiple SQL injection vulnerabilities exist in the Oracle E-Business 
Suite 11i and Oracle Applications 11.0. These vulnerabilities can be 
remotely exploited simply using a browser and sending a specially crafted 
URL to the web server. A mandatory patch from Oracle is required to solve 
these security issues.

DETAILS

Vulnerable Systems:
 * Oracle E-Business Suite versions 11.0.x, 11.5.1 up to 11.5.8

Integrigy has discovered multiple SQL injection vulnerabilities in almost 
all supported versions of Oracle Applications (11.0 and 11i).  Because 
Oracle Applications 11i installs code for all product modules, all Oracle 
Applications 11i customers are vulnerable to these SQL injection issues.
 
A SQL injection vulnerability allows an attacker to execute SQL statements 
or database functions by inserting SQL code fragments into input fields of 
a web page.  Due to the design of Oracle Applications, a SQL injection 
attack can easily and effectively compromise the entire database and 
application.
 
Customers with Internet facing application servers are most vulnerable 
since these vulnerabilities can be exploited remotely using a browser.  
Because attacks can be tailored to Oracle Applications and an attack may 
consist of a single HTTP GET or POST, successful attacks can easily be 
designed to evade most intrusion detection and prevention systems.
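The two paragraphs above describe the defender's problem: a single crafted GET or POST against the Oracle Applications web tier that most IDS/IPS signatures miss. The following detection script is an added example, not part of the Integrigy/SecuriTeam advisory: it walks access-log lines, keeps only requests to the Oracle Apps entry points, peels URL encoding (including double encoding) off each query parameter and flags values that read like SQL fragments. The /OA_HTML/ and /pls/ prefixes, the Apache combined log format, and the page and DAD names in the sample lines are assumptions; the log lines are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote
# Added example, not part of the advisory. Assumptions: the Oracle Apps 11i web tier is
# served under /OA_HTML/ and /pls/, and the access log is in Apache combined format.
ORACLE_APPS_PATHS = ("/OA_HTML/", "/pls/")
# Fragments that only make sense inside SQL, not in ordinary form input.
SQLI_PATTERNS = [
    re.compile(r"'\s*(or|and)\s+[\w']+\s*=", re.I),   # ' OR 1=1
    re.compile(r"'\s*\|\|"),                          # quote followed by Oracle string concat
    re.compile(r"\bunion\s+(all\s+)?select\b", re.I),
    re.compile(r"\b(dbms_|utl_|sys\.)\w+", re.I),     # Oracle package/schema references
    re.compile(r"--|/\*"),                            # SQL comment used to swallow the rest
]
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<url>\S+) [^"]*" (?P<status>\d+)')

def decode_param(value, rounds=2):
    """Peel up to `rounds` layers of URL encoding so double-encoded input is inspected in the clear."""
    for _ in range(rounds):
        new = unquote(value.replace("+", " "))
        if new == value:
            break
        value = new
    return value

def scan_request(url):
    """Return the names of query parameters whose decoded value looks like a SQL fragment."""
    parts = urlsplit(url)
    if not parts.path.startswith(ORACLE_APPS_PATHS):
        return []                      # not an Oracle Apps entry point, out of scope
    return [name for name, value in parse_qsl(parts.query, keep_blank_values=True)
            if any(p.search(decode_param(value)) for p in SQLI_PATTERNS)]

def scan_log(lines):
    """Return (client ip, url, suspicious params) for every flagged request in the log."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (params := scan_request(m.group("url"))):
            findings.append((m.group("ip"), m.group("url"), params))
    return findings

SAMPLE_LOG = [  # constructed lines; page and DAD names are placeholders
    '10.0.0.5 - - [07/Jun/2004:18:59:09 +0200] "GET /OA_HTML/example_page.jsp?lang=US HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jun/2004:19:01:44 +0200] "GET /OA_HTML/example_page.jsp?user=x%27%20OR%201%3D1-- HTTP/1.1" 200 5120',
    '10.0.0.9 - - [07/Jun/2004:19:02:10 +0200] "GET /pls/EXAMPLE/example_proc?name=x%2527%2520UNION%2520SELECT%2520null HTTP/1.1" 500 310',
    '10.0.0.7 - - [07/Jun/2004:19:03:00 +0200] "GET /images/logo.gif?v=x%27%20OR%201%3D1 HTTP/1.1" 200 77',
]

if __name__ == "__main__":
    for ip, url, params in scan_log(SAMPLE_LOG):
        print(f"{ip} {url} suspicious params: {params}")
```

Requests to static content are ignored even when they carry the same fragments, and the double-encoded third line is only caught because the parameter is decoded a second time after parse_qsl's own decoding.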
 
Solution:
Oracle has released a patch for Oracle Applications 11.0 and the Oracle 
E-Business Suite 11i to correct these vulnerabilities.
 
The following Oracle patches must be applied --
      Version     Patch
      -------     -----
      11i         3644626     (11.5.1 - 11.5.8)
      11.0        3648066     (all versions)

The patch availability matrix is available in Oracle Metalink Note ID 
274375.1.
 
Oracle Applications 11i customers that have applied both the Report 
Manager Mini-pack B (11i.FRM.B) or greater AND Marketing Suite Family Pack 
B (11i.MKT_PF.B) do NOT need to apply a patch for these vulnerabilities - 
these patch levels are included in 11.5.9.
 
All Oracle Applications customers should consider this vulnerability 
extremely high risk and apply the above patch at the earliest possible 
opportunity.  Customers with Internet facing application servers should 
apply the patch immediately.
 
Appropriate testing and backups should always be performed before applying 
any patches.
 
Additional Information:
http://www.integrigy.com/resources.htm
http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
Metalink Note ID 274356.1 (Oracle Security Alert)
Metalink Note ID 274375.1 (Patch Availability Matrix)


ADDITIONAL INFORMATION

The information has been provided by Integrigy Security ([email protected]).




This bulletin is sent to members of the SecuriTeam mailing list. To unsubscribe from the list, send mail with an empty subject line and body to: [email protected] In order to subscribe to the mailing list, simply forward this email to: [email protected]

DISCLAIMER: The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
