Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update July 2005


From: "Integrigy Security" <alerts@integrigy.com.>
To: <bugtraq@securityfocus.com.>
Subject: Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i - Critical Patch Update July 2005
Date: Tue, 12 Jul 2005 14:27:41 -0500
Message-Id: <20050712193026.3A3734162@mail.integrigy.com.>

Integrigy Security Advisory
______________________________________________________________________
 
Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i
Oracle Critical Patch Update - July 2005
July 12, 2005
______________________________________________________________________
 
Summary:

Oracle today will be releasing its third Critical Patch Update (July 2005).
The patches contained in the Critical Patch Update will correct numerous
security bugs in the Oracle Database, Oracle Application Server, and Oracle
E-Business Suite.  

A number of high risk SQL injection and parameter manipulation security
vulnerabilities in the Oracle E-Business Suite are corrected by the security
patches released today.  Customers with Internet-facing implementations of
the Oracle E-Business Suite should consider applying these patches as soon
as possible.  It is possible that an attacker with only a web browser and a
network connection (either internally or externally) to Oracle E-Business
Suite web application servers can execute malicious SQL statements in the
database as the APPS database account. 
 
The Oracle E-Business Suite patches involved with this Critical Patch Update
are much more complex than those in the previous CPUs and will, in our
opinion, require additional functional testing.  In addition, the Oracle
E-Business Suite security patches are not cumulative; therefore, all the
patches specified in this CPU and previous CPUs must be applied.

Integrigy will be releasing more detailed guidance in the near future in
order to assist our clients in determining the relevance and priority of
patches for their Oracle E-Business Suite implementations.  The Integrigy
analysis for this Critical Patch Update will be posted at
http://www.integrigy.com/analysis.htm when it is available.
______________________________________________________________________
 
For more information or questions regarding this security advisory, please
contact us at [email protected].
 
Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.
 
Credit:
 
The vulnerabilities referenced in this advisory were discovered and reported
to Oracle by Stephen Kost of Integrigy Corporation.
______________________________________________________________________
 
About Integrigy Corporation (www.integrigy.com)
 
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. AppDefend is an intrusion prevention system for
Oracle Applications and blocks common types of attacks against application
servers. Integrigy Consulting offers security assessment services for
leading ERP and CRM applications.
 
For more information, visit www.integrigy.com.




