From: Shatter <shatter@appsecinc.com.>
To: Bugtraq <bugtraq@securityfocus.com.>,
Date: Mon, 3 Aug 2009 19:31:16 -0400
Subject: Team SHATTER Security Advisory: Multiple SQL Injection
vulnerabilities in Oracle Enterprise Manager
Thread-Topic: Team SHATTER Security Advisory: Multiple SQL Injection
vulnerabilities in Oracle Enterprise Manager
Thread-Index: AcoUkn8SlmOFy8/ZSZuoZyCM/+0cRA==
Message-ID: <BB184445F393D244AEB0312F069BAAB10808F40D7D@mxe1.nycapt35k.com.>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
acceptlanguage: en-US
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
MIME-Version: 1.0
X-Virus-Scanned: antivirus-gw at tyumen.ru
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Team SHATTER Security Advisory
Multiple SQL Injection vulnerabilities in Oracle Enterprise Manager
July 22, 2009
Risk Level:
High
Affected versions:
Oracle Enterprise Manager Database Control 11 (11.1.0.6, 11.1.0.7) and Orac=
le Enterprise Manager 10g Grid Control 10.2.0.4 (and previous patchsets)=20
Remote exploitable:
Yes (Authentication is needed)
Credits:=20
This vulnerability was discovered and researched by Esteban Mart=EDnez Fay=
=F3 of Application Security Inc.=20
Details:=20
SQL Injection works by attempting to modify the parameters passed to an app=
lication to change the SQL statements that are passed to a database. SQL in=
jection can be used to insert additional SQL statements to be executed.
The 'Type', 'snapshot' and 'table' parameters used in web page /em/console/=
ecm/history/configHistory and 'fConfigGuid' parameter used in /em/console/e=
cm/config/compare/compareWizSecondConfig are vulnerable to SQL Injection at=
tacks. These web pages are part of Oracle Enterprise Manager web applicatio=
n. It may be possible for a malicious user to execute a function with the e=
levated privileges of the SYSMAN database user in the repository database. =
This user has the DBA role granted.
Impact:
This vulnerability allow a Oracle Enterprise Manager user with VIEW (or mor=
e) privileges to execute a function call with the elevated privileges of th=
e SYSMAN database user.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
There is no workaround for this issue.
Fix:
Apply Oracle Critical Patch Update July 2009 available at Oracle Metalink.
CVE:
CVE-2009-1966, CVE-2009-1967
Links:
Application Security, Inc advisory: http://www.appsecinc.com/resources/aler=
ts/oracle/2009-04.shtml
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpu=
jul2009.html
Timeline:
Vendor Notification - 7/11/2008
Vendor Response - 7/14/2008
Fix - 7/14/2009
Public Disclosure - 7/22/2009
Application Security, Inc's database security solutions have helped over 1,=
600 organizations secure their databases from all internal and external thr=
eats while also ensuring that those organizations meet or exceed regulatory=
compliance and audit requirements.
Disclaimer: The information in the advisory is believed to be accurate at t=
he time of publishing based on currently available information. Use of the =
information constitutes acceptance for use in an AS IS condition. There are=
no warranties with regard to this information. Neither the author nor the =
publisher accepts any liability for any direct, indirect, or consequential =
loss or damage arising from use of, or reliance on, this information.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0
iD8DBQFKd3Mm9EOAcmTuFN0RAsvtAKCy63s4g+vP3NMNgY/cH3Yk7IJXhwCdFxkI
x3i+U89DFXpEf/UHUalXsnc=3D
=3DD60y
-----END PGP SIGNATURE-----
