Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities - oracle-l

Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities

From: Jared.Still@xxxxxxxxxxx
To: oracle-l@xxxxxxxxxxxxx
Date: Mon, 7 Jun 2004 16:10:14 -0700
The following security advisory is sent to the securiteam mailing list, 
and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html 

- - - - - - - - -



  Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities
------------------------------------------------------------------------


SUMMARY

Multiple SQL injection vulnerabilities exist in the Oracle E-Business 
Suite 11i and Oracle Applications 11.0. These vulnerabilities can be 
remotely exploited simply using a browser and sending a specially crafted 
URL to the web server. ?A mandatory patch from Oracle is required to solve 

these security issues.

DETAILS

Vulnerable Systems:
 * Oracle E-Business Suite versions 11.0.x, 11.5.1 up to 11.5.8

Integrigy has discovered multiple SQL injection vulnerabilities in almost 
all supported versions of Oracle Applications (11.0 and 11i).  Because 
Oracle Applications 11i installs code for all product modules, all Oracle 
Applications 11i customers are vulnerable to these SQL injection issues.
 
A SQL injection vulnerability allows an attacker to execute SQL statements 

or database functions by inserting SQL code fragments into input fields of 

a web page.  Due to the design of Oracle Applications, a SQL injection 
attack can easily and effectively compromise the entire database and 
application.
 
Customers with Internet facing application servers are most vulnerable 
since these vulnerabilities can be exploited remotely using a browser. 
Since attacks can be specially crafted for Oracle Applications and an 
attack may only be a single HTTP Get or Post, successful attacks can be 
easily designed that will evade most intrusion detection and prevention 
systems.
 
Solution:
Oracle has released a patch for Oracle Applications 11.0 and the Oracle 
E-Business Suite 11i to correct these vulnerabilities.
 
The following Oracle patches must be applied --
      Version     Patch
      -------     -----
      11i         3644626     (11.5.1 - 11.5.8)
      11.0        3648066     (all versions)

The patch availability matrix is available in Oracle Metalink Note ID 
274375.1.
 
Oracle Applications 11i customers that have applied both the Report 
Manager Mini-pack B (11i.FRM.B) or greater AND Marketing Suite Family Pack 

B (11i.MKT_PF.B) do NOT need to apply a patch for these vulnerabilities - 
these patch levels are included in 11.5.9.
 
All Oracle Applications customers should consider this vulnerability 
extremely high risk and apply the above patch at the earliest possible 
opportunity.  Customers with Internet facing application servers should 
apply the patch immediately.
 
Appropriate testing and backups should be always performed before applying 

any patches.
 
Additional Information:
 <http://www.integrigy.com/resources.htm> 
http://www.integrigy.com/resources.htm
 <http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf> 
http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf
Metalink Note ID 274356.1 (Oracle Security Alert)
Metalink Note ID 274375.1 (Patch Availability Matrix)


ADDITIONAL INFORMATION

The information has been provided by  <mailto:alerts@xxxxxxxxxxxxx> 
Integrigy Security.
Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities

Other related posts:
