__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Oracle E-Business Suite SQL Injection Vulnerability [Oracle Security Alert 67] June 7, 2004 17:00 GMT Number O-153 ______________________________________________________________________________ PROBLEM: Oracle E-Business Suite contains input validation security vulnerabilities. PLATFORM: Oracle E-Business Suite Release 11i, 11.5.1 through 11.5.8 Release 11.5.9 and later releases are not affected. Oracle Applications 11.0, All releases DAMAGE: A remote attacker may execute arbitrary SQL commands and compromise the database and application. SOLUTION: Oracle E-Business Suite customers must apply the patch Listed in the Patch Availability Matrix for their Release of E-Business Suite. ______________________________________________________________________________ VULNERABILITY The risk is MEDIUM. The vulnerabilities may allow an attacker ASSESSMENT: to execute unauthorized procedures or SQL inside the database. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/o-153.shtml ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/2004alert67.pdf ______________________________________________________________________________ [***** Start Oracle Security Alert 67 *****] Oracle Security Alert 67 Dated: 3 June 2004 Severity: 1 Unauthorized Access Vulnerabilities in Oracle EBusiness Suite Description Security vulnerabilities have been discovered in Oracle EBusiness Suite. These vulnerabilities may allow a knowledgeable and malicious user to execute unauthorized procedures or SQL inside the database. Supported Products Affected · Oracle EBusiness Suite Release 11i, 11.5.1 through 11.5.8 Release 11.5.9 and later releases are not affected. · Oracle Applications 11.0, All Releases Previous products and releases have not been tested for the presence of this vulnerability because, in accordance with the following document: http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=226571.1 they are no longer being patched. Oracle EBusiness Suite Oracle EBusiness Suite customers must apply the patch listed in the Patch Availability Matrix for their release of EBusiness Suite. Platforms Affected All platforms. Required Conditions for Exploit An unauthenticated user with browser access to a web server hosting the EBusiness Suite application. Risk to Exposure Risk to exposure is high, as any user with browser access and specialized knowledge can exploit these vulnerabilities. How to Minimize Risk There is no workaround that fully addresses the security vulnerabilities described in this Alert. Ramification for Customer Customers are vulnerable unless the patch is applied. Oracle strongly recommends that customers review the severity rating for this Alert and patch accordingly. See http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for a definition of severity ratings. Patch Availability Please see MetaLink Document ID 274375.1: http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument? p_database_id=NOT&p_id=274375.1 for the patch download procedures and for the Patch Availability Matrix for this Oracle Security Alert. Please review MetaLink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable. Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any original files that are replaced by the patch. References General Oracle Security Resources · Security Alert FAQ, MetaLink Document ID 237007.1 · http://otn.oracle.com/products/ias/pdf/best_practices/security_ best_practices.pdf · http://otn.oracle.com/deploy/security/oracle9ias/ · http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf · http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf · http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf Credits Oracle Corporation thanks Stephen Kost of Integrigy for discovering and bringing these potential security vulnerabilities to Oracle’s attention. Modification History 03JUN2004: Initial release, version 1 [***** End Oracle Security Alert 67 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Oracle for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) O-143: Gnome Toolkit (GTK+) Support Libraries Vulnerability O-144: Sun ypserv and ypxfrd Vulnerabilities O-145: Red Hat Updated Kernel Packages for Enterprise Linux 3 O-146: kdelibs Package Vulnerabilities O-147: Linux CVS Server Heap Overflow Vulnerability O-148: Linux Neon and Cadaver Buffer Overflow Vulnerability O-149: Norton AntiVirus 2004 ActiveX Control Vulnerability O-150: Multiple Security Problems in Ethereal 0.10.3 O-151: Apple Mac OS X Help Viewer Vulnerability O-152: HP OpenView Select Access Remote Unauthorized Access