Numerous security vulnerabilities have been discovered in Oracle Database. Oracle Database is a popular relational database management system that offers the scalability, high availability and management automation needed to build grid computing infrastructures in large enterprise environments. The vulnerabilities are caused by errors in a number of components (e.g. Client System Analyzer, Cluster Verify Utility, Database Vault). An attacker could exploit them to carry out denial of service attacks, gain unauthorized access to sensitive information and execute arbitrary code. Since an appropriate update is available, all users are advised to apply it.

Oracle Database Multiple Code Execution and Information Disclosure

VUPEN ID: VUPEN/ADV-2011-0139
CVE ID: CVE-2010-3590, CVE-2010-3600, CVE-2010-4413, CVE-2010-4420, CVE-2010-4421, CVE-2010-4423
CWE ID: Available in VUPEN VNS Customer Area
CVSS V2: Available in VUPEN VNS Customer Area
Rated as: High Risk
Impact: Available in VUPEN VNS Customer Area
Authentication Level: Available in VUPEN VNS Customer Area
Access Vector: Available in VUPEN VNS Customer Area
Release Date: 2011-01-19

Technical Description
Multiple vulnerabilities have been identified in Oracle Database, which could be exploited by attackers or malicious users to cause a denial of service, gain knowledge of sensitive information or execute arbitrary code. These issues are caused by errors in the Client System Analyzer, Cluster Verify Utility, Database Vault, Oracle Spatial, and Scheduler Agent components, which could be exploited to compromise a vulnerable database.

Affected Products
Oracle Database 11g Release 2 version 11.2.0.1
Oracle Database 11g Release 1 version 11.1.0.7
Oracle Database 10g Release 2 version 10.2.0.3
Oracle Database 10g Release 2 version 10.2.0.4
Oracle Database 10g Release 2 version 10.2.0.5
Oracle Database 10g Release 1 version 10.1.0.5

Solution
Apply Oracle Critical Patch Update - January 2011:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

References
http://www.vupen.com/english/advisories/2011/0139
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html

Credits
Vulnerabilities reported by Alexander Kornbrust (Red Database Security), Alexandr Polyakov (Digital Security), Alexey Sintsov (Digital Security Research Group), Andrea Micalizzi aka rgod (TippingPoint Zero Day Initiative), Andrey Labunets (Digital Security Research Group), Cris Neckar (Neohapsis, Inc.), Daniel Fahlgren, Esteban Martinez Fayo (Application Security, Inc.), Evdokimov Dmitriy (Digital Security Research Group), Karan Saberwal, Laszlo Toth, Maksymilian Arciemowicz (SecurityReason), Martin Rakhmanov (Application Security, Inc.), Matt Parcell (Accuvant), Monarch2020 (unsecurityresearch.com), Robert Clugston (Accuvant), Roberto Suggi Liverani (Security-Assessment.com), Rodrigo Rubira Branco (BSDaemon) via TippingPoint Zero Day Initiative, and Sumit Siddharth (7safe).

Changelog
2011-01-19: Initial release