Vigil@nce: Oracle Database, several vulnerabilities of October 2008
October 2008 by Vigil@nce
SYNTHESIS
Several vulnerabilities are corrected by the CPU of October 2008.
Gravity: 2/4
Consequences: privileged access/rights, data reading, data
creation/modification
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 15
Creation date: 15/10/2008
IMPACTED PRODUCTS
– Oracle Database
DESCRIPTION
The CPU (Critical Patch Update) of October 2008 corrects several
vulnerabilities of Oracle Database. Oracle's announcement contains a
detailed table, summarized below.
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on DMSYS.ODM_MODEL_UTIL) can obtain information, alter
information or create a denial of service via a vulnerability of
Oracle Data Mining. [grav:2/4; CVE-2008-3989]
An attacker (via Oracle Net, authenticated, with the Create Public
Synonym privilege) can obtain information, alter information or
create a denial of service via a vulnerability of Oracle OLAP.
[grav:2/4; CVE-2008-2624]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on DBMS_CDC_PUBLISH) can obtain or alter information via
a vulnerability of Change Data Capture. [grav:2/4; CVE-2008-3995]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on DBMS_CDC_IPUBLISH) can obtain or alter information
via a vulnerability of Change Data Capture. [grav:2/4;
CVE-2008-3996]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on DMSYS.DBMS_DM_EXP_INTERNAL) can obtain or alter
information via a vulnerability of Oracle Data Mining. [grav:2/4;
CVE-2008-3992]
An attacker (via Oracle Net, authenticated, allowed to create a
session) can obtain or alter information via a vulnerability of
Oracle Spatial. [grav:2/4; CVE-2008-3976]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on SYS.LT or WMSYS.LT) can obtain or alter information
via a vulnerability of Workspace Manager. [grav:2/4; CVE-2008-3982]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on SYS.LT or WMSYS.LT) can obtain or alter information
via a vulnerability of Workspace Manager. [grav:2/4; CVE-2008-3983]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on SYS.LT or WMSYS.LT) can obtain or alter information
via a vulnerability of Workspace Manager. [grav:2/4; CVE-2008-3984]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on WMSYS.LTADM) can obtain or alter information via a
vulnerability of Workspace Manager. [grav:2/4; CVE-2008-3994]
An attacker (via Oracle Net, authenticated, allowed to create a
trigger) can obtain or alter information via a vulnerability of
Upgrade. [grav:2/4; CVE-2008-3980]
An attacker (via Oracle Net, authenticated, allowed to create a
session) can obtain information, alter information or create a
denial of service via a vulnerability of Oracle Application
Express. [grav:2/4; CVE-2008-4005]
An attacker (via Oracle Net, not authenticated) can obtain or
alter information via a vulnerability of Core RDBMS. This
vulnerability can be used by an attacker to connect to the server
without authenticating. [grav:2/4; CVE-2008-2625]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on OLAPSYS.CWM2_OLAP_AW_AWUTIL) can obtain information,
alter information or create a denial of service via a
vulnerability of Oracle OLAP. [grav:2/4; CVE-2008-3990]
An attacker (via Oracle Net, authenticated, with the EXECUTE
privilege on OLAPSYS.CWM2_OLAP_AW_AWUTIL) can obtain information,
alter information or create a denial of service via a
vulnerability of Oracle OLAP. [grav:1/4; CVE-2008-3991]
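The privilege preconditions listed above can be turned into an exposure check. The query below is an added example, not part of the bulletin or of Oracle's advisory: it lists every grantee holding one of the named EXECUTE or system privileges, next to the CVEs that privilege is a precondition for. Assumptions: the reader can query DBA_TAB_PRIVS and DBA_SYS_PRIVS, "allowed to create a trigger" is mapped to the CREATE TRIGGER and CREATE ANY TRIGGER system privileges, and the two Change Data Capture packages are matched under any owner because the bulletin names none.

```sql
-- Added example: who holds the privileges this bulletin lists as preconditions?
-- Needs read access to DBA_TAB_PRIVS and DBA_SYS_PRIVS.
WITH precond AS (
  SELECT 'DMSYS' AS owner, 'ODM_MODEL_UTIL' AS object_name,
         'CVE-2008-3989' AS cves FROM dual UNION ALL
  SELECT 'DMSYS', 'DBMS_DM_EXP_INTERNAL', 'CVE-2008-3992' FROM dual UNION ALL
  SELECT 'OLAPSYS', 'CWM2_OLAP_AW_AWUTIL',
         'CVE-2008-3990, CVE-2008-3991' FROM dual UNION ALL
  SELECT 'SYS', 'LT',
         'CVE-2008-3982, CVE-2008-3983, CVE-2008-3984' FROM dual UNION ALL
  SELECT 'WMSYS', 'LT',
         'CVE-2008-3982, CVE-2008-3983, CVE-2008-3984' FROM dual UNION ALL
  SELECT 'WMSYS', 'LTADM', 'CVE-2008-3994' FROM dual UNION ALL
  -- Assumption: the bulletin gives no owner for the CDC packages, so '%'
  -- matches any owner in the LIKE below.
  SELECT '%', 'DBMS_CDC_PUBLISH', 'CVE-2008-3995' FROM dual UNION ALL
  SELECT '%', 'DBMS_CDC_IPUBLISH', 'CVE-2008-3996' FROM dual
)
-- Object privileges: EXECUTE on the packages named in the bulletin.
SELECT p.cves,
       'EXECUTE on ' || t.owner || '.' || t.table_name AS precondition,
       t.grantee
FROM   precond p
JOIN   dba_tab_privs t
       ON  t.table_name = p.object_name
       AND t.owner LIKE p.owner
WHERE  t.privilege = 'EXECUTE'
UNION ALL
-- System privileges: public synonym creation (Oracle OLAP) and trigger
-- creation (Upgrade). The trigger mapping is an assumption, see lead-in.
SELECT CASE s.privilege
         WHEN 'CREATE PUBLIC SYNONYM' THEN 'CVE-2008-2624'
         ELSE 'CVE-2008-3980'
       END,
       s.privilege,
       s.grantee
FROM   dba_sys_privs s
WHERE  s.privilege IN ('CREATE PUBLIC SYNONYM',
                       'CREATE TRIGGER',
                       'CREATE ANY TRIGGER')
ORDER  BY 1, 2, 3;
```

A grantee in the result may be a role or PUBLIC, in which case every account holding that role inherits the precondition. CVE-2008-3976 and CVE-2008-4005 require only a session and CVE-2008-2625 requires no authentication, so they are left out of the query and are addressed only by applying the CPU.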
CHARACTERISTICS
Identifiers: CPUOct2008, CVE-2008-2624, CVE-2008-2625,
CVE-2008-3976, CVE-2008-3980, CVE-2008-3982, CVE-2008-3983,
CVE-2008-3984, CVE-2008-3989, CVE-2008-3990, CVE-2008-3991,
CVE-2008-3992, CVE-2008-3994, CVE-2008-3995, CVE-2008-3996,
CVE-2008-4005, VIGILANCE-VUL-8178