Vigil@nce: Oracle Database, several vulnerabilities of July 2008

July 2008 by Vigil@nce

SYNTHESIS

Several vulnerabilities are corrected by the CPU of July 2008.

Gravity: 2/4

Consequences: administrator access/rights, privileged
access/rights, user access/rights, data reading, data
creation/edition, data deletion, denial of service

Provenance: user account

Means of attack: no proof of concept, no attack

Ability of attacker: expert (4/4)

Confidence: confirmed by the editor (5/5)

Diffusion of the vulnerable configuration: high (3/3)

Creation date: 16/07/2008

Identifier: VIGILANCE-VUL-7949

IMPACTED PRODUCTS

 Hewlett-Packard OpenView
 Oracle Database [confidential versions]

DESCRIPTION

The CPU (Critical Patch Update) of July 2008 corrects several
vulnerabilities of Oracle Database. Oracle's announcement contains a
detailed table, summarized below.

An attacker (via Oracle Net, authenticated and with the execute on
SYS.DBMS_AQELM privilege) can create an overflow in order to
obtain information, alter information or create a denial of
service via a vulnerability of Oracle Net Services. [grav:2/4;
CVE-2008-2607]

An attacker (local, authenticated and member of oinstall group)
can use a vulnerability of a suid root program of Database
Scheduler in order to execute privileged code. [grav:2/4;
CVE-2008-2613]

An attacker (via Oracle Net, authenticated and with the execute on
SYS.DBMS_DEFER_SYS privilege) can obtain or alter information via
a vulnerability of Advanced Replication. [grav:2/4; CVE-2008-2592]

An attacker (via Oracle Net and authenticated) can obtain or alter
information via a vulnerability of Authentication. [grav:2/4;
CVE-2008-2604]

An attacker (via Oracle Net, authenticated and with the Create
Public Synonym privilege) can obtain or alter information via a
vulnerability of Oracle Database Vault. [grav:2/4; CVE-2008-2591]

An attacker (via Oracle Net, authenticated and with the execute on
SYS.DBMS_TOPO_MAP privilege) can obtain or alter information via a
vulnerability of Oracle Spatial. [grav:2/4; CVE-2008-2600]

An attacker (via Oracle Net, authenticated and with the
IMP_FULL_DATABASE role) can obtain information, alter information
or create a denial of service via a vulnerability of Data Pump.
[grav:2/4; CVE-2008-2602]

An attacker (via Oracle Net and authenticated) can obtain
information via a vulnerability of Authentication. [grav:1/4;
CVE-2008-2605]

An attacker (via Oracle Net, authenticated and with the Create
Table privilege) can create a denial of service via a
vulnerability of Core RDBMS. [grav:1/4; CVE-2008-2611]

An attacker (via Oracle Net, authenticated and with the Execute on
SYS.KUPF$FILE_INT privilege) can create a denial of service via a
vulnerability of Data Pump. [grav:1/4; CVE-2008-2608]

An attacker (via Oracle Net, authenticated and with a valid
session) can alter information via a vulnerability of Instance
Management. [grav:2/4; CVE-2008-2590]

An attacker (via Oracle Net, authenticated and with a valid
session) can alter information via a vulnerability of Resource
Manager. [grav:2/4; CVE-2008-2603]

An attacker (via Oracle Net, authenticated and who can read trace
files) can obtain information via a vulnerability of Advanced
Replication. [grav:1/4; CVE-2008-2587]
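
Most entries above require a specific privilege or role, so exposure before patching depends on who holds those grants. The following query is an added example, not part of the advisory or of Oracle's announcement: it lists the grantees of each prerequisite named above, using the standard DBA_TAB_PRIVS, DBA_SYS_PRIVS and DBA_ROLE_PRIVS dictionary views. It assumes the object and role names exactly as the advisory writes them and an account allowed to read the DBA_* views.

```sql
-- Added example (not from the advisory): who holds the privileges that the
-- advisory lists as attack prerequisites? Names are copied from the advisory.
WITH prereq AS (
  SELECT 'CVE-2008-2607' AS cve, 'OBJECT' AS kind, 'SYS' AS owner,
         'DBMS_AQELM' AS name FROM dual UNION ALL
  SELECT 'CVE-2008-2592', 'OBJECT', 'SYS', 'DBMS_DEFER_SYS' FROM dual UNION ALL
  SELECT 'CVE-2008-2600', 'OBJECT', 'SYS', 'DBMS_TOPO_MAP'  FROM dual UNION ALL
  SELECT 'CVE-2008-2608', 'OBJECT', 'SYS', 'KUPF$FILE_INT'  FROM dual UNION ALL
  SELECT 'CVE-2008-2591', 'SYSTEM', NULL, 'CREATE PUBLIC SYNONYM' FROM dual UNION ALL
  SELECT 'CVE-2008-2611', 'SYSTEM', NULL, 'CREATE TABLE'          FROM dual UNION ALL
  SELECT 'CVE-2008-2602', 'ROLE',   NULL, 'IMP_FULL_DATABASE'     FROM dual
)
-- Object privileges: EXECUTE on the listed SYS packages
SELECT p.cve,
       'EXECUTE ON ' || p.owner || '.' || p.name AS prerequisite,
       t.grantee
  FROM prereq p
  JOIN dba_tab_privs t
    ON t.owner = p.owner
   AND t.table_name = p.name
   AND t.privilege = 'EXECUTE'
 WHERE p.kind = 'OBJECT'
UNION ALL
-- System privileges
SELECT p.cve, p.name, s.grantee
  FROM prereq p
  JOIN dba_sys_privs s
    ON s.privilege = p.name
 WHERE p.kind = 'SYSTEM'
UNION ALL
-- Role membership
SELECT p.cve, 'ROLE ' || p.name, r.grantee
  FROM prereq p
  JOIN dba_role_privs r
    ON r.granted_role = p.name
 WHERE p.kind = 'ROLE'
 ORDER BY 1, 3;
```

A grantee in the result may itself be a role or PUBLIC; follow DBA_ROLE_PRIVS from that role to find the accounts that inherit the grant. Entries that require only an authenticated session or local oinstall membership have no grant to query and are not covered.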

CHARACTERISTICS

Identifiers: c00727143, CVE-2008-2587, CVE-2008-2590, CVE-2008-2591, CVE-2008-2592, CVE-2008-2600, CVE-2008-2602, CVE-2008-2603, CVE-2008-2604, CVE-2008-2605, CVE-2008-2607, CVE-2008-2608, CVE-2008-2611, CVE-2008-2613, ERR-2008-1666, HPSBMA02133, SSRT061201, VIGILANCE-VUL-7949

https://vigilance.aql.fr/tree/1/7949

