Vigil@nce: Oracle Database, several vulnerabilities of April 2009
April 2009 by Vigil@nce
Several vulnerabilities are corrected by the CPU of April 2009.
– Severity: 2/4
– Consequences: user access/rights, data reading, data
creation/editing, denial of service
– Provenance: user account
– Means of attack: 1 attack
– Ability of attacker: technician (2/4)
– Confidence: confirmed by the vendor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 16
– Creation date: 15/04/2009
– Revision date: 21/04/2009
IMPACTED PRODUCTS
– Oracle Database
– Oracle Net Services
– Oracle SQL*Net
DESCRIPTION OF THE VULNERABILITY
The CPU (Critical Patch Update) of April 2009 corrects several
vulnerabilities in Oracle Database. Oracle’s announcement contains a
detailed table, summarized below.
An attacker can obtain or alter information or create a denial of
service via a vulnerability of Resource Manager. [grav:2/4;
CVE-2009-0979]
An attacker can obtain or alter information or create a denial of
service via a vulnerability of Core RDBMS. [grav:2/4;
CVE-2009-0985]
An attacker can obtain or alter information or create a denial of
service via a vulnerability of Workspace Manager. [grav:2/4;
CVE-2009-0972]
An attacker can inject SQL in the GRANT_TYPE_ACCESS procedure of
the DBMS_AQADM_SYS package of Advanced Queuing. [grav:2/4;
CVE-2009-0977]
An attacker can inject SQL in the DEQ_EXEJOB procedure of the
DBMS_AQIN package of Advanced Queuing. [grav:2/4; CVE-2009-0992]
An attacker can obtain or alter information via a vulnerability of
Database Vault. [grav:2/4; CVE-2009-0984]
An attacker can alter information or create a denial of service
via a vulnerability of SQLX Functions. [grav:2/4; CVE-2009-0980]
An attacker can obtain or alter information via a vulnerability of
Workspace Manager. [grav:2/4; CVE-2009-0975]
An attacker can obtain or alter information via a vulnerability of
Workspace Manager. [grav:2/4; CVE-2009-0976]
An attacker can obtain or alter information via a vulnerability of
Workspace Manager. [grav:2/4; CVE-2009-0978]
An attacker can obtain or alter information or create a denial of
service via a vulnerability of Workspace Manager. [grav:2/4;
CVE-2009-0986]
An attacker can create a denial of service via a vulnerability of
Cluster Ready Services. [grav:2/4; CVE-2009-0973]
An attacker can create a denial of service via a vulnerability of
Listener. [grav:2/4; CVE-2009-0991]
An attacker can obtain APEX password hashes. [grav:2/4;
CVE-2009-0981]
An attacker can obtain or alter information via a vulnerability of
Database Vault. [grav:2/4; CVE-2009-0997]
An attacker can obtain or alter information via a vulnerability of
Password Policy. [grav:2/4; CVE-2009-0988]
CHARACTERISTICS
– Identifiers: CPUapr2009, CVE-2009-0972, CVE-2009-0973,
CVE-2009-0975, CVE-2009-0976, CVE-2009-0977, CVE-2009-0978,
CVE-2009-0979, CVE-2009-0980, CVE-2009-0981, CVE-2009-0984,
CVE-2009-0985, CVE-2009-0986, CVE-2009-0988, CVE-2009-0991,
CVE-2009-0992, CVE-2009-0997, VIGILANCE-VUL-8635
– Url: http://vigilance.fr/vulnerability/Oracle-Database-several-vulnerabilities-of-April-2009-8635