Vigil@nce: Oracle Database, several vulnerabilities of July 2009
July 2009 by Vigil@nce
Several vulnerabilities are corrected by the CPU of July 2009.
Severity: 2/4
Consequences: privileged access/rights, data reading, data
creation/editing, denial of service
Provenance: user account
Means of attack: 1 attack
Ability of attacker: technician (2/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: high (3/3)
Number of vulnerabilities in this bulletin: 12
Creation date: 15/07/2009
IMPACTED PRODUCTS
– Oracle Database
– Oracle Net Services
– Oracle SQL*Net
DESCRIPTION OF THE VULNERABILITY
The CPU (Critical Patch Update) of July 2009 corrects several
vulnerabilities in Oracle Database. Oracle's announcement contains a
detailed table, summarized below.
An attacker can obtain or alter information or create a denial of
service via a vulnerability of Network Foundation. [grav:2/4;
BID-35684, CVE-2009-1020]
An attacker can obtain or alter information or create a denial of
service via a vulnerability of Network Authentication. [grav:2/4;
BID-35680, CVE-2009-1019]
An attacker can alter information or create a denial of service
via a vulnerability of Network Foundation. [grav:1/4; BID-35677,
CVE-2009-1963]
An attacker can obtain or alter information via a vulnerability of
Advanced Replication. [grav:2/4; BID-35685, CVE-2009-1021]
An attacker can obtain or alter information via a vulnerability of
Config Management. [grav:2/4; BID-35676, CVE-2009-1966]
An attacker can obtain or alter information via a vulnerability of
Config Management. [grav:2/4; BID-35692, CVE-2009-1967]
An attacker can obtain or alter information via a vulnerability of
Upgrade. [grav:2/4; BID-35679, CVE-2009-0987]
An attacker can obtain or alter information via a vulnerability of
Virtual Private Database. [grav:2/4; BID-35687, CVE-2009-1973]
An attacker can create a denial of service via a vulnerability of
Listener. [grav:2/4; BID-35683, CVE-2009-1970]
An attacker can trigger a Cross Site Scripting attack in the
/search/query/search page of Secure Enterprise Search. [grav:2/4;
BID-35681, CVE-2009-1968, DSECRG-09-025]
An attacker can alter information via a vulnerability of Core
RDBMS. [grav:2/4; BID-35682, CVE-2009-1015]
An attacker can obtain information via a vulnerability of
Auditing. [grav:1/4; BID-35689, CVE-2009-1969]
CHARACTERISTICS
Identifiers: BID-35676, BID-35677, BID-35679, BID-35680,
BID-35681, BID-35682, BID-35683, BID-35684, BID-35685, BID-35687,
BID-35689, BID-35692, cpujul2009, CVE-2009-0987, CVE-2009-1015,
CVE-2009-1019, CVE-2009-1020, CVE-2009-1021, CVE-2009-1963,
CVE-2009-1966, CVE-2009-1967, CVE-2009-1968, CVE-2009-1969,
CVE-2009-1970, CVE-2009-1973, DSECRG-09-025, VIGILANCE-VUL-8865
http://vigilance.fr/vulnerability/Oracle-Database-several-vulnerabilities-of-July-2009-8865