Actu
Vigil@nce: Oracle, multiple vulnerabilities
August 2008 by Vigil@nce
SYNTHESIS
Several vulnerabilities of Oracle products can be used by an
attacker to execute code on victim’s computer.
Gravity: 3/4
Consequences: administrator access/rights, data reading, data
creation/edition
Provenance: user shell
Means of attack: no proof of concept, no attack
Ability of attacker: expert (4/4)
Confidence: confirmed by the editor (5/5)
Diffusion of the vulnerable configuration: medium (2/3)
Creation date: 05/08/2008
Identifier: VIGILANCE-VUL-7996
IMPACTED PRODUCTS
– Oracle Application Server [confidential versions]
– Oracle Database [confidential versions]
– Oracle WebLogic Server [confidential versions]
DESCRIPTION
Exploiting a website vulnerability, a non authenticated attacker
can take the control of Oracle Database. [grav:3/4]
An attacker can steal administrator’s session cookies via an XSS
(cross-site scripting), and thus usurpate his identity. [grav:2/4;
CVE-2008-2603]
An attacker with execution rights on SYS.DBMS_DEFER_SYS package
can execute SQL commands with system privileges. [grav:2/4;
CVE-2008-2592]
CHARACTERISTICS
Identifiers: CVE-2008-2592, CVE-2008-2603, VIGILANCE-VUL-7996
