<?xml version="1.0"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:dc="http://purl.org/dc/elements/1.1/"
         xmlns:syn="http://purl.org/rss/1.0/modules/syndication/"
         xmlns="http://purl.org/rss/1.0/">




    



<channel rdf:about="http://www.integrigy.com/security-resources/advisories/security-advisories/RSS">
  <title>Security Advisories</title>
  <link>http://www.integrigy.com</link>
  
  <description>
    
       
       
  </description>
  
  
  
            <syn:updatePeriod>daily</syn:updatePeriod>
            <syn:updateFrequency>1</syn:updateFrequency>
            <syn:updateBase>2006-07-18T19:54:09Z</syn:updateBase>
        
  
  <image rdf:resource="http://www.integrigy.com/Integrigy_logo.gif"/>

  <items>
    <rdf:Seq>
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/Integrigy_Encrypted_Password_Disclosure.pdf"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-cpu-october-2005"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-cpu-july-2005"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-cpu-january-2005"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-alert-68"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-function-buffer-overflows-apps"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-buffer-overflows-sql-injection"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/oracle-function-buffer-overflows"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/sql-injection-attack-functions"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/database-buffer-overflows"/>
        
        
            <rdf:li rdf:resource="http://www.integrigy.com/security-resources/advisories/fndgfm-vulnerability"/>
        
    </rdf:Seq>
  </items>

</channel>

    <item rdf:about="http://www.integrigy.com/security-resources/advisories/Integrigy_Encrypted_Password_Disclosure.pdf">        <title>Oracle Applications 11i Encrypted Password Disclosure</title>        <link>http://www.integrigy.com/security-resources/advisories/Integrigy_Encrypted_Password_Disclosure.pdf</link>        <description>An undisclosed security vulnerability exists in Oracle Applications 11i that may allow an unauthenticated, internal attacker to obtain Oracle Applications' user account encrypted password strings, which in turn can be decrypted using previously published information.  An attacker can potentially obtain either any user's password or the Oracle Applications' main database account password (APPS).  The attacker must have direct SQL*Net access to the database (e.g., SQL*Plus), and the vulnerability can be exploited only if neither of the Oracle Applications security features "Managed SQL*Net Access" and "Server Security" is enabled.  The underlying issue is that Oracle Applications passwords can be easily decrypted using previously published methods.  All Oracle Applications implementations should enable at least "Server Security" and preferably also enable "Managed SQL*Net Access".</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2007-04-12T13:37:35Z</dc:date>        <dc:type>File</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-cpu-october-2005">        <title>Oracle Critical Patch Update – October 2005 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-cpu-october-2005</link>        <description>Oracle today released its fourth Critical Patch Update (October 2005). The patches contained in the Critical Patch Update will correct numerous security bugs in the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. Some of the vulnerabilities in the Critical Patch Update are high risk and a few can be exploited remotely using a web browser.

Almost all the security bugs fixed in this Critical Patch Update are exploitable in Oracle E-Business Suite environments and the appropriate patches should be applied as soon as possible. Patches for the Oracle Database, Oracle Application Server, Oracle Developer 6i, and Oracle E-Business Suite 11i must be applied -- almost all implementations will have to apply at least 12 patches. Customers with Internet-facing implementations of the Oracle E-Business Suite are most at risk and should consider applying these patches quickly.
</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>SQL Injection</dc:subject>                    <dc:subject>Buffer Overflow</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2006-07-18T02:20:06Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-cpu-july-2005">        <title>Oracle Critical Patch Update – July 2005 - E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-cpu-july-2005</link>        <description>Oracle today will be releasing its third Critical Patch Update (July 2005).   The patches contained in the Critical Patch Update will correct numerous security bugs in the Oracle Database, Oracle Application Server, and Oracle E-Business Suite. 

A number of high risk SQL injection and parameter manipulation security vulnerabilities in the Oracle E-Business Suite are corrected by the security patches released today.  Customers with Internet-facing implementations of the Oracle E-Business Suite should consider applying these patches as soon as possible.  It is possible that an attacker with only a web browser and a network connection (either internally or externally) to Oracle E-Business Suite web application servers can execute malicious SQL statements in the database as the APPS database account.
</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>SQL Injection</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2006-07-18T02:20:13Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-cpu-january-2005">        <title>Oracle Critical Patch Update – January 2005 - Oracle E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-cpu-january-2005</link>        <description>Oracle has released its first Critical Patch Update (January 2005), which fixes 23 vulnerabilities in the Oracle Database, Oracle Application Server, and Oracle E-Business Suite - Integrigy discovered 5 of these vulnerabilities.  The vulnerabilities in the Oracle Database and Oracle E-Business Suite should be considered high risk and organizations should work to apply the necessary patches at the earliest possible opportunity.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Critical Patch Update</dc:subject>                <dc:date>2006-07-18T02:20:20Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-alert-68">        <title>Oracle Security Alert #68 – Oracle E-Business Suite Impact</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-alert-68</link>        <description>Oracle has released a set of security patches for the Oracle Database and Oracle Application Server that fix a large number of serious security vulnerabilities.  The majority of these vulnerabilities can be exploited in all Oracle Applications implementations; therefore, these patches must be applied.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>SQL Injection</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2006-07-18T02:20:28Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-function-buffer-overflows-apps">        <title>Oracle Database Function Buffer Overflows – Oracle Applications Impact</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-function-buffer-overflows-apps</link>        <description>Buffer overflows have been discovered in a number of Oracle Database functions.  An attacker can readily exploit these buffer overflows to gain unauthorized access to the database server or cause a denial of service attack against Oracle Applications.

Oracle Applications is especially susceptible to these vulnerabilities since they can be exploited using the APPLSYSPUB database account or using a SQL injection attack.
</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>Buffer Overflow</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                <dc:date>2006-07-18T02:20:36Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-buffer-overflows-sql-injection">        <title>Oracle Database Function Buffer Overflows and SQL Injection Attacks</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-buffer-overflows-sql-injection</link>        <description>The short-term future of SQL injection attacks is exploitation of the numerous buffer overflows in standard Oracle database functions.  These buffer overflows greatly reduce the complexity of finding and executing SQL injection attacks against web applications.  The new attack paradigm will be to simply test a few attack strings repeatedly and wait for a hung web page or session lost error message.

Almost all the security advisories related to these buffer overflows miss the fact that these buffer overflows can be exploited via SQL injection attacks. 
</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>SQL Injection</dc:subject>                    <dc:subject>Buffer Overflow</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                <dc:date>2006-07-18T02:20:43Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/oracle-function-buffer-overflows">        <title>Oracle Database Function Buffer Overflows – Additional Information</title>        <link>http://www.integrigy.com/security-resources/advisories/oracle-function-buffer-overflows</link>        <description>Buffer overflows have been discovered in a number of Oracle standard database functions.  An attacker can readily exploit these buffer overflows to gain unauthorized access to the database server or cause a denial of service attack against the database.

The buffer overflows can be exploited either through a database session or through a web application using a SQL injection attack.  Almost all the security advisories related to these buffer overflows miss the fact that these buffer overflows can be exploited via SQL injection attacks. 
</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>SQL Injection</dc:subject>                    <dc:subject>Buffer Overflow</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                <dc:date>2006-07-18T02:20:52Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/sql-injection-attack-functions">        <title>Using Database Functions in SQL Injection Attacks</title>        <link>http://www.integrigy.com/security-resources/advisories/sql-injection-attack-functions</link>        <description>Many web applications are vulnerable to SQL injection attacks that make use of database functions.  Any dynamic SQL statement that uses un-validated end-user string input can be exploited by this type of SQL injection attack.

This specific type of SQL injection is not new; however, it is not well understood by many application developers.  Our audits of web applications reveal many are vulnerable to database function injection attacks, but most are well protected against other variations of SQL injection attacks.

We believe next-generation automated attack tools and even possibly worms will leverage function-based SQL injection attacks because a single injection string can be used repeatedly against every input field of a web application in order to locate vulnerabilities.  Since the databases for many web applications are located behind firewalls, these automated attacks can be used to launch attacks on internal networks.
</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>SQL Injection</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                <dc:date>2006-07-18T02:21:00Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/database-buffer-overflows">        <title>Oracle Database Buffer Overflows and Oracle Applications</title>        <link>http://www.integrigy.com/security-resources/advisories/database-buffer-overflows</link>        <description>Several buffer overflows have been discovered in the Oracle database.  These buffer overflows can be exploited from within the Oracle E-Business Suite.  All Oracle E-Business Suite implementations should apply the patches described in Oracle Security Alerts 48, 49, 50, and 51.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                    <dc:subject>Oracle Database</dc:subject>                <dc:date>2006-07-18T02:21:11Z</dc:date>        <dc:type>Page</dc:type>    </item>
    <item rdf:about="http://www.integrigy.com/security-resources/advisories/fndgfm-vulnerability">        <title>FND_GFM Vulnerability</title>        <link>http://www.integrigy.com/security-resources/advisories/fndgfm-vulnerability</link>        <description>A coding error in the FND_GFM database package permits anyone to execute any SQL statements or database packages under the APPS account.</description>        <dc:publisher>No publisher</dc:publisher>        <dc:creator>ploneadmin</dc:creator>        <dc:rights></dc:rights>                    <dc:subject>Risk: High</dc:subject>                    <dc:subject>Oracle E-Business Suite</dc:subject>                <dc:date>2006-07-18T02:21:20Z</dc:date>        <dc:type>Page</dc:type>    </item>




</rdf:RDF>
