Red-Database-Security GmbH is a specialist in Oracle security


Published Oracle Security Alerts




This page contains information about Oracle security issues that have already been published.

2009

 

14-apr-2009 SQL Injection in DBMS_AQIN [CVE-2009-0992] (fixed in CPUApr2009) new
14-apr-2009 SQL Injection in DBMS_AQADM_SYS [CVE-2009-0977] (fixed in CPUApr2009) new
14-apr-2009 Unprivileged database users can see APEX password hashes [CVE-2009-0981] (fixed in CPUApr2009) new
15-jan-2009 Bypass Auditing using dbms_ijob [CVE-2008-5437] (fixed in CPUJan2009)
15-jan-2009 Plaintext Password in JDeveloper (fixed in CPUJan2009) [CVE-2008-2623]
15-jan-2009 SQL Injection in DBMS_STREAMS_AUTH (fixed in CPUJan2009) [CVE-2008-4015]





2008

 

15-oct-2008 SQL Injection in upgrade script EXFEAPVS.SQL [CVE-2008-3980] (fixed in CPUOct2008)
15-oct-2008 OLAP_USER has create public synonym [CVE-2008-2624] (fixed in CPUOct2008)
15-oct-2008 jdeveloper: plaintext password in IDEConnections.xml [CVE-2008-2588] (fixed in CPUOct2008)
15-oct-2008 Shutdown any unprotected TNS Listener via Reports Servlet [CVE-2008-2619] (fixed in CPUOct2008)
15-jul-2008 DBMS_IAS_INST_UTL.GEN_DBLINKS_DDL saves plaintext passwords when tracing is enabled [CVE-2008-2587] (fixed in CPUJul2008)
15-apr-2008 SQL Injection in SDO_UTIL [DB05] (fixed in CPUApr2008)
15-apr-2008 SQL Injection in SDO_GEOM [DB06] (fixed in CPUApr2008)
15-apr-2008 SQL Injection in SDO_IDX [DB07] (fixed in CPUApr2008)
15-apr-2008 Password Change/Reset of OUTLN [DB13] (fixed in CPUApr2008)
15-apr-2008 Create View Problem (fixed in CPUApr2008) [DB10]
15-apr-2008 Inline View Problem (fixed in CPUApr2008) [DB10]
15-apr-2008 SQL Injection in SYS.DBMS_PRVTAQIM (fixed in CPUJan2008)
15-apr-2008 SQL Injection in MDSYS.SDO_CATALOG (fixed in CPUJan2008)
15-apr-2008 SQL Injection in upgrade script A0902000.SQL (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script A10000000.sql (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script C09020000.sql (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script E09020000.sql (fixed in CPUJan2008)
15-apr-2008 Multiple SQL Injections in upgrade script E10010000.sql (fixed in CPUJan2008)





2007

 

16-oct-2007 Privilege Escalation via FBI [DB01] (fixed in CPUOct2007)
17-jul-2007 SQL Injection in DBMS_PRVTAQIS [DB02] (fixed in CPUJul2007)
17-jul-2007 Insert/Update/Delete data via specially crafted views [DB17] (fixed in CPUJul2007)
17-jul-2007 SQL Injection in APEX CHECK_DB_PASSWORD [APEX01] (fixed in CPUJul2007)
17-apr-2007 Bypass Logon Trigger [DB05] (fixed in CPUApr2007)
17-apr-2007 SQL Injection in DBMS_UPGRADE_INTERNAL [DB07] (fixed in CPUApr2007)
17-apr-2007 SQL Injection in DBMS_AQADM_SYS [DB04] (fixed in CPUApr2007)
17-apr-2007 XSS in Oracle Secure Enterprise Search [SES01] (fixed in CPUApr2007)
17-apr-2007 Shutdown unprotected TNS Listener via Oracle Discoverer Servlet [AS01] (fixed in CPUApr2007)
16-jan-2007 Remote Exploitable Buffer Overflow in Oracle Notification Service (ONS) [OPMN01] (fixed in CPUJan2007)
16-jan-2007 SQL Injection in DBMS_AQ_INV [DB01] (fixed in CPUJan2007)
16-jan-2007 XSS in XMLDB [DB06] (fixed in CPUJan2007)





2006

 

18-oct-2006 XSS in Oracle Reports [REP01]/[REP02] (fixed in CPUOct2006)
18-oct-2006 XSS in APEX NOTIFICATION_MSG (fixed in APEX 2.2.1)
18-oct-2006 XSS in APEX WWV_FLOW_ITEM_HELP (fixed in APEX 2.2.1)
18-oct-2006 SQL Injection in APEX WWV_FLOW_UTILITIES (fixed in APEX 2.2.1)
18-oct-2006 Modify data via inline view [DB09] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in SYS.DBMS_CDC_IMPDP [DB04] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in SYS.DBMS_XDBZ0 [DB01]/[DB15] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in SYS.DBMS_SQLTUNE_INTERNAL [DB10] (fixed in CPUOct2006)
18-oct-2006 SQL Injection in MDSYS.SDO_LRS [DB13] (fixed in CPUOct2006)
18-jul-2006 SQL Injection in SYS.DBMS_STATS (fixed in CPUJul2006)
18-jul-2006 SQL Injection in SYS.DBMS_UPGRADE (fixed in CPUJul2006)
18-jul-2006 SQL Injection in SYS.DBMS_CDC_IMPDP (fixed in CPUJul2006)
18-jul-2006 SQL Injection in SYS.KUPW$WORKER (fixed in CPUJul2006)
25-apr-2006 SQL Injection in SYS.KUPV$FILE (fixed in CPUOct2005)
25-apr-2006 SQL Injection in SYS.DBMS_METADATA (fixed in CPUJan2005)
20-apr-2006 Analysis Oracle CPU April 2006
18-apr-2006 SQL Injection in SYS.DBMS_LOGMNR_SESSION (DB06)
10-apr-2006 Read-only user can modify data via views
17-jan-2006 Various SQL Injection in SYS.DBMS_METADATA_UTIL (DB05)
17-jan-2006 Various SQL Injection in SYS.KUPV$FT in Oracle 10g. Rel. 1
17-jan-2006 Various SQL Injection in SYS.KUPV$FT_INT in Oracle 10g. Rel. 1
17-jan-2006 Event 10053 logs wallet password in cleartext in Oracle 10g Rel. 2 (DB07)
17-jan-2006 The key for the TDE wallet is stored unencrypted in the SGA in Oracle 10g Rel.2 (DB27)
17-jan-2006 Read parts of any XML-file on the application server via Oracle Reports (REP04)
17-jan-2006 Read parts of any file on the application server via Oracle Reports (REP05)
17-jan-2006 Overwrite any file on the application server via Oracle Reports (REP06)


2005

20-oct-2005 Cross-Site-Scripting in Oracle Workflow wf_route
20-oct-2005 Cross-Site-Scripting in Oracle Workflow wf_monitor
7-oct-2005 Shutdown listener via iSQL*Plus
7-oct-2005 Shutdown listener via Forms Servlet
7-oct-2005 Plaintext Passwords logged during Installation of Oracle HTMLDB
7-oct-2005 Cross-Site-Scripting Vulnerabilities in Oracle HTMLDB
7-oct-2005 Cross-Site-Scripting Vulnerabilities in Oracle iSQL*Plus
7-oct-2005 Cross-Site-Scripting Vulnerabilities in Oracle XMLDB
19-jul-2005 Various Cross-Site-Scripting Vulnerabilities in Oracle Report
19-jul-2005 Read parts of any XML-file on the application server via Oracle Report
19-jul-2005 Read parts of any file on the application server via Oracle Report
19-jul-2005 Overwrite any file on the application server via Oracle Report
19-jul-2005 Run any OS Command via uploaded Oracle Report from any directory
19-jul-2005 Run any OS Command via uploaded Oracle Forms from any directory
12-jul-2005 Oracle JDeveloper passes plaintext password
12-jul-2005 Plaintext password in Oracle JDeveloper
12-jul-2005 Unsecure temp file handling in Oracle Formsbuilder
12-jul-2005 Unsecure temp file handling in Oracle Forms
02-may-2005 Fine Grained Auditing issue in Oracle 9i / 10g
02-may-2005 DBMS_SCHEDULER 10g SELECT user issue in Oracle 10g
26-apr-2005 Webcache Client Requests bypasses OHS mod_access Restrictions
26-apr-2005 File append vulnerability in Webcache Admin Console
26-apr-2005 CSS in Webcache Admin Console
25-apr-2005 CSS in BEA admin console
12-apr-2005 SQL Injection in Oracle Forms
18-jan-2005 Buffer Overflow in Create Database Link in Oracle8i - 9i



2004

 

03-sep-2004 Buffer Overflow in DBMS_SYSTEM.KSDWRT() in Oracle8i - 9i
03-sep-2004 Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2
03-sep-2004 SQL Injection via CTXSYS.DRILOAD
19-jan-2004 Multiple security vulnerabilities in Oracle9i Lite 5





© 2006 by Red-Database-Security GmbH - last update: 15-apr-2009

Oracle Patch Policy

In what order are security vulnerabilities and bugs fixed?

  1. In the source code of the current development
  2. In the current products (e.g. 10g Rel. 2)
  3. In the patch sets of older product versions (e.g. 9.2.0.7)
  4. In Critical Patch Updates for all relevant (and supported) product versions

Further information is available on Oracle OTN:

Security Vulnerability Fixing Policy and Process