CVE-2006-0283
CVSS 10.0
Published: 2006-01-18 06:03:00
Last revised: 2012-10-22 21:56:09

[Original] Unspecified vulnerability in Oracle Database Server 10.1.0.4.2, Application Server 10.1.2.0.2, and Collaboration Suite Release 2, version 9.0.4.2 (Oracle9i) has unspecified impact and attack vectors, as identified by Oracle Vuln# DBC02 in the Reorganize Objects & Convert Tablespace component.


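[CNNVD] Oracle January 2006 update fixes multiple security vulnerabilities (CNNVD-200601-237)

        Oracle Database is a large commercial database system.
        Multiple vulnerabilities have been found affecting various Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Portal, JD Edwards EnterpriseOne Tools, OneWorld Tools, Oracle Developer Suite and Oracle Workflow software. These vulnerabilities may be local or remote and affect all security properties of the Oracle products. An attacker could exploit them to compromise the confidentiality, integrity or availability of the server, or to execute arbitrary code.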

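- CVSS (base score)

CVSS score: 10 [Severe (HIGH)]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may cause a complete system outage]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: NETWORK [the attacker does not need internal network access or local access]
Authentication: NONE [exploitation requires no authentication]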

- CPE (affected platforms and products)

cpe:/a:oracle:database_server:10.1.0.4.2 Oracle Database Server 10g 10.1.0.4.2
cpe:/a:oracle:collaboration_suite:9.0.4.2:r2 Oracle Oracle Collaboration Suite Release 2 9.0.4.2
cpe:/a:oracle:application_server:10.1.2.0.2 Oracle Application Server 10g 10.1.2.0.2

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0283
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2006-0283
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200601-237
(Official data source) CNNVD

- Other links and resources

http://www.kb.cert.org/vuls/id/545804
(VENDOR_ADVISORY)  CERT-VN  VU#545804
http://securitytracker.com/id?1015499
(PATCH)  SECTRACK  1015499
http://secunia.com/advisories/18608
(VENDOR_ADVISORY)  SECUNIA  18608
http://xforce.iss.net/xforce/xfdb/24321
(UNKNOWN)  XF  oracle-january2006-update(24321)
http://www.vupen.com/english/advisories/2006/0323
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0323
http://www.vupen.com/english/advisories/2006/0243
(VENDOR_ADVISORY)  VUPEN  ADV-2006-0243
http://www.securityfocus.com/bid/16287
(UNKNOWN)  BID  16287
http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html
(UNKNOWN)  CONFIRM  http://www.oracle.com/technetwork/topics/security/cpujan2006-082403.html
http://secunia.com/advisories/18493
(VENDOR_ADVISORY)  SECUNIA  18493

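- Vulnerability information

Oracle January 2006 update fixes multiple security vulnerabilities
Critical  Insufficient information
2006-01-18 00:00:00 2006-08-30 00:00:00
Remote
        Oracle Database is a large commercial database system.
        Multiple vulnerabilities have been found affecting various Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Portal, JD Edwards EnterpriseOne Tools, OneWorld Tools, Oracle Developer Suite and Oracle Workflow software. These vulnerabilities may be local or remote and affect all security properties of the Oracle products. An attacker could exploit them to compromise the confidentiality, integrity or availability of the server, or to execute arbitrary code.

- Advisories and patches

        The vendor has released an upgrade patch to fix this security issue; the vendor has published the relevant updates.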
        http://www1.itrc.hp.com/service/cki/docDisplay.do?hpweb_printable=true&docId=c00593668
        http://www.oracle.com/technology/deploy/security/pdf/cpujan2006.html?_template=/ocom/technology/cont

- Vulnerability information

22569
Oracle Reorganize Objects & Convert Tablespace Unspecified Local Issue
Vendor Verified

- Vulnerability description

Unknown or Incomplete

- Timeline

2006-01-17 Unknown
Unknown Unknown

- Solution

Currently, there are no known workarounds or upgrades to correct this issue. However, Oracle has released a patch (Jan2006 Critical Patch Update) to address this vulnerability.

- Related references

- Vulnerability author

Unknown or Incomplete

- Vulnerability information

Oracle January Security Update Multiple Vulnerabilities
Unknown 16287
Yes Yes
2006-01-17 12:00:00 2007-02-26 07:26:00
Some of these issues were discovered by Red-Database-Security and NGSSoftware. Esteban Martinez Fayo discovered the XDB.DBMS_XMLSCHEMA buffer overflow issue. The rest of these issues were disclosed by the vendor.

- Affected software versions

PeopleSoft Enterprise Portal 8.9
PeopleSoft Enterprise Portal 8.8
PeopleSoft Enterprise Portal 8.4
Oracle Workflow 11.5.9 .5
Oracle Workflow 11.5.1
Oracle Oracle9i Standard Edition 9.2 .7
Oracle Oracle9i Standard Edition 9.2 .6
Oracle Oracle9i Enterprise Edition 9.0.1 .5 FIPS
Oracle Oracle9i Enterprise Edition 9.0.1 .5
Oracle Oracle9i Enterprise Edition 9.0.1 .4
Oracle Oracle9i Application Server 1.0.2 .2
Oracle Oracle8i Standard Edition 8.1.7 .4
Oracle Oracle8i Standard Edition 8.1.7 .4
Oracle Oracle8i Standard Edition 8.0.6 .3
Oracle Oracle8i Standard Edition 8.0.6
Oracle Oracle8i Enterprise Edition 8.1.7 .4.0
Oracle Oracle8 8.1.7 .4
Oracle Oracle8 8.0.6 .3
Oracle Oracle8 8.0.6
Oracle Oracle10g Standard Edition 10.2 .1
Oracle Oracle10g Standard Edition 10.1 .4.2
Oracle Oracle10g Standard Edition 10.1 .0.5
Oracle Oracle10g Standard Edition 10.1 .0.4
Oracle Oracle10g Standard Edition 10.1 .0.3
Oracle Oracle10g Personal Edition 10.1 .0.4
Oracle Oracle10g Personal Edition 10.1 .0.3
Oracle Oracle10g Enterprise Edition 10.1 .0.4
Oracle Oracle10g Enterprise Edition 10.1 .0.3
Oracle Oracle10g Application Server 10.1.2 .1.0
Oracle Oracle10g Application Server 10.1.2 .0.2
Oracle Oracle10g Application Server 10.1.2 .0.1
Oracle Oracle10g Application Server 10.1.2
Oracle Oracle10g Application Server 9.0.4 .2
Oracle Oracle10g Application Server 9.0.4 .1
Oracle Oracle 9i Application Server Release 1 1.0.2 .2
Oracle JD Edwards EnterpriseOne 8.95 _F1
Oracle JD Edwards EnterpriseOne SP23_L1
Oracle Enterprise Manager Grid Control 10g 10.1 .4
Oracle Enterprise Manager Grid Control 10g 10.1 .3
Oracle E-Business Suite 11i 11.5.10
Oracle E-Business Suite 11i 11.5.9
Oracle E-Business Suite 11i 11.5.8
Oracle E-Business Suite 11i 11.5.7
Oracle E-Business Suite 11i 11.5.6
Oracle E-Business Suite 11i 11.5.5
Oracle E-Business Suite 11i 11.5.4
Oracle E-Business Suite 11i 11.5.3
Oracle E-Business Suite 11i 11.5.2
Oracle E-Business Suite 11i 11.5.1
Oracle Developer Suite 10.1.2
Oracle Developer Suite 9.0.4 .2
Oracle Developer Suite 9.0.4 .1
Oracle Developer Suite 9.0.2 .1
Oracle Collaboration Suite Release 2 9.0.4 .2
Oracle Collaboration Suite Release 1 10.1.2
Oracle Collaboration Suite Release 1 10.1.1
Oracle Collaboration Suite Release 1
Oracle Application Server Release 2 10.1.2 .0.2
Oracle Application Server Release 2 10.1.2 .0.1
Oracle Application Server Release 2 10.1.2 .0.0
Oracle Application Server 10g 10.1.2
Oracle Application Server 10g 9.0.4 .2
Oracle Application Server 10g 9.0.4 .1
Oracle Application Server 10g 9.0.4
HP Oracle for OpenView 9.1.1
HP Oracle for OpenView 8.1.7
HP Oracle for OpenView 9.2

- Vulnerability discussion

Various Oracle products -- Oracle Database Server, Oracle Enterprise Manager, Oracle Application Server, Oracle Collaboration Suite, Oracle E-Business Suite, PeopleSoft Enterprise Portal, JD Edwards EnterpriseOne Tools, OneWorld Tools, Oracle Developer Suite, and Oracle Workflow -- are prone to multiple vulnerabilities.

The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats.

Oracle has released a Critical Patch Update advisory for January 2006 to address these vulnerabilities. This Critical Patch Update addresses the vulnerabilities for supported releases. Earlier, unsupported releases are likely to be affected by the issues as well.

- Exploitation

An exploit is not required for some of these issues. Other issues would likely require exploit code.

Exploit code for issue DB29 is available by Esteban Martinez Fayo <esteban@argeniss.com> at:
http://www.argeniss.com/research/OraGENERATESCHEMAExploits.txt

Exploit code for issue DB05 is available by Andrea "bunker" Purificato:

- Solution

Oracle has released a critical patch update (Critical Patch Update - January 2006) to address these issues. Please see the referenced advisory for details on obtaining and applying the appropriate updates.

HP has released advisory HPSBMA02094 SSRT061104 rev.1 to address these issues in Oracle for OpenView. Please see the referenced advisory for further information.

- Related references

 

 
