lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20050713200035.3E5C44161@mail.integrigy.com>
Date: Wed Jul 13 21:00:45 2005
From: alerts at integrigy.com (Integrigy Security)
Subject: Multiple High Risk Vulnerabilities in Oracle
	E-Business Suite 11i

Integrigy Security Advisory
______________________________________________________________________
 
Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i
Oracle Critical Patch Update - July 2005
July 12, 2005
______________________________________________________________________
 
Summary:

Oracle today will be releasing its third Critical Patch Update (July 2005).
The patches contained in the Critical Patch Update will correct numerous
security bugs in the Oracle Database, Oracle Application Server, and Oracle
E-Business Suite.  

A number of high risk SQL injection and parameter manipulation security
vulnerabilities in the Oracle E-Business Suite are corrected by the security
patches released today.  Customers with Internet-facing implementations of
the Oracle E-Business Suite should consider applying these patches as soon
as possible.  It is possible that an attacker with only a web browser and a
network connection (either internally or externally) to Oracle E-Business
Suite web application servers can execute malicious SQL statements in the
database as the APPS database account. 
 
The Oracle E-Business Suite patches involved with this Critical Patch Update
are much more complex as compared to the previous CPUs and will require
additional functional testing in our opinion.  In addition, the Oracle
E-Business Suite security patches are not cumulative, therefore, all the
patches specified in this CPU and previous CPUs must be applied.    

Integrigy will be releasing more detailed guidance in the near future in
order to assist our clients in determining the relevance and priority of
patches for their Oracle E-Business Suite implementations.  The Integrigy
analysis for this Critical Patch Update will be posted at
http://www.integrigy.com/analysis.htm when it is available.
______________________________________________________________________
 
For more information or questions regarding this security advisory, please
contact us at alerts@...egrigy.com.
 
Integrigy has included checks for these vulnerabilities in AppSentry, a
vulnerability scanner for Oracle Applications, and AppDefend, an application
intrusion prevention system for Oracle Applications.
 
Credit:
 
The vulnerabilities referenced in this advisory were discovered and reported
to Oracle by Stephen Kost of Integrigy Corporation.
______________________________________________________________________
 
About Integrigy Corporation (www.integrigy.com)
 
Integrigy Corporation is a leader in application security for large
enterprise, mission critical applications. Our application vulnerability
assessment tool, AppSentry, assists companies in securing their largest and
most important applications. AppDefend is an intrusion prevention system for
Oracle Applications and blocks common types of attacks against application
servers. Integrigy Consulting offers security assessment services for
leading ERP and CRM applications.
 
For more information, visit www.integrigy.com.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: winmail.dat
Type: application/ms-tnef
Size: 2854 bytes
Desc: not available
Url : http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20050713/d294ea4d/winmail.bin

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ