From Zone-H.org:
09/01/2004

Summary:

Oracle has released a set of security patches for the Oracle Database and Oracle Application Server that fix a large number of serious security vulnerabilities. The majority of these vulnerabilities can be exploited in all Oracle Applications implementations; therefore, these patches must be applied.


Product: Oracle E-Business Suite
Versions: 11.0.x, 11.5.x
Platforms: All platforms
Risk Level: Critical

_____________________________________________________________________


Description:

Integrigy and other security researchers have discovered a number of critical security vulnerabilities in both the Oracle Database and Oracle Application Server. Since Oracle Applications uses both the database and application server, it is vulnerable to most of these security issues.

The vulnerabilities include buffer overflows, SQL injection issues, and denial of service problems – many of which are considered critical since an attacker can effectively gain control over an application or database server without a valid login.

Oracle Applications is especially vulnerable to many of these vulnerabilities since in most implementations anyone on the internal network can log into the database using the well-known database account APPLSYSPUB. From an APPLSYSPUB login, any one of the buffer overflows in standard database functions can be exploited to gain access to the operating system, or multiple SQL injection flaws can be used to manipulate any data in the database.


Solution:

All Oracle Applications customers should consider these vulnerabilities extremely high risk and apply the Oracle patches at the earliest possible opportunity. Customers with Internet facing application servers should consider applying these patches as soon as possible.

Patch Priority

In order to provide some guidance for system administrators and DBAs regarding the urgency and priority of these patches, we suggest the following timelines for typical implementations of Oracle Applications --

Internet Accessible:

1- Application Server Patch – As soon as possible
2- Database Patch – Next scheduled downtime

Non-Internet Accessible:

1- Database Patch – Next scheduled downtime
2- Application Server Patch – Next scheduled downtime

Large Internal User Community or Sensitive Data:

1- Database Patch – As soon as possible
2- Application Server Patch – Next scheduled downtime

Application Server Patches

11.5.7 – 11.5.9 Rapid Install :

Customers who have installed 11.5.7 to 11.5.9 using Rapid Install (not upgraded from prior to 11.5.7) will have Oracle 9iAS 1.0.2.2.2 installed and should apply patch 3835781 to all middle tier web servers.

11.5.7 – 11.5.9 Upgraded from prior to 11.5.7 :

Oracle 9iAS 1.0.2.2.2 is not installed automatically during an upgrade. Only by following the instructions in Oracle Metalink Note ID 146468.1 is the Oracle Application Server upgraded.

You may check the version of the Oracle Application Server by executing the following command on a middle tier web server –


$APACHE_TOP/Apache/bin/httpd -version

1.3.19 = Oracle 9iAS 1.0.2.2.2

1.3.12 or prior = Not Oracle 9iAS 1.0.2.2.2

If Oracle 9iAS 1.0.2.2.2 is installed, you should apply patch 3835781 to all middle tier web servers. Otherwise, Oracle has not released a patch for your version of Oracle Application Server.

11.5.1 – 11.5.6 Rapid Install or Upgrade :

Most likely Oracle 9iAS 1.0.2.2.2 is not installed. Only by following the instructions in Oracle Metalink Note ID 146468.1 is the Oracle Application Server upgraded.

You may check the version of the Oracle Application Server by executing the following command on a middle tier web server –


$APACHE_TOP/Apache/bin/httpd -version

1.3.19 = Oracle 9iAS 1.0.2.2.2

1.3.12 or prior = Not Oracle 9iAS 1.0.2.2.2

If Oracle 9iAS 1.0.2.2.2 is installed, you should apply patch 3835781 to all middle tier web servers. Otherwise, Oracle has not released a patch for your version of Oracle Application Server.
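The version check described in the two sections above (11.5.7 - 11.5.9 upgraded installs and 11.5.1 - 11.5.6 installs) is the same procedure: run httpd -version on each middle tier and map the Apache build to the advisory's guidance. The script below is an added example, not part of the Integrigy advisory. It parses the output of $APACHE_TOP/Apache/bin/httpd -version and reports whether patch 3835781 applies; the sample output lines are constructed, and the exact wording Oracle HTTP Server prints is assumed (only the Apache/x.y.z token is relied on).

```shell
#!/bin/sh
# Added example (not from the advisory): decide from "httpd -version" output
# whether a middle tier is running Oracle 9iAS 1.0.2.2.2 and needs patch 3835781.

# Constructed sample outputs for offline use; the "Server version:" wording is an
# assumption about what Oracle HTTP Server prints.
SAMPLE_1319='Server version: Oracle HTTP Server Powered by Apache/1.3.19 (Unix)'
SAMPLE_1312='Server version: Oracle HTTP Server Powered by Apache/1.3.12 (Unix)'

# Extract the Apache version token (e.g. "1.3.19") from httpd -version output.
apache_version() {
    # $1: full output of httpd -version
    printf '%s\n' "$1" | sed -n 's/.*Apache\/\([0-9][0-9.]*\).*/\1/p' | head -n 1
}

# Map the Apache version to the advisory's guidance:
#   1.3.19            -> Oracle 9iAS 1.0.2.2.2: apply patch 3835781 to all middle tiers
#   1.3.12 or earlier -> not 9iAS 1.0.2.2.2: Oracle has released no patch for it
#   empty             -> output could not be parsed
#   anything else     -> not covered by the advisory; confirm the install state
#                        against Metalink Note ID 146468.1 before deciding
classify_httpd_version() {
    case "$1" in
        1.3.19)                         echo "9iAS-1.0.2.2.2: apply patch 3835781" ;;
        1.3.1[0-2]|1.3.[0-9]|1.[0-2].*) echo "pre-9iAS: no Oracle patch available" ;;
        '')                             echo "unknown: could not parse Apache version" ;;
        *)                              echo "unknown: verify against Metalink Note 146468.1" ;;
    esac
}

# Live check for a real middle tier: requires APACHE_TOP to be set, as in the
# advisory's command. Not invoked by default so the script also runs offline.
check_middle_tier() {
    out=$("${APACHE_TOP:?set APACHE_TOP to the middle tier Apache home}/Apache/bin/httpd" -version 2>&1)
    classify_httpd_version "$(apache_version "$out")"
}

# Demonstrate on the constructed samples.
for sample in "$SAMPLE_1319" "$SAMPLE_1312"; do
    ver=$(apache_version "$sample")
    printf 'Apache %s -> %s\n' "$ver" "$(classify_httpd_version "$ver")"
done
```

To use it on a real server, source the script on the middle tier with APACHE_TOP set and call check_middle_tier; each middle tier web server must be checked separately, since the advisory requires the patch on all of them.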

Oracle Application Server 10g :

Some customers may have installed Oracle Application Server 10g (9.0.4) on a separate application server in order to use the latest version of Single Sign-On, Oracle Portal, or Discoverer. Oracle Application Server 10g should be patched with either 3828022 (9.0.4.0) or 3828024 (9.0.4.1).

Database Patches :

Apply whichever of the patches 3811838 (8.1.7.4), 3811887 (9.2.0.4), or 3811906 (9.2.0.5) is appropriate for your UNIX operating system and database version. These patches are applied only to the database server.

The patches 3835952 (8.1.7.4), 3835963 (9.2.0.4), and 3835964 (9.2.0.5) are not relevant to most Oracle Applications 11i installations. Unless you know that the Apache web server is running as part of the database installation (not a standard installation or configuration), these patches can be ignored.

Patch Testing :

Appropriate testing and backups should always be performed before applying any Oracle patches. Since Oracle has not publicly released details on the exact vulnerabilities fixed in the patches or the components modified by the patches, customers must adequately test these patches before applying them to a production environment.

Application Server Patch :

The application server patches only affect the Oracle Web Gateway (modplsql), which is used for core functions and older self-service modules within Oracle Applications. Testing should concentrate on core functions like the signon process, on-line help, workflow, and older self-service modules (you will see /pls/ in the URL).

Database Server Patch :

The database server patches touch many parts of the database from core database functions to database triggers to the database listener (TNS) – resolving multiple buffer overflows, SQL injection issues, and denial of service problems. Fortunately, a number of the problems were in less used services like the Context Server and Oracle Spatial. Customers should consider this a minor database upgrade (e.g., 9.2.0.4 to 9.2.0.5) and perform similar testing as for such an upgrade.

Additional Information:

http://www.integrigy.com/resources.htm

http://otn.oracle.com/deploy/securit...004alert68.pdf

Metalink Note ID 281188.1 (Oracle Security Alert)

Metalink Note ID 281189.1 (Patch Availability Matrix)

For more information or questions regarding this security alert, please contact us at alerts@integrigy.com.

Integrigy has included checks for many of these vulnerabilities in AppSentry, a vulnerability scanner for Oracle Applications, and AppDefend, an application intrusion prevention system for Oracle Applications.

Credit:

A number of the vulnerabilities included in Oracle Security Alert #68 were discovered by Stephen Kost of Integrigy Corporation.