Vendor Status Note JVNCIAC-P-100

Multiple Vulnerabilities in Oracle

Overview

Several Oracle products contain multiple vulnerabilities, including buffer overflows.

Affected Systems

 - Oracle Database 10g Release 1, versions 10.1.0.2, 10.1.0.3 and 10.1.0.3.1 (supported for Oracle Application Server only)
 - Oracle9i Database Server Release 2, versions 9.2.0.4, 9.2.0.5, and 9.2.0.6
 - Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4 (9.0.1.5 FIPS)
 - Oracle8i Database Server Release 3, version 8.1.7.4
 - Oracle8 Database Release 8.0.6, version 8.0.6.3 (supported for E-Business Suite only)
 - Oracle Application Server 10g Release 2 (10.1.2)
 - Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
 - Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
 - Oracle9i Application Server Release 1, version 1.0.2.2
 - Oracle Collaboration Suite Release 2, version 9.0.4.2
 - Oracle E-Business Suite and Applications Release 11i (11.5)
 - Oracle E-Business Suite and Applications Release 11.0

Impact

A remote third party could cause a variety of impacts, such as gaining the privileges of the user running the Oracle product (oracle on Unix/Linux, SYSTEM on Windows).

Vendor Information

Vendor | Link | Updated
Oracle | Critical Patch Update - January 2005

References

  1. ISS X-Force Database: oracle-database-link-dos(18946)
    Oracle Database Servers create database link denial of service
  2. ISS X-Force Database: oracle-olap-obtain-info(18957)
    Oracle Database Servers OLAP obtain information
  3. ISS X-Force Database: oracle-utlfile-modify-data(18960)
    Oracle Database Servers UTL_FILE modify data
  4. ISS X-Force Database: oracle-diagnostic-obtain-info(18961)
    Oracle Database Servers Diagnostic obtain information
  5. ISS X-Force Database: oracle-dataguard-obtain-info(18964)
    Oracle Database Servers Dataguard obtain information
  6. ISS X-Force Database: oracle-ohs-obtain-info(18969)
    Oracle Database Servers OHS obtain information
  7. ISS X-Force Database: oracle-ebusiness-suite-sql-injection(18966)
    Oracle E-Business Suite SQL injection
  8. ISS X-Force Database: oracle-report-server-obtain-info(18971)
    Oracle Database Servers Report Server obtain information
  9. ISS X-Force Database: oracle-e-business-sql-injection(18973)
    Oracle E-Business Suite SQL injection
  10. ISS X-Force Database: oracle-calendar-obtain-info(18974)
    Oracle Database Servers Calendar obtain information

JPCERT Alert
JPCERT REPORT: JPCERT-WR-2005-0401 (2005-01-26)
CIAC Bulletin: P-100 Oracle Critical Patch Update (2005-01-18)
CVE
PGP signature: JVNCIAC-P-100.html.sig

Registered: 20:11 2005/01/30
Updated: 20:12 2005/01/30

Copyright(C) 2002-2009 Keio Univ. All rights reserved.