Oracle July 2008 Critical Patch Update Fixes Multiple Vulnerabilities

2008-07-23 06:30:16 Source: Internet
 
 
  Oracle Database is a large commercial database system. Oracle has released its Critical Patch Update advisory for July 2008, fixing multiple vulnerabilities in multiple Oracle products. These vulnerabilities affect all security properties of Oracle products and can lead to both local and remote threats. Some of them may require various levels of authorization, while others require none. The most severe vulnerabilities could lead to complete compromise of the database system.

  Published: 2008-07-15

  Updated: 2008-07-16

  Affected systems:

  Oracle Application Server 9.0.4.3
  Oracle Application Server 10.1.3.3.0
  Oracle Application Server 10.1.3.1.0
  Oracle Application Server 10.1.2.3.0
  Oracle Application Server 10.1.2.2.0
  Oracle E-Business Suite 12.0.4
  Oracle E-Business Suite 11.5.10.2
  Oracle Enterprise Manager Grid Control 10.1.0.6
  Oracle Enterprise Manager Grid Control 10.1.0.5
  Oracle PeopleSoft CRM 9.0
  Oracle PeopleSoft CRM 8.9
  Oracle Database 9.2.0.8DV
  Oracle Database 9.2.0.8
  Oracle Database 11.1.0.6
  Oracle Database 10.2.0.4
  Oracle Database 10.2.0.3
  Oracle Database 10.2.0.2
  Oracle Database 10.1.0.5
  Oracle PeopleSoft Enterprise PeopleTools 8.49.11
  Oracle PeopleSoft Enterprise PeopleTools 8.48.17
  Oracle TimesTen In-Memory Database 7.0.3.0.0
  Oracle Hyperion BI Plus 9.3.1.0
  Oracle Hyperion BI Plus 9.2.1.0
  Oracle Hyperion BI Plus 9.2.0.3
  Oracle Hyperion Performance Suite 8.5.0.3
  Oracle Hyperion Performance Suite 8.3.2.4
  Oracle Enterprise Manager Database Control 11.1.0.6
  Oracle Enterprise Manager Database Control 10.2.0.4
  Oracle Enterprise Manager Database Control 10.2.0.3
  Oracle Enterprise Manager Database Control 10.2.0.2
  Oracle Enterprise Manager Database Control 10.1.0.5
  Oracle WebLogic Server 9.2
  Oracle WebLogic Server 9.1
  Oracle WebLogic Server 9.0
  Oracle WebLogic Server 8.1
  Oracle WebLogic Server 7.0
  Oracle WebLogic Server 6.1
  Oracle WebLogic Server 10.0

  Description:
  ----------------------------------------------------------------------------

  BUGTRAQ ID: 30177

  CVE(CAN) ID: CVE-2008-2607,CVE-2008-2613,CVE-2008-2592,CVE-2008-2604,CVE-2008-2591,CVE-2008-2600,CVE-2008-2602,CVE-2008-2605,CVE-2008-2611,CVE-2008-2608,CVE-2008-2590,CVE-2008-2603,CVE-2008-2587,CVE-2008-2597,CVE-2008-2598,CVE-2008-2599,CVE-2008-2589,CVE-2008-2594,CVE-2008-2609,CVE-2008-2595,CVE-2008-2612,CVE-2008-2614,CVE-2008-2583,CVE-2008-2593,CVE-2008-2596,CVE-2008-2601,CVE-2008-2586,CVE-2008-2606,CVE-2008-2610,CVE-2008-2615,CVE-2008-2622,CVE-2008-2616,CVE-2008-2617,CVE-2008-2618,CVE-2008-2620,CVE-2008-2621,CVE-2008-2579,CVE-2008-2581,CVE-2008-2582,CVE-2008-2577,CVE-2008-2578,CVE-2008-2576,CVE-2008-2580

  The currently known vulnerabilities include:

  Oracle Application Server installs a number of PL/SQL packages in the back-end database, and one of them, WWV_RENDER_REPORT, contains a PL/SQL injection vulnerability. The SHOW procedure takes the name of the function to execute as its second parameter, and that parameter is embedded, unfiltered, into a dynamically executed anonymous PL/SQL block. Because the block is an anonymous PL/SQL block, an attacker can execute arbitrary SQL statements by wrapping them in execute immediate and specifying the autonomous_transaction pragma.

  A set-uid program shipped with Oracle Database on Linux and Unix platforms contains a security vulnerability. If the program loads a module that has been replaced, arbitrary code is executed with root privileges. To exploit this vulnerability, the attacker must have access to the database owner account (usually oracle) or be a member of the Oracle installation group (usually oinstall).

  The Oracle Internet Directory service consists of two processes: a listener that handles inbound connections and hands them to the second process, and a handler that processes the requests. When processing a malformed LDAP request, the handler may dereference a null pointer, causing the process to crash. To exploit this vulnerability, the attacker must be able to establish an LDAP session with the vulnerable server, usually over TCP port 389 or the SSL-enabled TCP port 636.

  The DBMS_AQELM package installed by Oracle database products does not properly validate user input. If a remote attacker supplies an overly long string in a request, a buffer overflow can be triggered, leading to arbitrary code execution with the privileges of the database user. To exploit this vulnerability, the attacker must have a database account with privileges to execute the DBMS_AQELM package; by default this is AQ_ADMINISTRATOR_ROLE.

  <*Source: Esteban Martinez Fayo
            Alexander Kornbrust (ak@red-database-security.com)
            David Litchfield (david@nextgenss.com)

  Links: http://marc.info/?l=full-disclosure&m=121615542720938&w=2
         http://secunia.com/advisories/31087/
         http://marc.info/?l=full-disclosure&m=121624986819068&w=2
         http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html?_template=/o
         http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=727
         http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=725
         http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=726
  *>

  Recommendation:
  ----------------------------------------------------------------------------

  Vendor patch:

  Oracle
  ------

  Oracle has released a security advisory (cpujul2008) and the corresponding patches:

  cpujul2008: Oracle Critical Patch Update Advisory - July 2008

  Link: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html?_template=/o
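
  The WWV_RENDER_REPORT issue described above belongs to a general flaw class: a caller-supplied routine name concatenated into a dynamic anonymous PL/SQL block. The following added example (not Oracle's code and not part of the original advisory) shows that pattern beside a hardened form; the package demo_render, the table demo_render_allowed and all procedure names are hypothetical.

```sql
-- Added illustration with hypothetical names; not Oracle's WWV_RENDER_REPORT source.
CREATE TABLE demo_render_allowed (callback_name VARCHAR2(128) PRIMARY KEY);
INSERT INTO demo_render_allowed VALUES ('DEMO_RENDER.SUMMARY');
COMMIT;

CREATE OR REPLACE PACKAGE demo_render AS
  PROCEDURE summary    (p_id IN NUMBER);                      -- a legitimate callback
  PROCEDURE show_unsafe(p_id IN NUMBER, p_func IN VARCHAR2);
  PROCEDURE show_safe  (p_id IN NUMBER, p_func IN VARCHAR2);
END demo_render;
/
CREATE OR REPLACE PACKAGE BODY demo_render AS
  PROCEDURE summary(p_id IN NUMBER) IS
  BEGIN
    DBMS_OUTPUT.PUT_LINE('report ' || p_id);
  END summary;

  -- Vulnerable pattern: p_func becomes part of the block's source text, so
  -- whatever the caller passes is compiled and run with the package owner's rights.
  PROCEDURE show_unsafe(p_id IN NUMBER, p_func IN VARCHAR2) IS
  BEGIN
    EXECUTE IMMEDIATE 'BEGIN ' || p_func || '(:id); END;' USING p_id;
  END show_unsafe;

  -- Hardened pattern: the value must parse as a qualified SQL name AND appear
  -- on an allowlist before it is placed in the block; data still goes via binds.
  PROCEDURE show_safe(p_id IN NUMBER, p_func IN VARCHAR2) IS
    l_name VARCHAR2(4000);
    l_hits PLS_INTEGER;
  BEGIN
    -- Raises ORA-44004 when the input is not a valid qualified SQL name.
    l_name := UPPER(DBMS_ASSERT.QUALIFIED_SQL_NAME(p_func));

    SELECT COUNT(*) INTO l_hits
      FROM demo_render_allowed
     WHERE callback_name = l_name;

    IF l_hits = 0 THEN
      RAISE_APPLICATION_ERROR(-20001, 'callback not permitted');
    END IF;

    EXECUTE IMMEDIATE 'BEGIN ' || l_name || '(:id); END;' USING p_id;
  END show_safe;
END demo_render;
/
```

  The syntax check alone is not sufficient, since any valid routine name would still be callable; the allowlist is what limits the procedure to its intended callbacks.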