Integrigy Security Advisory
______________________________________________________________________

Multiple High Risk Vulnerabilities in Oracle E-Business Suite 11i
Oracle Critical Patch Update - July 2005

July 12, 2005
______________________________________________________________________

Summary:

Oracle today will be releasing its third Critical Patch Update (July 2005). The patches contained in the Critical Patch Update will correct numerous security bugs in the Oracle Database, Oracle Application Server, and Oracle E-Business Suite.

A number of high risk SQL injection and parameter manipulation security vulnerabilities in the Oracle E-Business Suite are corrected by the security patches released today. Customers with Internet-facing implementations of the Oracle E-Business Suite should consider applying these patches as soon as possible. It is possible that an attacker with only a web browser and a network connection (either internal or external) to Oracle E-Business Suite web application servers can execute malicious SQL statements in the database as the APPS database account.

The Oracle E-Business Suite patches involved with this Critical Patch Update are much more complex than those in the previous CPUs and, in our opinion, will require additional functional testing. In addition, the Oracle E-Business Suite security patches are not cumulative; therefore, all the patches specified in this CPU and in previous CPUs must be applied.

Integrigy will be releasing more detailed guidance in the near future to assist our clients in determining the relevance and priority of patches for their Oracle E-Business Suite implementations. The Integrigy analysis for this Critical Patch Update will be posted at http://www.integrigy.com/analysis.htm when it is available.
______________________________________________________________________

For more information or questions regarding this security advisory, please contact us at alerts@xxxxxxxxxxxxxx

Integrigy has included checks for these vulnerabilities in AppSentry, a vulnerability scanner for Oracle Applications, and AppDefend, an application intrusion prevention system for Oracle Applications.

Credit: The vulnerabilities referenced in this advisory were discovered and reported to Oracle by Stephen Kost of Integrigy Corporation.
______________________________________________________________________

About Integrigy Corporation (www.integrigy.com)

Integrigy Corporation is a leader in application security for large enterprise, mission critical applications. Our application vulnerability assessment tool, AppSentry, assists companies in securing their largest and most important applications. AppDefend is an intrusion prevention system for Oracle Applications and blocks common types of attacks against application servers. Integrigy Consulting offers security assessment services for leading ERP and CRM applications. For more information, visit www.integrigy.com.