Signature Detail

DB: Oracle Database SQL Compiler Access Control Security Bypass

This signature detects attempts to exploit a known security bypass vulnerability in the Oracle Database Server product. Specifically, it is due to improper enforcement of user permissions on data access to tables through certain types of views. A remote authenticated attacker can use this to perform UPDATE, DELETE and INSERT operations without having proper privileges. The data stored in the Oracle Database can be modified, deleted, and inserted by the attacker, thereby compromising the availability and integrity of data.

Extended Description

Oracle has released a Critical Patch Update advisory for July 2007 to address multiple vulnerabilities for supported releases. Earlier unsupported releases are likely to be affected by these issues as well. The issues identified by the vendor affect all security properties of the Oracle products and present local and remote threats. Various levels of authorization are needed to leverage some of the issues, but other issues do not require any authorization. The most severe of the vulnerabilities could possibly expose affected computers to complete compromise.

Affected Products

• HP Oracle for OpenView 8.1.7
• HP Oracle for OpenView 9.1.01
• HP Oracle for OpenView 9.2
• HP Oracle for OpenView for Linux LTU
• HP Oracle for OpenView for Linux LTU Service Bureaus
• Oracle Application Express 1.5
• Oracle Application Express 2.0
• Oracle Application Express 2.1
• Oracle Application Express 2.2
• Oracle Application Server 10g 9.0.4 .3
• Oracle Collaboration Suite Release 1 10.1.2
• Oracle E-Business Suite 11i 11.5.10
• Oracle E-Business Suite 11i 11.5.10 CU2
• Oracle E-Business Suite 11i 11.5.8
• Oracle E-Business Suite 11i 11.5.9
• Oracle E-Business Suite 12 12.0.0
• Oracle E-Business Suite 12 12.0.1
• Oracle Oracle10g Application Server 10.1.2 .0.1
• Oracle Oracle10g Application Server 10.1.2 .0.2
• Oracle Oracle10g Application Server 10.1.2 .1.0
• Oracle Oracle10g Application Server 10.1.2 .2.0
• Oracle Oracle10g Application Server 10.1.3 .0.0
• Oracle Oracle10g Application Server 10.1.3 .1.0
• Oracle Oracle10g Application Server 10.1.3 .2.0
• Oracle Oracle10g Application Server 10.1.3 .3.0
• Oracle Oracle10g Enterprise Edition 10.1.0 .5
• Oracle Oracle10g Enterprise Edition 10.2.0 .2
• Oracle Oracle10g Enterprise Edition 10.2.0 .3
• Oracle Oracle10g Personal Edition 10.1.0.5
• Oracle Oracle10g Personal Edition 10.2.0 .2
• Oracle Oracle10g Personal Edition 10.2.0 .3
• Oracle Oracle10g Standard Edition 10.1.0 .5
• Oracle Oracle10g Standard Edition 10.2.0 .2
• Oracle Oracle10g Standard Edition 10.2.0 .3
• Oracle Oracle9i Application Server 1.0.2 .2
• Oracle Oracle9i Enterprise Edition 9.0.1 .5 FIPS
• Oracle Oracle9i Enterprise Edition 9.2.0.7.0
• Oracle Oracle9i Enterprise Edition 9.2.0.8.0
• Oracle Oracle9i Enterprise Edition 9.2.0 .8DV
• Oracle Oracle9i Personal Edition 9.0.1 .5 FIPS
• Oracle Oracle9i Personal Edition 9.2.0 .7
• Oracle Oracle9i Personal Edition 9.2.0 .8
• Oracle Oracle9i Personal Edition 9.2.0 .8DV
• Oracle Oracle9i Standard Edition 9.0.1 .5 FIPS
• Oracle Oracle9i Standard Edition 9.2.0 .7
• Oracle Oracle9i Standard Edition 9.2.0.8
• Oracle Oracle9i Standard Edition 9.2.0 .8DV
• Oracle PeopleSoft Enterprise Customer Relationship Manage 8.9
• Oracle PeopleSoft Enterprise Customer Relationship Manage 9.0
• Oracle PeopleSoft Enterprise Human Capital Management 8.9
• Oracle PeopleSoft Enterprise Human Capital Management 9.0
• Oracle PeopleSoft Enterprise PeopleTools 8.22
• Oracle PeopleSoft Enterprise PeopleTools 8.47
• Oracle PeopleSoft Enterprise PeopleTools 8.48
• Oracle PeopleSoft Enterprise PeopleTools 8.49
• Oracle Secure Enterprise Search 10g Release 1 10.1.6
• Oracle Secure Enterprise Search 10g Release 1 10.1.8

References

• BugTraq: 24887
• CVE: CVE-2007-3855