CERTA-2004-AVI-046

Vulnerability from certfr_avis - Published: - Updated:

A vulnerability has been discovered in Oracle9i Application Server and Oracle9i Database Server that allows a malicious user to cause a denial of service on both systems.

Description

A vulnerability has been discovered in the parsing of SOAP (Simple Object Access Protocol) data by the Oracle applications Oracle9i Application Server and Oracle9i Database Server.

By sending a maliciously crafted SOAP request, a malicious user can cause a denial of service of the Oracle applications. The risk is higher for Oracle9i Application Server second edition version 9.2.0.1 and earlier, because SOAP authentication is disabled by default.

Solution

Apply the update corresponding to your version (see the documentation section).

Impacted products
Vendor | Product | Description
Oracle | Database Server | Oracle9i Database Server second edition, version 9.2.0.2
Oracle | N/A | Oracle9i Application Server second edition, versions 9.0.3.0 and 9.0.3.1
N/A | N/A | Oracle9i Application Server second edition, version 9.0.2.1 and earlier versions
Oracle | N/A | Oracle9i Application Server first edition, version 1.0.2.2
Oracle | Database Server | Oracle9i Database Server first edition, version 9.0.1.4
References
Oracle Security Advisory 65 - vendor-advisory
Oracle patch - other


{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle9i Database Server seconde \u00e9dition, version 9.2.0.2 ;",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Application Server seconde \u00e9dition, versions 9.0.3.0 et 9.0.3.1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Application Server seconde \u00e9dition, version 9.0.2.1 et les versions ant\u00e9rieures ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Application Server premi\u00e8re \u00e9dition, version 1.0.2.2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Database Server premi\u00e8re \u00e9dition, version 9.0.1.4.",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans l\u0027analyse des donn\u00e9es SOAP\n(Simple Object Access Protocol) des applications Oracle : Oracle9i\nApplication Server et Oracle9i Database Server.  \n  \nUn utilisateur mal intentionn\u00e9 peut, en envoyant une requ\u00eate SOAP\nmalicieusement construite, r\u00e9aliser un d\u00e9ni de service des applications\nOracle. Le risque est plus important pour les versions Oracle9i\nApplication Server seconde \u00e9dition version 9.2.0.1 et ant\u00e9rieures car\nl\u0027authentification SOAP est d\u00e9sactiv\u00e9e par d\u00e9faut.\n\n## Solution\n\nAppliquer la mise \u00e0 jour correspondant \u00e0 votre version (cf. section\ndocumentation).\n",
  "cves": [],
  "links": [
    {
      "title": "Correctif Oracle :",
      "url": "http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT\u0026p_id=259556.1"
    }
  ],
  "reference": "CERTA-2004-AVI-046",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2004-02-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte sur Oracle9i Application Server et\nOracle9i Database Server qui permet \u00e0 un utilisateur mal intentionn\u00e9 de\nr\u00e9aliser un d\u00e9ni de service sur ces deux syst\u00e8mes.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Oracle9i Application et Dabase Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis de s\u00e9curit\u00e9 65 d\u0027Oracle",
      "url": "http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf"
    }
  ]
}

