Multiple Vulnerabilities in Oracle Databases


Systems Affected


Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
MySQL Enterprise Monitor, version(s) 3.0.25 and prior, 3.1.2 and prior
MySQL Server, version(s) 5.5.48 and prior, 5.6.29 and prior, 5.7.11 and prior
Oracle Berkeley DB, version(s) 11.2.5.0.32, 11.2.5.1.29, 11.2.5.2.42, 11.2.5.3.28, 12.1.6.0.35, 12.1.6.1.26

Threat Level


High


Overview


Multiple vulnerabilities have been reported in Oracle database products (Oracle Database Server, Oracle MySQL Server and Oracle Berkeley DB) which could be exploited by remote or local attackers to cause disclosure or modification of user and system information, Denial-of-Service (DoS), or complete takeover of the affected software component.


Description


1. Oracle Database Server Disclosure of Information vulnerability (CVE-2016-0690, CVE-2016-0691)
This vulnerability exists in the RDBMS Security component of Oracle Database Server. A local attacker could exploit this vulnerability by gaining "Create Session" privileges and acquiring logon to the software infrastructure. Successful exploitation of this vulnerability can result in unauthorized read, update, insert or delete access to some of the data accessible to RDBMS Security.

2. Oracle MySQL Server Disclosure of Information vulnerability (CVE-2016-0640, CVE-2016-0641, CVE-2016-0642, CVE-2016-0643)
This vulnerability exists in the DML, MyISAM and Federated sub-components of Oracle MySQL Server. A local attacker could exploit this vulnerability by gaining elevated privileges and acquiring logon to the software infrastructure. Successful exploitation of this vulnerability can result in unauthorized read, update, insert or delete access to data accessible to the affected component(s).

3. Oracle Database Server Denial-of-Service vulnerability (CVE-2016-0677)
This vulnerability exists in the RDBMS Security component of Oracle Database Server. A remote attacker could exploit this vulnerability by launching unauthenticated network attacks using the Kerberos protocol. Successful exploitation of this vulnerability can result in an unauthorized ability to cause a complete Denial-of-Service (DoS) of RDBMS Security.

4. Oracle MySQL Server Denial-of-Service vulnerability
This vulnerability exists in the Security Encryption, DML, MyISAM, Federated, DDL, FTS, PS, Replication, Optimizer and InnoDB sub-components of Oracle MySQL Server. A local attacker could exploit this vulnerability by gaining elevated privileges and acquiring logon to the software infrastructure. A remote attacker could exploit this vulnerability by launching unauthenticated network attacks via multiple protocols.
Successful exploitation of this vulnerability can result in an unauthorized ability to cause a complete Denial-of-Service (DoS) of MySQL Server.

5. Oracle Database Server Complete Takeover vulnerability (CVE-2016-0681, CVE-2016-3454)
This vulnerability exists in the Oracle OLAP and Java components of Oracle Database Server. A local attacker could exploit this vulnerability by gaining "Execute on DBMS_AW" privileges and acquiring logon to the software infrastructure. A remote attacker could exploit this vulnerability by launching unauthenticated network attacks via multiple protocols.
Successful exploitation of this vulnerability can result in complete takeover of the component leading to significant security impacts.

6. Oracle MySQL Server Complete Takeover vulnerability (CVE-2016-0639, CVE-2016-0705, CVE-2016-3461, CVE-2016-0657, CVE-2016-2047)
This vulnerability exists in the Packaging, Pluggable Authentication, Monitoring and JSON sub-components of Oracle MySQL Server. A remote attacker could exploit this vulnerability by launching network attacks via multiple protocols. Exploitation of some of these vulnerabilities requires authentication, while others do not.
Successful exploitation of this vulnerability can result in complete takeover of the component leading to significant security impacts.

7. Oracle Berkeley DB Complete Takeover vulnerability
This vulnerability exists in the Data Store component of Oracle Berkeley DB. A local attacker who has acquired logon to the software infrastructure could exploit this vulnerability without further authentication. A successful attack requires human interaction from a person other than the attacker.
Successful exploitation of this vulnerability can result in complete takeover of the component leading to significant security impacts.


Impact



Solution / Workarounds


Apply the appropriate patches as listed in the Oracle Security Bulletin April 2016:
http://www.oracle.com/technetwork/security-advisory/cpuapr2016v3-2985753.html
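As an added defender-side check (not part of this advisory), the following Python compares a version banner against the affected versions listed under Systems Affected above, so an administrator can decide quickly whether a given instance needs the patch. The function names are my own; the MySQL "and prior" ranges are interpreted as any build of the same major.minor branch at or below the listed one, and branches the advisory does not mention are reported as not affected.

```python
import re

# Affected versions, copied from the advisory's "Systems Affected" section.
# "X and prior": keyed by (major, minor) branch -> last affected patch level.
MYSQL_SERVER_MAX = {(5, 5): 48, (5, 6): 29, (5, 7): 11}
MYSQL_MONITOR_MAX = {(3, 0): 25, (3, 1): 2}
# Exact builds listed as affected; a banner such as "12.1.0.2.0" is matched
# by prefix because Oracle banners often carry a trailing component.
ORACLE_DB_AFFECTED = ["11.2.0.4", "12.1.0.1", "12.1.0.2"]
BERKELEY_DB_AFFECTED = ["11.2.5.0.32", "11.2.5.1.29", "11.2.5.2.42",
                        "11.2.5.3.28", "12.1.6.0.35", "12.1.6.1.26"]


def parse_version(text):
    """Return the first dotted numeric version in text as a tuple of ints,
    e.g. SELECT VERSION() output '5.6.28-log' -> (5, 6, 28)."""
    m = re.search(r"\d+(?:\.\d+)+", text)
    if not m:
        raise ValueError("no version number found in %r" % text)
    return tuple(int(p) for p in m.group(0).split("."))


def in_and_prior_range(version, branch_max):
    """True if version sits on a listed branch at or below its last affected
    patch level. Unlisted branches (e.g. 5.1) are reported as not affected
    because the advisory says nothing about them (assumption)."""
    if len(version) < 3:
        return False
    branch, patch = version[:2], version[2]
    return branch in branch_max and patch <= branch_max[branch]


def matches_listed_build(version, listed):
    """True if version starts with one of the exact builds in listed."""
    return any(version[:len(b)] == b for b in map(parse_version, listed))


def mysql_server_affected(banner):
    return in_and_prior_range(parse_version(banner), MYSQL_SERVER_MAX)


def mysql_monitor_affected(banner):
    return in_and_prior_range(parse_version(banner), MYSQL_MONITOR_MAX)


def oracle_db_affected(banner):
    return matches_listed_build(parse_version(banner), ORACLE_DB_AFFECTED)


def berkeley_db_affected(banner):
    return matches_listed_build(parse_version(banner), BERKELEY_DB_AFFECTED)
```

Feed it the raw output of `SELECT VERSION()` or the Oracle banner line; a True result means the instance is on the advisory's affected list and should be patched per the bulletin above.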


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.