Multiple Vulnerabilities in Oracle Databases

 

Systems Affected


Oracle Database Server, version(s) 11.2.0.4, 12.1.0.1, 12.1.0.2
Oracle GoldenGate, version(s) 11.2, 12.1.2
Oracle MySQL Server, version(s) 5.5.46 and prior, 5.6.27 and prior, 5.7.9

Threat Level


High


Overview


Multiple vulnerabilities have been reported in Oracle database products: Oracle Database Server, Oracle GoldenGate and Oracle MySQL Server. Some of these vulnerabilities can be exploited by authenticated local or remote attackers, while others require no authentication to exploit.

Successful exploitation of these vulnerabilities can result in disclosure or modification of user and system information, a Denial-of-Service (DoS) condition, or arbitrary code execution.


Description


1. Oracle Database Server Disclosure of Information vulnerability (CVE-2015-4921, CVE-2016-0467)
These vulnerabilities exist in the "Database Vault" and "Security" components of Oracle Database Server. A remote attacker who has obtained elevated privileges could exploit them through authenticated network attacks via the Oracle Net protocol.

Successful exploitation of these vulnerabilities can result in unauthorized update, insert, delete or read access to data accessible to the affected component.

2. Oracle MySQL Server Disclosure of Information vulnerability (CVE-2015-7744, CVE-2016-0606)
These vulnerabilities exist in the "MySQL Server" component of Oracle MySQL. A remote attacker could exploit them through network attacks via the MySQL protocol. Some of these vulnerabilities require authentication to exploit; others do not.

Successful exploitation of these vulnerabilities can result in unauthorized update, insert, delete or read access to data accessible to the affected component.

3. Oracle Database Server Denial-of-Service vulnerability (CVE-2015-4923, CVE-2016-0461, CVE-2016-0472, CVE-2016-0450)
These vulnerabilities exist in the "XML Developer's Kit for C" and "XDB - XML Database" components of Oracle Database Server and in the "Oracle GoldenGate" component of the Oracle GoldenGate software package. A remote attacker could exploit them through network attacks via the Oracle Net, HTTP or GoldenGate protocols. Some of these vulnerabilities require authentication to exploit; others do not.

Successful exploitation of these vulnerabilities can result in a partial or complete Denial-of-Service (DoS) of the affected component.

4. Oracle MySQL Server Denial-of-Service vulnerability
These vulnerabilities exist in the "MySQL Server" component of Oracle MySQL. A remote attacker could exploit them through authenticated network attacks via the MySQL protocol.

Successful exploitation of these vulnerabilities can result in a partial or complete Denial-of-Service (DoS) of the affected component.

5. Oracle Database Server Arbitrary Code Execution vulnerability (CVE-2015-4925, CVE-2016-0499, CVE-2016-0451, CVE-2016-0452)
These vulnerabilities exist in the "Workspace Manager" and "Java VM" components of Oracle Database Server and in the "Oracle GoldenGate" component of the Oracle GoldenGate software package. A remote attacker could exploit them through network attacks via the Oracle Net or GoldenGate protocols, or via multiple other protocols. Some of these vulnerabilities require authentication to exploit; others do not.

Successful exploitation of these vulnerabilities can result in unauthorized takeover of the component, leading to arbitrary code execution within the component, or takeover of the operating system, resulting in arbitrary code execution.

6. Oracle MySQL Server Arbitrary Code Execution vulnerability (CVE-2015-0546)
This vulnerability exists in the "MySQL Server" component of Oracle MySQL. A local attacker could exploit it through authenticated attacks after logging into the operating system.

Successful exploitation of this vulnerability can result in unauthorized takeover of the operating system, leading to arbitrary code execution within the component.


Impact



Solution / Workarounds


Apply the appropriate patches as listed in the Oracle Security Bulletin for January 2016:
http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html
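The first step in applying the bulletin is deciding which hosts actually run an affected release. The following script is an added example, not part of this advisory or of any Oracle tooling: it encodes the "Systems Affected" list above and checks version banners against it. It assumes banners in the form returned by MySQL's `SELECT VERSION()` (for example `5.6.27-log`) and exact release numbers for Oracle Database Server; the inventory rows and hostnames are constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

Version = Tuple[int, int, int]

# Affected releases, copied from the advisory's "Systems Affected" list.
# Each MySQL entry is (highest listed release, whether "and prior" applies).
MYSQL_AFFECTED = {
    (5, 5): ((5, 5, 46), True),   # 5.5.46 and prior
    (5, 6): ((5, 6, 27), True),   # 5.6.27 and prior
    (5, 7): ((5, 7, 9), False),   # 5.7.9 only, taken literally from the advisory
}
ORACLE_DB_AFFECTED = {"11.2.0.4", "12.1.0.1", "12.1.0.2"}   # exact release numbers
GOLDENGATE_AFFECTED_PREFIXES = ("11.2", "12.1.2")          # listed by branch

# Leading numeric triple of a banner such as "5.6.27-log" or "5.5.40-0ubuntu0.14.04.1".
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)")


def parse_version(banner: str) -> Optional[Version]:
    """Return (major, minor, patch) from a version banner, or None if unparseable."""
    m = VERSION_RE.match(banner)
    if m is None:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def mysql_needs_patch(banner: str) -> Optional[bool]:
    """True if the MySQL release is in the affected set, False if not, None if unparseable."""
    v = parse_version(banner)
    if v is None:
        return None
    entry = MYSQL_AFFECTED.get(v[:2])
    if entry is None:
        return False          # branch (e.g. 5.1 or 8.0) is not listed in this advisory
    limit, and_prior = entry
    return v <= limit if and_prior else v == limit


def oracle_db_needs_patch(version: str) -> bool:
    """Oracle Database Server is listed with exact four-part release numbers."""
    return version.strip() in ORACLE_DB_AFFECTED


def goldengate_needs_patch(version: str) -> bool:
    """GoldenGate is listed by branch, so match on the branch prefix."""
    v = version.strip()
    return any(v == p or v.startswith(p + ".") for p in GOLDENGATE_AFFECTED_PREFIXES)


def triage(inventory) -> Tuple[List[str], List[str]]:
    """Split (host, product, version) rows into hosts needing the patch and hosts to review by hand."""
    checks = {
        "mysql": mysql_needs_patch,
        "oracle-db": oracle_db_needs_patch,
        "goldengate": goldengate_needs_patch,
    }
    hits: List[str] = []
    unknown: List[str] = []
    for host, product, version in inventory:
        result = checks[product](version)
        if result is None:
            unknown.append(host)   # unparseable banner: review manually, never assume safe
        elif result:
            hits.append(host)
    return hits, unknown


# Constructed sample inventory (hypothetical hostnames, not taken from the advisory).
SAMPLE_INVENTORY = [
    ("db01.example", "mysql", "5.6.27-log"),
    ("db02.example", "mysql", "5.6.28"),
    ("db03.example", "mysql", "5.5.40-0ubuntu0.14.04.1"),
    ("db04.example", "mysql", "5.7.10"),
    ("db05.example", "mysql", "banner withheld"),
    ("ora01.example", "oracle-db", "12.1.0.2"),
    ("ora02.example", "oracle-db", "12.2.0.1"),
    ("gg01.example", "goldengate", "12.1.2.1.0"),
]

if __name__ == "__main__":
    needs_patch, review = triage(SAMPLE_INVENTORY)
    for host in needs_patch:
        print(f"{host}: affected release, apply the January 2016 patches")
    for host in review:
        print(f"{host}: version could not be determined, check manually")
```

The script follows the advisory literally: 5.7 is matched only at 5.7.9 because the list does not say "and prior" for that branch, and a banner that cannot be parsed is reported for manual review rather than silently treated as unaffected.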


References


http://www.cert-in.org.in/


Disclaimer


The information provided herein is on "as is" basis, without warranty of any kind.



© Copyright Sri Lanka CERT|CC. All Rights Reserved.