Team SHATTER Security Advisory: Multiple SQL Injection vulnerabilities in Oracle Enterprise Manager

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Team SHATTER Security Advisory

Multiple SQL Injection vulnerabilities in Oracle Enterprise Manager

July 22, 2009

Risk Level:
High

Affected versions:
Oracle Enterprise Manager Database Control 11 (11.1.0.6, 11.1.0.7) and Orac=
le Enterprise Manager 10g Grid Control 10.2.0.4 (and previous patchsets)=20

Remote exploitable:
Yes (Authentication is needed)

Credits:=20
This vulnerability was discovered and researched by Esteban Mart=EDnez Fay=
=F3 of Application Security Inc.=20

Details:=20
SQL Injection works by attempting to modify the parameters passed to an app=
lication to change the SQL statements that are passed to a database. SQL in=
jection can be used to insert additional SQL statements to be executed.
The Type, snapshot and table parameters used in web page /em/console/=
ecm/history/configHistory and fConfigGuid parameter used in /em/console/e=
cm/config/compare/compareWizSecondConfig are vulnerable to SQL Injection at=
tacks. These web pages are part of Oracle Enterprise Manager web applicatio=
n. It may be possible for a malicious user to execute a function with the e=
levated privileges of the SYSMAN database user in the repository database. =
This user has the DBA role granted.

Impact:
This vulnerability allow a Oracle Enterprise Manager user with VIEW (or mor=
e) privileges to execute a function call with the elevated privileges of th=
e SYSMAN database user.

Vendor Status:
Vendor was contacted and a patch was released.

Workaround:
There is no workaround for this issue.

Fix:
Apply Oracle Critical Patch Update July 2009 available at Oracle Metalink.

CVE:
CVE-2009-1966, CVE-2009-1967

Links:
Application Security, Inc advisory: http://www.appsecinc.com/resources/aler=
ts/oracle/2009-04.shtml
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpu=
jul2009.html


Timeline:
Vendor Notification - 7/11/2008
Vendor Response - 7/14/2008
Fix - 7/14/2009
Public Disclosure - 7/22/2009

Application Security, Incs database security solutions have helped over 1,=
600 organizations secure their databases from all internal and external thr=
eats while also ensuring that those organizations meet or exceed regulatory=
 compliance and audit requirements.

Disclaimer: The information in the advisory is believed to be accurate at t=
he time of publishing based on currently available information. Use of the =
information constitutes acceptance for use in an AS IS condition. There are=
 no warranties with regard to this information. Neither the author nor the =
publisher accepts any liability for any direct, indirect, or consequential =
loss or damage arising from use of, or reliance on, this information.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.7 (MingW32) - WinPT 1.2.0

iD8DBQFKd3Mm9EOAcmTuFN0RAsvtAKCy63s4g+vP3NMNgY/cH3Yk7IJXhwCdFxkI
x3i+U89DFXpEf/UHUalXsnc=3D
=3DD60y
-----END PGP SIGNATURE-----