CERTA-2004-AVI-046
Vulnerability from certfr_avis

A vulnerability has been discovered in Oracle9i Application Server and Oracle9i Database Server that allows a malicious user to cause a denial of service on both systems.

Description

A vulnerability has been discovered in the parsing of SOAP (Simple Object Access Protocol) data in the Oracle applications Oracle9i Application Server and Oracle9i Database Server.

By sending a maliciously crafted SOAP request, a malicious user can cause a denial of service of the Oracle applications. The risk is higher for Oracle9i Application Server second edition version 9.2.0.1 and earlier, because SOAP authentication is disabled by default.

Solution

Apply the update corresponding to your version (see the documentation section).

Impacted products
Vendor | Product | Description
Oracle | Database Server | Oracle9i Database Server second edition, version 9.2.0.2
Oracle | N/A | Oracle9i Application Server second edition, versions 9.0.3.0 and 9.0.3.1
N/A | N/A | Oracle9i Application Server second edition, version 9.0.2.1 and earlier versions
Oracle | N/A | Oracle9i Application Server first edition, version 1.0.2.2
Oracle | Database Server | Oracle9i Database Server first edition, version 9.0.1.4
References
Oracle security advisory 65 | None | vendor-advisory
Oracle patch: | - | other



{
  "$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
  "affected_systems": [
    {
      "description": "Oracle9i Database Server seconde \u00e9dition, version 9.2.0.2 ;",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Application Server seconde \u00e9dition, versions 9.0.3.0 et 9.0.3.1 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Application Server seconde \u00e9dition, version 9.0.2.1 et les versions ant\u00e9rieures ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "N/A",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Application Server premi\u00e8re \u00e9dition, version 1.0.2.2 ;",
      "product": {
        "name": "N/A",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    },
    {
      "description": "Oracle9i Database Server premi\u00e8re \u00e9dition, version 9.0.1.4.",
      "product": {
        "name": "Database Server",
        "vendor": {
          "name": "Oracle",
          "scada": false
        }
      }
    }
  ],
  "affected_systems_content": null,
  "content": "## Description\n\nUne vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte dans l\u0027analyse des donn\u00e9es SOAP\n(Simple Object Access Protocol) des applications Oracle : Oracle9i\nApplication Server et Oracle9i Database Server.  \n  \nUn utilisateur mal intentionn\u00e9 peut, en envoyant une requ\u00eate SOAP\nmalicieusement construite, r\u00e9aliser un d\u00e9ni de service des applications\nOracle. Le risque est plus important pour les versions Oracle9i\nApplication Server seconde \u00e9dition version 9.2.0.1 et ant\u00e9rieures car\nl\u0027authentification SOAP est d\u00e9sactiv\u00e9e par d\u00e9faut.\n\n## Solution\n\nAppliquer la mise \u00e0 jour correspondant \u00e0 votre version (cf. section\ndocumentation).\n",
  "cves": [],
  "initial_release_date": "2004-02-23T00:00:00",
  "last_revision_date": "2004-02-23T00:00:00",
  "links": [
    {
      "title": "Correctif Oracle :",
      "url": "http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT\u0026p_id=259556.1"
    }
  ],
  "reference": "CERTA-2004-AVI-046",
  "revisions": [
    {
      "description": "version initiale.",
      "revision_date": "2004-02-23T00:00:00.000000"
    }
  ],
  "risks": [
    {
      "description": "D\u00e9ni de service"
    }
  ],
  "summary": "Une vuln\u00e9rabilit\u00e9 a \u00e9t\u00e9 d\u00e9couverte sur Oracle9i Application Server et\nOracle9i Database Server qui permet \u00e0 un utilisateur mal intentionn\u00e9 de\nr\u00e9aliser un d\u00e9ni de service sur ces deux syst\u00e8mes.\n",
  "title": "Vuln\u00e9rabilit\u00e9 dans Oracle9i Application et Dabase Server",
  "vendor_advisories": [
    {
      "published_at": null,
      "title": "Avis de s\u00e9curit\u00e9 65 d\u0027Oracle",
      "url": "http://otn.oracle.com/deploy/security/pdf/2004alert65.pdf"
    }
  ]
}

