CERTVU:717140Oracle ENABLE_HIERARCHY_INTERNAL procedure vulnerable to PL/SQL injection
0.067 Low
EPSS
Percentile
93.8%
Overview
The Oracle ENABLE_HIERARCHY_INTERNAL procedure is vulnerable to PL/SQL injection. This vulnerability may allow a remote, authenticated attacker to execute arbitrary PL/SQL commands on a vulnerable Oracle installation.
Description
The Oracle ENABLE_HIERARCHY_INTERNAL procedure fails to properly sanitize user input. This may allow a remote attacker to insert arbitrary SQL commands that may be executed by the database. Note that an attacker must have execute privileges on XDB.DBMS_XDBZ package to exploit this vulnerability.
Based on research into public information, we believe that this issue is Oracle vuln# DB01 in the October 2006 Oracle CPU. However, there is not sufficient information to authoritatively relate Oracle vulnerability information to information provided by other parties.
Impact
A remote attacker may be able to execute PL/SQL queries on a server, possibly with elevated privileges. As a result, attackers may be able to view or modify the contents of an Oracle database.
Solution
Apply patches****
This issue is addressed in the Oracle Critical Patch Update for October 2006.
Vendor Information
717140
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
Oracle Corporation __ Affected
Notified: October 17, 2006 Updated: October 19, 2006
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Refer to <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>.
If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23717140 Feedback>).
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | ||
| Temporal | ||
| Environmental |
References
- <http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>
- <http://www.red-database-security.com/advisory/oracle_cpu_oct_2006.html>
- <http://www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf>
- <http://secunia.com/advisories/22396/>
- <http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html>
Acknowledgements
This vulnerability was reported in the Oracle Critical Patch Update for October 2006.
This document was written by Jeff Gennari based on information from Oracle, Alexander Kornbrust of Red-Database-Security GmbH, and David Litchfield of NGSSoftware.
Other Information
| CVE IDs: | CVE-2006-5332 |
|---|---|
| Severity Metric: | 4.97 Date Public: |
References
secunia.com/advisories/22396/
www.databasesecurity.com/oracle/OracleOct2006-CPU-Analysis.pdf
www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html
www.red-database-security.com/advisory/oracle_cpu_oct_2006.html
www.red-database-security.com/advisory/oracle_sql_injection_dbms_xdbz0.html
Related
