Oracle Database - SQL Injection in SYS.DBMS_CDC_IMPDP [DB01]

Type securityvulns
Reporter Securityvulns
Modified 2006-07-24T00:00:00


Name SQL Injection in package SYS.DBMS_CDC_IMPDP (6980711) [DB01]
Systems Oracle 10g Release 1
Severity High Risk
Category SQL Injection
Vendor URL
Author Alexander Kornbrust (ak at
Advisory 18 Jul 2006 (V 1.00)


The package SYS.DBMS_CDC_IMPDP contains SQL injection vulnerabilities in the procedures IMPORT_CHANGE_SET, IMPORT_CHANGE_TABLE, IMPORT_CHANGE_COLUMN, IMPORT_SUBSCRIBER, IMPORT_SUBSCRIBED_TABLE, IMPORT_SUBSCRIBED_COLUMN, VALIDATE_IMPORT, VALIDATE_CHANGE_SET, VALIDATE_CHANGE_TABLE, VALIDATE_SUBSCRIPTION. Oracle fixed these vulnerabilities with the package dbms_assert. To exploit this vulnerability it is necessary to have the privilege to create a PL/SQL-function.
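
An exposure check for the precondition stated above, as an added example that is not part of the original advisory. It assumes an account that can read the DBA_* dictionary views, and that EXECUTE on the package is what makes it reachable (the advisory names only the create-function privilege).

```sql
-- Added example, not from the advisory: exposure audit for SYS.DBMS_CDC_IMPDP.

-- 1. Grantees holding EXECUTE on the package (assumption: this grant is
--    what makes the package callable by a non-SYS account).
SELECT grantee, privilege, grantable
FROM   dba_tab_privs
WHERE  owner      = 'SYS'
AND    table_name = 'DBMS_CDC_IMPDP'
AND    privilege  = 'EXECUTE'
ORDER  BY grantee;

-- 2. Accounts able to create a PL/SQL function, the precondition named in
--    the advisory. CREATE PROCEDURE covers procedures, functions and
--    packages; the privilege may arrive directly, through nested roles,
--    or through PUBLIC.
WITH creators AS (
  SELECT grantee
  FROM   dba_sys_privs
  WHERE  privilege IN ('CREATE PROCEDURE', 'CREATE ANY PROCEDURE')
),
holders AS (
  SELECT grantee FROM creators
  UNION
  -- Walk role grants downwards: role -> roles/users that hold it.
  SELECT grantee
  FROM   dba_role_privs
  START WITH granted_role IN (SELECT grantee FROM creators)
  CONNECT BY PRIOR grantee = granted_role
)
SELECT u.username, u.account_status
FROM   dba_users u
WHERE  u.username IN (SELECT grantee FROM holders)
   OR  EXISTS (SELECT 1 FROM holders WHERE grantee = 'PUBLIC')
ORDER  BY u.username;
```

Accounts returned by query 2 are the ones to review first on an unpatched Oracle 10g Release 1 system; if query 1 lists PUBLIC, every such account can call the package.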

Patch Information

Apply the patches for Oracle CPU July 2006 on top of Oracle 10g Release 1.


01-nov-2005 Oracle secalert was informed
02-nov-2005 Bug confirmed
18-jul-2006 Oracle published CPU July 2006 [DB01]
18-jul-2006 Advisory published

Additional Information

An analysis of the Oracle CPU July 2006 is available here

This document will be updated during the next few days and weeks with the latest information.