September 01, 2004
Oracle Security Bulletin: Several Oracle Security Vulnerabilities
Advisory Overview
Qualys™ Vulnerability R&D Lab has released new vulnerability checks in QualysGuard® to protect organizations against the new Oracle® vulnerabilities that were announced earlier today. Customers can immediately audit their networks for these and other new vulnerabilities by accessing their QualysGuard subscription.
Vulnerability Details
Oracle has released its first monthly security rollup patch. This patch addresses more than 30 vulnerabilities found in Oracle Database, Oracle Enterprise Manager, and Oracle Application Server (the specific affected releases and versions are listed in Oracle's alert).

Qualys has released checks for several of the new vulnerabilities, including:

Oracle Database Server Multiple Vulnerabilities
SEVERITY: Urgent (5)
QUALYS ID: 19102
CVE REFERENCE: GENERIC-MAP-NOMATCH
THREAT: Multiple critical vulnerabilities have been reported by NGSSoftware in Oracle Database Server. Versions affected include:
  • Oracle Database 10g Release 1 Version 10.1.0.2
  • Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
  • Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
  • Oracle8i Database Server Release 3, version 8.1.7.4
IMPACT: The details of the vulnerabilities have not been disclosed yet. The advisory rates the severity of these as high.
SOLUTION: On the 31st of August 2004, Oracle released a set of patches addressing all of these issues (and other flaws found by other researchers). This patch set can be downloaded from the Metalink website.

Oracle Application Server Multiple Portal and iSQL Plus Vulnerabilities
SEVERITY: Critical (4)
QUALYS ID: 86675
CVE REFERENCE: GENERIC-MAP-NOMATCH
THREAT: A version of Oracle Application Server with multiple vulnerabilities in Portal and iSQL*Plus was detected. The vulnerable versions are Oracle AS 9.0.2.3, 9.0.3.1 and 1.0.2.2.
IMPACT: A remote attacker without authentication can exploit these vulnerabilities.
SOLUTION: Oracle has released patches for these vulnerabilities, which can be downloaded from the Oracle Support site.

These new vulnerability checks are included in Qualys vulnerability signatures v1.9.15-3. To view the vulnerability signature version in your account, from the QualysGuard HOME menu, select the Account Info tab.

Qualys is actively working to develop vulnerability checks for the remaining new Oracle vulnerabilities.
SELECTIVE SCAN INSTRUCTIONS USING QUALYSGUARD: Since the vulnerable services can reside on any port, Qualys recommends running a complete vulnerability scan against your assets to determine your exposure level. Should you wish to perform a selective vulnerability scan, use the following options:
  1. Enable scanning of TCP ports 1521 and 80
  2. Enable the following Qualys IDs:
    • 86675
    • 19102
  3. Enable the "Windows Host Name" signature (Qualys ID 82044) if you want to report on vulnerable hosts by Windows (NetBIOS) machine name.

Technical Support
For more information, customers may contact Qualys Technical Support directly at support@qualys.com or by telephone toll free at:
US: 1 866.801.6161 | EMEA: 33 1 44.17.00.41 | UK: +44 1753 872102
About QualysGuard
QualysGuard is an on-demand security audit service delivered over the web that enables organizations to effectively manage their vulnerabilities and maintain control over their network security with centralized reports, verified remedies, and full remediation workflow capabilities with trouble tickets. QualysGuard provides comprehensive reports on vulnerabilities including severity levels, time to fix estimates and impact on business, plus trend analysis on security issues. By continuously and proactively monitoring all network access points, QualysGuard dramatically reduces security managers' time researching, scanning and fixing network exposures and enables companies to eliminate network vulnerabilities before they can be exploited.

Access for QualysGuard customers: https://qualysguard.qualys.com

Free trial of QualysGuard service: http://www.qualys.com/forms/trials/qualysguard_trial/