| Release Date | Jun 25, 2009 |
| Severity | High |
| Impact | System Compromise |
| Description | This indicates an attack attempt against an SQL-injection vulnerability in Oracle Database Server product.
The vulnerability is caused by an error when the vulnerable software handles a specially crafted DBMS_AQADM_SYS packet. It allows a remote attacker to execute arbitrary SQL code within the security context of the database administrator. |
| Affected Products | Oracle Database 11g 11.1.0.6
Oracle Database 11g 11.1.0.7
Oracle Database 10g Release 2 versions 10.2.0.3
Oracle Database 10g Release 2 versions 10.2.0.4
Oracle Database 10g 10.1.0.5 |
| Recommended Actions | Apply the patch supplied by the vendor:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2009.html |
| Common Vulnerabilities and Exposures (CVE) | http://cve.mitre.org/cgi-bin/cvename.cgi?name=2009-0977
|
| Reference/s | http://www.securityfocus.com/bid/34461 (BugTraq)
http://www.red-database-security.com/advisory/oracle_sql_injection_dbms_aqadm_sys.html
|