Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities

Date: Mon, 7 Jun 2004 16:10:14 -0700

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site.

  Oracle E-Business Suite - Multiple SQL Injection Vulnerabilities

SUMMARY

Multiple SQL injection vulnerabilities exist in the Oracle E-Business Suite 11i and Oracle Applications 11.0. These vulnerabilities can be remotely exploited simply using a browser and sending a specially crafted URL to the web server. A mandatory patch from Oracle is required to solve these security issues.

DETAILS

Vulnerable Systems:

Integrigy has discovered multiple SQL injection vulnerabilities in almost all supported versions of Oracle Applications (11.0 and 11i). Because Oracle Applications 11i installs code for all product modules, all Oracle Applications 11i customers are vulnerable to these SQL injection issues.  

A SQL injection vulnerability allows an attacker to execute SQL statements or database functions by inserting SQL code fragments into input fields of a web page. Due to the design of Oracle Applications, a SQL injection attack can easily and effectively compromise the entire database and application.

Customers with Internet facing application servers are most vulnerable since these vulnerabilities can be exploited remotely using a browser. Since attacks can be specially crafted for Oracle Applications and an attack may only be a single HTTP Get or Post, successful attacks can be easily designed that will evade most intrusion detection and prevention systems.  

Oracle has released a patch for Oracle Applications 11.0 and the Oracle E-Business Suite 11i to correct these vulnerabilities.  

The following Oracle patches must be applied --

      Version     Patch
      -------     -----
      11i         3644626     (11.5.1 - 11.5.8)
      11.0        3648066     (all versions)

The patch availability matrix is available in Oracle Metalink Note ID 274375.1.  

Oracle Applications 11i customers that have applied both the Report Manager Mini-pack B (11i.FRM.B) or greater AND Marketing Suite Family Pack B (11i.MKT_PF.B) do NOT need to apply a patch for these vulnerabilities - these patch levels are included in 11.5.9.

All Oracle Applications customers should consider this vulnerability extremely high risk and apply the above patch at the earliest possible opportunity. Customers with Internet facing application servers should apply the patch immediately.  

Appropriate testing and backups should always be performed before applying any patches.

Additional Information:
Metalink Note ID 274356.1 (Oracle Security Alert)
Metalink Note ID 274375.1 (Patch Availability Matrix)

ADDITIONAL INFORMATION

The information has been provided by Integrigy Security.

Received on Mon Jun 07 2004 - 18:07:14 CDT
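
An added triage helper, not part of the original advisory or of any Oracle tooling, that applies the advisory's patch table and exemption rule to an inventory of instances. The instance names and pack levels are constructed sample data, the function names are hypothetical, and the exemption is read literally (FRM at level B or greater, MKT_PF at level B).

```python
import re

# Patch numbers and release ranges come from the advisory's patch table.
PATCH_11I = "3644626"  # 11i, releases 11.5.1 - 11.5.8
PATCH_110 = "3648066"  # 11.0, all versions

def _pack_letter(level, prefix):
    """Return the letter of a pack level such as '11i.FRM.B', else None."""
    m = re.fullmatch(re.escape(prefix) + r"\.([A-Z])", level or "")
    return m.group(1) if m else None

def required_patch(version, frm_level=None, mkt_pf_level=None):
    """Return the patch number an instance needs, None if the advisory says
    none is needed, or 'UNKNOWN' for releases the advisory does not cover."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not all(p.isdigit() for p in parts):
        return "UNKNOWN"
    nums = [int(p) for p in parts]
    if nums[:2] == [11, 0]:
        return PATCH_110  # every 11.0 version needs the patch
    if nums[:2] != [11, 5] or len(nums) < 3:
        return "UNKNOWN"
    if nums[2] == 9:
        return None  # the fixed pack levels are included in 11.5.9
    if not 1 <= nums[2] <= 8:
        return "UNKNOWN"  # outside the range listed in the table
    frm = _pack_letter(frm_level, "11i.FRM")
    mkt = _pack_letter(mkt_pf_level, "11i.MKT_PF")
    # Exemption requires BOTH packs. Read literally: "or greater" applies to
    # FRM only, so any MKT_PF level other than B still gets the patch.
    if frm is not None and frm >= "B" and mkt == "B":
        return None
    return PATCH_11I

# Constructed sample inventory: (name, version, FRM level, MKT_PF level).
INVENTORY = [
    ("prod-ext", "11.5.8", None, None),
    ("prod-int", "11.5.7", "11i.FRM.C", "11i.MKT_PF.B"),
    ("uat", "11.5.7", "11i.FRM.B", None),
    ("dev", "11.5.9", None, None),
    ("legacy", "11.0.3", None, None),
]

def triage(inventory):
    """Map each instance name to its required patch (or None / 'UNKNOWN')."""
    return {n: required_patch(v, frm, mkt) for n, v, frm, mkt in inventory}

if __name__ == "__main__":
    for name, patch in triage(INVENTORY).items():
        print(f"{name:10} {patch or 'no patch needed'}")
```

Instances that come back as `UNKNOWN` fall outside the releases the advisory lists and should be checked against the patch availability matrix in Metalink Note ID 274375.1.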
