Security Advisory July 20, 2006

 

 

1. Vulnerabilities in Oracle

2. Microsoft IIS ASP Remote Code Execution Vulnerability

 

 

1. Vulnerabilities in Oracle

 

 

Oracle products and components are affected by multiple vulnerabilities. The impacts of these vulnerabilities include remote execution of arbitrary code, information disclosure, and denial of service.

 

 

I. Description

 

Oracle has released Critical Patch Update - July 2006. This update addresses numerous vulnerabilities in different Oracle products and components.

 

The Critical Patch Update provides information about affected components, access and authorization required, and the impact of the vulnerabilities on data confidentiality, integrity, and availability.

MetaLink customers should refer to MetaLink Note 293956.1 (login required) for more information on terms used in the Critical Patch Update.

 

According to Oracle, four of the vulnerabilities corrected in the Oracle Critical Patch Update - July 2006 affect Oracle Database client-only installations.

 

We believe that the Oracle Database vulnerability identified as Oracle Vuln# DB06 in the Oracle Critical Patch Update corresponds to US-CERT Vulnerability Note VU#932124, which includes further details as well as workarounds. In most cases, Oracle does not associate Vuln# identifiers (e.g., DB01) with other available information. As more details about vulnerabilities and remediation strategies become available, we will update the individual vulnerability notes.

 

II. Impact

 

The impact of these vulnerabilities varies depending on the product, component, and configuration of the system. Potential consequences include the execution of arbitrary code or commands, information disclosure, and denial of service. Vulnerable components may be available to unauthenticated, remote attackers. An attacker who compromises an Oracle database may be able to gain access to sensitive information.

 

 

III. Solution

 

Apply a patch from Oracle

 

Apply the appropriate patches or upgrade as specified in the Oracle Critical Patch Update - April 2006. Note that this Critical Patch Update only lists newly corrected issues. Updates to patches for previously known issues are not listed.

 

Appendix A. References

 

  * US-CERT Vulnerability Note VU#932124 -

 <http://www.kb.cert.org/vuls/id/932124>

 

  * US-CERT Vulnerability Notes Related to Critical Patch Update -

 July 2006 -

 <http://www.kb.cert.org/vuls/byid?searchview&query=oracle_cpu_july

 _2006>

 

  * Critical Patch Update - July 2006 -

 <http://www.oracle.com/technology/deploy/security/pdf/cpujul2006.h

 tml>

 

  * Critical Patch Updates and Security Alerts -

 <http://www.oracle.com/technology/deploy/security/alerts.htm>

 

  * Oracle Database Security Checklist (PDF) -

 <http://www.oracle.com/technology/deploy/security/pdf/twp_security

 _checklist_db_database.pdf>

 

  * MetaLink Note 293956.1 (login required) -

 <http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=29395

 6.1>

 

  * MetaLink Note 372930.1 (login required) -

 <http://metalink.oracle.com/metalink/plsql/showdoc?db=Not&id=37293

 0.1>

 

  * Details Oracle Critical Patch Update July 2006 -

 <http://www.red-database-security.com/advisory/oracle_cpu_jul_2006

 .html>

 

 

 

2. Microsoft IIS ASP Remote Code Execution Vulnerability

 

I. Description

 

Microsoft Internet Information Server (IIS) is prone to a remote code-execution vulnerability because it fails to properly bounds-check user-supplied input before copying it to an insufficiently sized memory buffer.

 

To exploit this issue, attackers must be able to place and execute malicious ASP pages on computers running the affected ASP server software. This may be an issue in shared-hosting environments.

 

II. Impact

 

Vulnerable:  Microsoft Windows XP Tablet PC Edition SP2 Microsoft Windows XP Tablet PC Edition SP1 Microsoft Windows XP Tablet PC Edition Microsoft Windows XP Professional x64 Edition Microsoft Windows XP Professional SP2 Microsoft Windows XP Professional SP1 Microsoft Windows XP Professional Microsoft Windows XP Media Center Edition SP2 Microsoft Windows XP Media Center Edition SP1 Microsoft Windows XP Media Center Edition Microsoft Windows XP Home SP2 Microsoft Windows XP Home SP1 Microsoft Windows XP Home Microsoft Windows Server 2003 Web Edition SP1 Microsoft Windows Server 2003 Web Edition Microsoft Windows Server 2003 Standard x64 Edition Microsoft Windows Server 2003 Standard Edition SP1 Microsoft Windows Server 2003 Standard Edition Microsoft Windows Server 2003 Enterprise x64 Edition Microsoft Windows Server 2003 Enterprise Edition 64-bit SP1 Microsoft Windows Server 2003 Enterprise Edition 64-bit Microsoft Windows Server 2003 Enterprise Edition SP1 Microsoft Windows Server 2003 Enterprise Edition Microsoft Windows Server 2003 Datacenter x64 Edition Microsoft Windows Server 2003 Datacenter Edition 64-bit SP1 Microsoft Windows Server 2003 Datacenter Edition 64-bit Microsoft Windows Server 2003 Datacenter Edition SP1 Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows 2000 Server SP4 Microsoft Windows 2000 Server SP3 Microsoft Windows 2000 Server SP2 Microsoft Windows 2000 Server SP1 Microsoft Windows 2000 Server

+ Avaya DefinityOne Media Servers

+ Avaya IP600 Media Servers

+ Avaya S3400 Message Application Server Avaya S8100 Media Servers

Microsoft Windows 2000 Professional SP4

Microsoft Windows 2000 Professional SP3

Microsoft Windows 2000 Professional SP2

Microsoft Windows 2000 Professional SP1

Microsoft Windows 2000 Professional

Microsoft Windows 2000 Datacenter Server SP4 Microsoft Windows 2000 Datacenter Server SP3 Microsoft Windows 2000 Datacenter Server SP2 Microsoft Windows 2000 Datacenter Server SP1 Microsoft Windows 2000 Datacenter Server Microsoft Windows 2000 Advanced Server SP4 Microsoft Windows 2000 Advanced Server SP3 Microsoft Windows 2000 Advanced Server SP2 Microsoft Windows 2000 Advanced Server SP1 Microsoft Windows 2000 Advanced Server Microsoft IIS 6.0

+ Microsoft Windows Server 2003 Datacenter Edition Microsoft Windows

+ Server 2003 Datacenter Edition 64-bit Microsoft Windows Server 2003

+ Enterprise Edition Microsoft Windows Server 2003 Enterprise Edition

+ 64-bit Microsoft Windows Server 2003 Standard Edition Microsoft

+ Windows Server 2003 Web Edition

Microsoft IIS 5.1

+ Microsoft Windows XP 64-bit Edition SP1 Microsoft Windows XP 64-bit

+ Edition

- Microsoft Windows XP Home SP1

- Microsoft Windows XP Home

+ Microsoft Windows XP Professional SP1

+ Microsoft Windows XP Professional

Microsoft IIS 5.0

- Microsoft Windows 2000 Advanced Server SP2

- Microsoft Windows 2000 Advanced Server SP1

+ Microsoft Windows 2000 Advanced Server

- Microsoft Windows 2000 Datacenter Server SP2

- Microsoft Windows 2000 Datacenter Server SP1

- Microsoft Windows 2000 Professional SP2

- Microsoft Windows 2000 Professional SP1

+ Microsoft Windows 2000 Professional

- Microsoft Windows 2000 Server SP2

- Microsoft Windows 2000 Server SP1

+ Microsoft Windows 2000 Server

 

 

III. Solution

 

Microsoft has released an advisory along with fixes to address this issue

 

Appendix A. References

 

http://www.securityfocus.com/bid/18858/solution

 

http://www.securityfocus.com/bid/18858/references

 

 

Please forward this advisory to the personnel responsible for management and administration of the affected systems.

 

If you would like to be included into the security distribution list, please visit http://operations.doit.ri.gov/security/ls.php and provide your email address.

You request will be evaluated and responded to with in 24 hours.

 

Enterprise Information Security Office