Vulnerabilities > CVE-2008-4005 - Unspecified vulnerability in Oracle Database 11I 11.1.0.6
Attack vector
NETWORK Attack complexity
HIGH Privileges required
MULTIPLE Confidentiality impact
PARTIAL Integrity impact
PARTIAL Availability impact
PARTIAL Summary
Unspecified vulnerability in the Oracle Application Express component in Oracle Database 11.1.0.6 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 1 |
Nessus
NASL family Web Servers NASL id ORACLE_APEX_CVE-2008-4005.NASL description An unspecified vulnerability in the Oracle Application Express component of Oracle Database version 11.1.0.6 allows remote, authenticated users to affect confidentiality, integrity, and availability via unpublished vectors. last seen 2020-06-01 modified 2020-06-02 plugin id 64707 published 2013-02-20 reporter This script is Copyright (C) 2013-2018 Recx Ltd. source https://www.tenable.com/plugins/nessus/64707 title Oracle Application Express (Apex) CVE-2008-4005 code # --------------------------------------------------------------------------------- # (c) Recx Ltd 2009-2012 # http://www.recx.co.uk/ # # Detection script for multiple issues within Oracle Application Express # # <3.1.2 # There is one Oracle Application Express security vulnerability listed in the risk matrix above. Security vulnerabilities in Oracle Application Express are fixed in version 3.1.2 and later # https://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html # Unspecified vulnerability in the Oracle Application Express component in Oracle Database 11.1.0.6 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. # CVE-2008-4005 # # Version 1.0 # --------------------------------------------------------------------------------- include("compat.inc"); if (description) { script_id(64707); script_version("1.6"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/12"); script_cve_id("CVE-2008-4005"); script_bugtraq_id(31683); script_name(english:"Oracle Application Express (Apex) CVE-2008-4005"); script_summary(english:"Checks Apex version against CVE-2008-4005"); script_set_attribute(attribute:"synopsis", value:"The remote host is running a vulnerable version of Oracle Apex."); script_set_attribute( attribute:"description", value: "An unspecified vulnerability in the Oracle Application Express component of Oracle Database version 11.1.0.6 allows remote, authenticated users to affect confidentiality, integrity, and availability via unpublished vectors." ); script_set_attribute(attribute:"solution", value:"Upgrade Application Express to the at least version 3.1.2."); script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:M/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"see_also", value:"http://www.oracle.com/technetwork/developer-tools/apex/index.html"); script_set_attribute(attribute:"see_also", value:"https://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/02/20"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/10/13"); script_set_attribute(attribute:"patch_publication_date", value:"2008/10/13"); script_set_attribute(attribute:"plugin_type", value:"remote"); script_set_attribute(attribute:"cpe",value:"cpe:/a:oracle:application_express"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Web Servers"); script_copyright(english:"This script is Copyright (C) 2013-2020 Recx Ltd."); script_dependencies("oracle_apex_detect_version.nasl"); script_require_keys("Oracle/Apex"); script_require_ports("Services/www", 8080, 80, 443); exit(0); } include("global_settings.inc"); include("http_func.inc"); include("http_keepalive.inc"); function raise_finding(port, report) { if(report_verbosity > 0) security_warning(port:port, extra:report); else security_warning(port); } port = get_http_port(default:8080, embedded:TRUE); if (!get_port_state(port)) exit(0, "Port " + port + " is not open."); version = get_kb_item("Oracle/Apex/"+port+"/Version"); if(!version) exit(0, "The 'Oracle/Apex/" + port + "/Version' KB item is not set."); location = get_kb_item("Oracle/Apex/" + port + "/Location"); if(!location) exit(0, "The 'Oracle/Apex/" + port + "/Location' KB item is not set."); url = build_url(qs:location, port:port); if (version == "2.2" || version == "3.0" || version == "3.0.1" || version == "3.1" || version == "3.1.1") { report = '\n URL : ' + url + '\n Installed version : ' + version + '\n Fixed version : 3.1.2' + '\n'; raise_finding(port:port, report:report); exit(0); } exit(0, "The Oracle Apex install at " + url + " is version " + version + " and is not affected.");
NASL family Databases NASL id ORACLE_RDBMS_CPU_OCT_2008.NASL description The remote Oracle database server is missing the October 2008 Critical Patch Update (CPU) and therefore is potentially affected by security issues in the following components : - Core RDBMS - Oracle Application Express - Oracle Data Capture - Oracle Data Mining - Oracle OLAP - Oracle Spatial - Upgrade - Workspace Manager last seen 2020-06-02 modified 2011-11-16 plugin id 56062 published 2011-11-16 reporter This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/56062 title Oracle Database Multiple Vulnerabilities (October 2008 CPU) code # # (C) Tenable Network Security, Inc. # include('compat.inc'); if (description) { script_id(56062); script_version("1.17"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01"); script_cve_id( "CVE-2008-2624", "CVE-2008-2625", "CVE-2008-3976", "CVE-2008-3980", "CVE-2008-3982", "CVE-2008-3983", "CVE-2008-3984", "CVE-2008-3989", "CVE-2008-3990", "CVE-2008-3991", "CVE-2008-3992", "CVE-2008-3994", "CVE-2008-3995", "CVE-2008-3996", "CVE-2008-4005" ); script_bugtraq_id(31683); script_name(english:"Oracle Database Multiple Vulnerabilities (October 2008 CPU)"); script_summary(english:"Checks installed patch info"); script_set_attribute(attribute:"synopsis", value: "The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Oracle database server is missing the October 2008 Critical Patch Update (CPU) and therefore is potentially affected by security issues in the following components : - Core RDBMS - Oracle Application Express - Oracle Data Capture - Oracle Data Mining - Oracle OLAP - Oracle Spatial - Upgrade - Workspace Manager"); script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?9a813466"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the October 2008 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:P/I:P/A:P"); script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available"); script_set_attribute(attribute:"exploit_available", value:"true"); script_set_attribute(attribute:"vuln_publication_date", value:"2008/10/14"); script_set_attribute(attribute:"patch_publication_date", value:"2008/10/14"); script_set_attribute(attribute:"plugin_publication_date", value:"2011/11/16"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2011-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin"); exit(0); } include("oracle_rdbms_cpu_func.inc"); ################################################################################ # OCT2008 patches = make_nested_array(); # RDBMS 11.1.0.6 patches["11.1.0.6"]["db"]["nix"] = make_array("patch_level", "11.1.0.6.4", "CPU", "7375639"); patches["11.1.0.6"]["db"]["win32"] = make_array("patch_level", "11.1.0.6.7", "CPU", "7378392"); patches["11.1.0.6"]["db"]["win64"] = make_array("patch_level", "11.1.0.6.7", "CPU", "7378393"); # RDBMS 10.1.0.5 patches["10.1.0.5"]["db"]["nix"] = make_array("patch_level", "10.1.0.5.12", "CPU", "7375686"); patches["10.1.0.5"]["db"]["win32"] = make_array("patch_level", "10.1.0.5.28", "CPU", "7367493"); # RDBMS 10.2.0.4 patches["10.2.0.4"]["db"]["nix"] = make_array("patch_level", "10.2.0.4.0.2", "CPU", "7375644"); patches["10.2.0.4"]["db"]["win32"] = make_array("patch_level", "10.2.0.4.9", "CPU", "7386320"); patches["10.2.0.4"]["db"]["win64"] = make_array("patch_level", "10.2.0.4.9", "CPU", "7386321"); # RDBMS 10.2.0.3 patches["10.2.0.3"]["db"]["nix"] = make_array("patch_level", "10.2.0.3.8", "CPU", "7369190"); patches["10.2.0.3"]["db"]["win32"] = make_array("patch_level", "10.2.0.3.27", "CPU", "7353782"); patches["10.2.0.3"]["db"]["win64"] = make_array("patch_level", "10.2.0.3.27", "CPU", "7353785"); # RDBMS 10.2.0.2 patches["10.2.0.2"]["db"]["nix"] = make_array("patch_level", "10.2.0.2.11", "CPU", "7375660"); check_oracle_database(patches:patches);
Seebug
bulletinFamily | exploit |
description | BUGTRAQ ID: 31683 CVE(CAN) ID: CVE-2008-4008,CVE-2008-4009,CVE-2008-4010,CVE-2008-4011,CVE-2008-4012,CVE-2008-4013,CVE-2008-4000,CVE-2008-4001,CVE-2008-4002,CVE-2008-4003,CVE-2008-4004,CVE-2008-3985,CVE-2008-3988,CVE-2008-3998,CVE-2008-3619,CVE-2008-3993,CVE-2008-3975,CVE-2008-3977,CVE-2008-3588,CVE-2008-3986,CVE-2008-3987,CVE-2008-3989,CVE-2008-2624,CVE-2008-3996,CVE-2008-3992,CVE-2008-3976,CVE-2008-3982,CVE-2008-3983,CVE-2008-3984,CVE-2008-3994,CVE-2008-3980,CVE-2008-4005,CVE-2008-2625,CVE-2008-3990,CVE-2008-3991 Oracle Database是一款商业性质大型数据库系统。 Oracle发布了2008年7月的紧急补丁更新公告,修复了多个Oracle产品中的多个漏洞。这些漏洞影响Oracle产品的所有安全属性,可导致本地和远程的威胁。其中一些漏洞可能需要各种级别的授权,但也有些不需要任何授权。最严重的漏洞可能导致完全入侵数据库系统。目前已知的漏洞包括: BEA WebLogic Workshop中有关NetUI标签的漏洞可能导致信息泄露。 BEA WebLogic Server在使用多个授权者(如XACMLAuthorizer和DefaultAuthorizer)时的错误可能允许绕过某些安全限制。 Apache的WebLogic插件中的错误可能导致完全的系统入侵。 将Bea WebLogic Server 8.1SP3升级到更高版本可能导致无效用户可以使用之前受保护的应用。成功攻击要求使用了CLIENT-CERT认证方式。 Oracle Application Server 9.0.4.3 Oracle Application Server 10.1.3.4.0 Oracle Application Server 10.1.3.0.0 Oracle Application Server 10.1.2.3.0 Oracle Application Server 10.1.2.2.0 Oracle E-Business Suite 12.0.4 Oracle E-Business Suite 11.5.10.2 Oracle Database 9.2.0.8DV Oracle Database 9.2.0.8 Oracle Database 11.1.0.6 Oracle Database 10.2.0.4 Oracle Database 10.2.0.3 Oracle Database 10.2.0.2 Oracle Database 10.1.0.5 Oracle JD Edwards EnterpriseOne Tools 8.98 Oracle JD Edwards EnterpriseOne Tools 8.97 Oracle PeopleSoft Enterprise PeopleTools 8.49.14 Oracle PeopleSoft Enterprise PeopleTools 8.48.18 Oracle WebLogic Server 9.2 Oracle WebLogic Server 9.1 Oracle WebLogic Server 9.0 Oracle WebLogic Server 8.1 Oracle WebLogic Server 7.0 Oracle WebLogic Server 6.1 Oracle WebLogic Server 10.0 Oracle PeopleSoft Enterprise Portal 9.0 Oracle PeopleSoft Enterprise Portal 8.9 Oracle Workshop for WebLogic 9.2 Oracle Workshop for WebLogic 9.1 Oracle Workshop for WebLogic 9.0 Oracle Workshop for WebLogic 8.1 Oracle Workshop for WebLogic 10.3 GA Oracle Workshop for WebLogic 10.2 GA Oracle Workshop for WebLogic 10.0 厂商补丁: Oracle ------ Oracle已经为此发布了一个安全公告(cpuoct2008)以及相应补丁: cpuoct2008:Oracle Critical Patch Update Advisory - October 2008 链接:<a href=http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html?_template=/o target=_blank>http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2008.html?_template=/o</a> |
id | SSV:4264 |
last seen | 2017-11-19 |
modified | 2008-10-20 |
published | 2008-10-20 |
reporter | Root |
title | Oracle 2008年10月紧急补丁更新修复多个漏洞 |