Vulnerabilities > CVE-2013-3751 - Remote Security vulnerability in Oracle Database Server 11.2.0.2/11.2.0.3
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
COMPLETE Integrity impact
COMPLETE Availability impact
COMPLETE Summary
Unspecified vulnerability in the XML Parser component in Oracle Database Server 11.2.0.2, 11.2.0.3, and 12.1.0.1 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.
Vulnerable Configurations
| Part | Description | Count |
|---|---|---|
| Application | 2 |
Nessus
NASL family Databases NASL id ORACLE_RDBMS_CPU_JUL_2013.NASL description The remote Oracle database server is missing the July 2013 Critical Patch Update (CPU) and is, therefore, potentially affected by security issues in the following components : - XML Parser - Network Layer - Oracle Executable - Core RDBMS last seen 2020-06-02 modified 2013-07-17 plugin id 68934 published 2013-07-17 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68934 title Oracle Database Multiple Vulnerabilities (July 2013 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(68934); script_version("1.17"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01"); script_cve_id( "CVE-2013-3751", "CVE-2013-3758", "CVE-2013-3774", "CVE-2013-3760", "CVE-2013-3771", "CVE-2013-3789", "CVE-2013-3790" ); script_bugtraq_id( 61205, 61206, 61207, 61209, 61211, 61215, 61219 ); script_name(english:"Oracle Database Multiple Vulnerabilities (July 2013 CPU)"); script_summary(english:"Checks installed patch info"); script_set_attribute(attribute:"synopsis", value:"The remote database server is affected by multiple vulnerabilities."); script_set_attribute( attribute:"description", value: "The remote Oracle database server is missing the July 2013 Critical Patch Update (CPU) and is, therefore, potentially affected by security issues in the following components : - XML Parser - Network Layer - Oracle Executable - Core RDBMS" ); script_set_attribute(attribute:"see_also", value:"https://www.zerodayinitiative.com/advisories/ZDI-13-199/"); # https://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?e1cbd417"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2013 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"); script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-3751"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/07/16"); script_set_attribute(attribute:"patch_publication_date", value:"2013/07/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/07/17"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin"); exit(0); } include("oracle_rdbms_cpu_func.inc"); ################################################################################ # JUL2013 patches = make_nested_array(); # RDBMS 11.1.0.7 patches["11.1.0.7"]["db"]["nix"] = make_array("patch_level", "11.1.0.7.16", "CPU", "16742110, 16619896"); patches["11.1.0.7"]["db"]["win32"] = make_array("patch_level", "11.1.0.7.53", "CPU", "16803787"); patches["11.1.0.7"]["db"]["win64"] = make_array("patch_level", "11.1.0.7.53", "CPU", "16803788"); # RDBMS 11.2.0.2 patches["11.2.0.2"]["db"]["nix"] = make_array("patch_level", "11.2.0.2.11", "CPU", "16742100, 16619893"); patches["11.2.0.2"]["db"]["win32"] = make_array("patch_level", "11.2.0.2.26", "CPU", "16345851"); patches["11.2.0.2"]["db"]["win64"] = make_array("patch_level", "11.2.0.2.26", "CPU", "16345852"); # RDBMS 11.2.0.3 patches["11.2.0.3"]["db"]["nix"] = make_array("patch_level", "11.2.0.3.7", "CPU", "16742095, 16619892"); patches["11.2.0.3"]["db"]["win32"] = make_array("patch_level", "11.2.0.3.22", "CPU", "16803774"); patches["11.2.0.3"]["db"]["win64"] = make_array("patch_level", "11.2.0.3.22", "CPU", "16803775"); # RDBMS 10.2.0.5 patches["10.2.0.5"]["db"]["nix"] = make_array("patch_level", "10.2.0.5.12", "CPU", "16742123, 16619894"); patches["10.2.0.5"]["db"]["win32"] = make_array("patch_level", "10.2.0.5.22", "CPU", "16803780"); patches["10.2.0.5"]["db"]["win64"] = make_array("patch_level", "10.2.0.5.22", "CPU", "16803782, 18940198"); # RDBMS 10.2.0.4 patches["10.2.0.4"]["db"]["nix"] = make_array("patch_level", "10.2.0.4.17", "CPU", "16742253, 16619897"); check_oracle_database(patches:patches, high_risk:TRUE);NASL family Databases NASL id ORACLE_RDBMS_CPU_JUL_2014.NASL description The remote Oracle database server is missing the July 2014 Critical Patch Update (CPU). It is, therefore, affected by security issues in the following components : - XML Parser - Network Layer - RDBMS Core last seen 2020-06-02 modified 2014-07-16 plugin id 76531 published 2014-07-16 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/76531 title Oracle Database Multiple Vulnerabilities (July 2014 CPU) code # # (C) Tenable Network Security, Inc. # include("compat.inc"); if (description) { script_id(76531); script_version("1.10"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/01"); script_cve_id( "CVE-2013-3751", "CVE-2013-3774", "CVE-2014-4236", "CVE-2014-4237", "CVE-2014-4245" ); script_bugtraq_id(61206, 61207, 68617, 68627, 68633); script_name(english:"Oracle Database Multiple Vulnerabilities (July 2014 CPU)"); script_summary(english:"Checks the installed patch info."); script_set_attribute(attribute:"synopsis", value:"The remote database server is affected by multiple vulnerabilities."); script_set_attribute(attribute:"description", value: "The remote Oracle database server is missing the July 2014 Critical Patch Update (CPU). It is, therefore, affected by security issues in the following components : - XML Parser - Network Layer - RDBMS Core"); # https://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?77697fb1"); script_set_attribute(attribute:"solution", value: "Apply the appropriate patch according to the July 2014 Oracle Critical Patch Update advisory."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C"); script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C"); script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available"); script_set_attribute(attribute:"exploit_available", value:"false"); script_set_attribute(attribute:"vuln_publication_date", value:"2014/07/15"); script_set_attribute(attribute:"patch_publication_date", value:"2014/07/15"); script_set_attribute(attribute:"plugin_publication_date", value:"2014/07/16"); script_set_attribute(attribute:"plugin_type", value:"combined"); script_set_attribute(attribute:"cpe", value:"cpe:/a:oracle:database_server"); script_set_attribute(attribute:"agent", value:"all"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_family(english:"Databases"); script_copyright(english:"This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_dependencies("oracle_rdbms_query_patch_info.nbin", "oracle_rdbms_patch_info.nbin"); exit(0); } include("oracle_rdbms_cpu_func.inc"); ################################################################################ # JUL2014 patches = make_nested_array(); # RDBMS 11.1.0.7 patches["11.1.0.7"]["db"]["nix"] = make_array("patch_level", "11.1.0.7.20", "CPU", "18681875, 18522513"); patches["11.1.0.7"]["db"]["win32"] = make_array("patch_level", "11.1.0.7.57", "CPU", "18944207"); patches["11.1.0.7"]["db"]["win64"] = make_array("patch_level", "11.1.0.7.57", "CPU", "18944208"); # RDBMS 12.1.0.1 patches["12.1.0.1"]["db"]["nix"] = make_array("patch_level", "12.1.0.1.4", "CPU", "18522516"); patches["12.1.0.1"]["db"]["win"] = make_array("patch_level", "12.1.0.1.11", "CPU", "19062327"); # RDBMS 11.2.0.3 patches["11.2.0.3"]["db"]["nix"] = make_array("patch_level", "11.2.0.3.11", "CPU", "18681866, 18522512"); patches["11.2.0.3"]["db"]["win32"] = make_array("patch_level", "11.2.0.3.32", "CPU", "18940193"); patches["11.2.0.3"]["db"]["win64"] = make_array("patch_level", "11.2.0.3.32", "CPU", "18940194"); # RDBMS 11.2.0.4 patches["11.2.0.4"]["db"]["nix"] = make_array("patch_level", "11.2.0.4.3", "CPU", "18681862, 18522509"); patches["11.2.0.4"]["db"]["win"] = make_array("patch_level", "11.2.0.4.7", "CPU", "18842982"); check_oracle_database(patches:patches);
References
- http://lists.opensuse.org/opensuse-security-announce/2013-09/msg00000.html
- http://osvdb.org/95264
- http://seclists.org/fulldisclosure/2014/Dec/23
- http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
- http://www.oracle.com/technetwork/topics/security/cpujuly2013-1899826.html
- http://www.securityfocus.com/archive/1/534161/100/0/threaded
- http://www.securitytracker.com/id/1028789
- http://www.vmware.com/security/advisories/VMSA-2014-0012.html
- https://exchange.xforce.ibmcloud.com/vulnerabilities/85650