Intrusion Prevention

Oracle.MDSYS.SDO_LRS.Package.SQL.Injection

Description

This indicates a possible exploit of an SQL injection vulnerability in Oracle Database products. The vulnerability can be triggered by a crafted call to the convert_to_lrs_layer function of the MDSYS.SDO_LRS package.

Affected Products

Oracle Pharmaceutical Applications
Oracle PeopleSoft Enterprise Tools
Oracle PeopleSoft Enterprise Portal
Oracle PeopleSoft Enterprise PeopleTools
Oracle Oracle9i Standard Edition
Oracle Oracle9i Enterprise Edition
Oracle Oracle9i Application Server
Oracle Oracle8i Standard Edition
Oracle Oracle8i Enterprise Edition
Oracle Oracle10g Standard Edition
Oracle Oracle10g Enterprise Edition
Oracle Oracle10g Application Server
Oracle OneWorld Tools SP23
Oracle JD Edwards EnterpriseOne
Oracle HTML DB
Oracle E-Business Suite
Oracle Developer Suite
Oracle Collaboration Suite Release
Oracle Application Server Release

Impact

SQL injection

Recommended Actions

Please refer to the following updates or patches:
Oracle HTML DB 1.5
Oracle apex_2.2.1.zip
http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn/java/appexpress/apex_2.2.1.zip
Oracle HTML DB 1.6.1
Oracle apex_2.2.1.zip
http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn/java/appexpress/apex_2.2.1.zip
Oracle HTML DB 2.0
Oracle apex_2.2.1.zip
http://www.oracle.com/technology/software/htdocs/devlic.html?url=http://download.oracle.com/otn/java/appexpress/apex_2.2.1.zip

CVE References

CVE-2006-5340