Intrusion Prevention

Oracle.Database.SUBSCRIPTION_NAME.SQL.Injection

Description

This indicates an attack attempt to exploit a SQL injection vulnerability in
Oracle Database Server.
The vulnerability is a result of the application's failure to properly sanitize user input before using it in a SQL query. As a result, a remote attacker can send a crafted query to execute SQL commands on a vulnerable server.

Affected Products

Oracle Oracle10g Standard Edition 10.1 .0.4
Oracle Oracle10g Standard Edition 10.1 .0.3.1
Oracle Oracle10g Standard Edition 10.1 .0.3
Oracle Oracle10g Standard Edition 10.1 .0.2
Oracle Oracle10g Standard Edition 9.0.4 .0
Oracle Oracle10g Personal Edition 10.1 .0.4
Oracle Oracle10g Personal Edition 10.1 .0.3.1
Oracle Oracle10g Personal Edition 10.1 .0.3
Oracle Oracle10g Personal Edition 10.1 .0.2
Oracle Oracle10g Personal Edition 9.0.4 .0
Oracle Oracle10g Enterprise Edition 10.1 .0.4
Oracle Oracle10g Enterprise Edition 10.1 .0.3.1
Oracle Oracle10g Enterprise Edition 10.1 .0.3
Oracle Oracle10g Enterprise Edition 10.1 .0.2
Oracle Oracle10g Enterprise Edition 9.0.4 .0
Oracle Oracle10g Application Server 10.1.2
Oracle Oracle10g Application Server 10.1 .0.3.1
Oracle Oracle10g Application Server 10.1 .0.3
Oracle Oracle10g Application Server 10.1 .0.2
Oracle Oracle10g Application Server 9.0.4 .1
Oracle Oracle10g Application Server 9.0.4 .0

Impact

System Comprise:Remote attackers can execute arbitrary sql commands.

Recommended Actions

Apply Oracle Critical Patch Update April 2005.
http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf

CVE References

CVE-2005-4832