Update Protection against Oracle Database Server CREATE_TABLES SQL Injection Vulnerability
| Check Point Reference: | CPAI-2009-297 |
| Date Published: | |
| Severity: | |
| Source: | Secunia Advisory: SA37027 |
| Industry Reference(s): | CVE-2009-1991 |
| Protection Provided by: | Security Gateway |
Who is Vulnerable?
Oracle Database 9i Release 2 9.2.0.8DV
Oracle Database 9i Release 2 9.2.0.8
Oracle Database 10g 10.1.0.5
Oracle Database 10g Release 2 10.2.0.4
Vulnerability Description
An SQL injection vulnerability has been reported in Oracle Database server. The Oracle Database server is an enterprise-level relational database application suite. A remote attacker may exploit this vulnerability to execute malicious SQL commands on a vulnerable system.
Update/Patch Available
Apply patches: Oracle Critical Patch Update Advisory - October 2009
Vulnerability Details
The vulnerability is due to an input validation error in the Oracle Database server CREATE_TABLES function. A remote attacker can exploit this issue by sending malicious packets to the target server. Successful exploitation of this vulnerability would allow the attacker to inject and execute malicious SQL commands remotely.
Protection Overview
This protection will detect and block Oracle traffic with the vulnerable CREATE_TABLES function.
In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
Oracle Critical Patch Update Advisory - October 2009