Advisory Details

January 18th, 2011

Oracle Real User Experience Insight rsynclogdird SQL Injection Vulnerability

ZDI-11-016
ZDI-CAN-690

CVE ID CVE-2010-3594
CVSS SCORE 9 (AV:N/AC:L/Au:N/C:P/I:P/A:C)
AFFECTED VENDORS Oracle
AFFECTED PRODUCTS Real User Experience Insight
TIPPINGPOINT™ IPS CUSTOMER PROTECTION TippingPoint IPS customers are protected against this vulnerability by Digital Vaccine protection filter ID 9563. For further product information on the TippingPoint IPS: http://www.tippingpoint.com
VULNERABILITY DETAILS

This vulnerability allows remote attackers to inject arbitrary SQL on vulnerable installations of Oracle Real User Experience Insight. Authentication is not required to exploit this vulnerability.

The specific flaw exists within the portion of the application that parses log files. Because the component escapes characters improperly when inserting log data into a UTF-8 database, an attacker can inject a quote character into a log field and supply arbitrary SQL statements.
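The pattern the advisory describes (parsed log data spliced into SQL text and protected only by an escaping routine) beside the hardened, parameterised form, as an added example that is not ZDI's or Oracle's code: the log line format, the table and column names and the use of Python's sqlite3 in place of the product's database are assumptions for illustration.

```python
import re
import sqlite3
# Constructed sample access-log lines in a simple "client=<host> path=<url>"
# format; an assumption for this example, not RUEI's actual log format.
SAMPLE_LOG = [
    "client=203.0.113.10 path=/index.html",
    "client=198.51.100.7 path=/search?q=O'Brien",   # field containing a quote
    "client=192.0.2.44 path=/über/straße",          # non-ASCII UTF-8 field
]
LINE_RE = re.compile(r"^client=(?P<client>\S+) path=(?P<path>\S+)$")

def parse_line(line):
    """Split one log line into (client, path); reject malformed input."""
    m = LINE_RE.match(line)
    if m is None:
        raise ValueError(f"unparseable log line: {line!r}")
    return m.group("client"), m.group("path")

def build_insert_unsafe(client, path):
    """Weak pattern: parsed log data spliced into the SQL text. Any escaping
    bolted on here must be exactly right for the database's charset."""
    return f"INSERT INTO hits (client, path) VALUES ('{client}', '{path}')"

def unsafe_statement_is_valid(client, path):
    """True if the concatenated statement still parses as a single INSERT."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (client TEXT, path TEXT)")
    try:
        conn.execute(build_insert_unsafe(client, path))
        return True
    except sqlite3.Error:      # a quote in the data broke the statement
        return False
    finally:
        conn.close()

def ingest(lines=SAMPLE_LOG):
    """Hardened path: parameterised INSERT, so log data never reaches the
    SQL text and quotes or multibyte characters are stored verbatim."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE hits (client TEXT, path TEXT)")
    conn.executemany("INSERT INTO hits (client, path) VALUES (?, ?)",
                     (parse_line(line) for line in lines))
    rows = conn.execute("SELECT client, path FROM hits ORDER BY rowid").fetchall()
    conn.close()
    return rows

if __name__ == "__main__":
    for row in ingest():
        print(row)
    print(unsafe_statement_is_valid(*parse_line(SAMPLE_LOG[1])))  # False
```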

VENDOR RESPONSE Oracle has issued an update to correct this vulnerability. More details can be found at:
http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html
DISCLOSURE TIMELINE
  • 2010-02-02 - Vulnerability reported to vendor
  • 2011-01-18 - Coordinated public release of advisory
CREDIT 1c239c43f521145fa8385d64a9c32243