• News
• Infocus
• Foundations
• Microsoft
• Unix
• IDS
• Incidents
• Virus
• Pen-Test
• Firewalls
• Columnists
• Mailing Lists
• Newsletters
• Bugtraq
• Focus on IDS
• Focus on Linux
• Focus on Microsoft
• Forensics
• Pen-test
• Security Basics
• Vuln Dev
• Vulnerabilities
• Jobs
• Job Opportunities
• Resumes
• Job Seekers
• Employers
• Tools
• RSS
• News
• Vulns
• Security Research

• info
• discussion
• exploit
• solution
• references

Oracle 10g Database SUBSCRIPTION_NAME Remote SQL Injection Vulnerability

Solution:
Oracle has released a Critical Patch Update (Critical Patch Update - April 2005) to address these issues. Information regarding obtaining and applying an appropriate patch can be found in the Oracle Critical Patch Update (see the references).

Pre-Installation Notes for Oracle Database Server can be found at the following location:

http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=301045.1

Reports indicate that the patch supplied with 'Oracle Critical Patch Update - April 2005' to address this issue is not effective against systems prior to patchset 2 including Oracle10g versions 10.1.0.2 and 10.1.0.3. The patch reportedly works properly for Oracle10g 10.1.0.4 systems. Note that Symantec has not verified this information.