Vulnerability Name:

CVE-2008-2613 (CCN-43786)

Assigned: 2008-07-15
Published: 2008-07-15
Updated: 2018-10-11
Summary: Unspecified vulnerability in the Database Scheduler component in Oracle Database 10.2.0.4 and 11.1.0.6 has unknown impact and local attack vectors.
Note: the previous information was obtained from the Oracle July 2008 CPU. Oracle has not commented on reliable researcher claims that this is an untrusted search path issue that allows local users to gain privileges via a malicious (1) libclntsh.so or (2) libnnz10.so library.
CVSS v3 Severity: 7.5 High (CCN CVSS v3.1 Vector: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H)
Exploitability Metrics: Attack Vector (AV): Local
Attack Complexity (AC): High
Privileges Required (PR): Low
User Interaction (UI): Required
Scope: Scope (S): Changed
Impact Metrics: Confidentiality (C): High
Integrity (I): High
Availability (A): High
CVSS v2 Severity: 6.5 Medium (CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P)
4.8 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Partial
Integrity (I): Partial
Availability (A): Partial
6.0 Medium (CCN CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C)
4.5 Medium (CCN Temporal CVSS v2 Vector: AV:L/AC:H/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
Exploitability Metrics: Access Vector (AV): Local
Access Complexity (AC): High
Authentication (Au): Single_Instance
Impact Metrics: Confidentiality (C): Complete
Integrity (I): Complete
Availability (A): Complete
Vulnerability Type: CWE-noinfo
Vulnerability Consequences: Gain Privileges
References:
Source: CCN
Type: Full-Disclosure Mailing List, Sat Jul 19 2008 - 10:08:40 CDT
Oracle Database Local Untrusted Library Path Vulnerability

Source: MITRE
Type: CNA
CVE-2008-1666

Source: MITRE
Type: CNA
CVE-2008-2613

Source: CCN
Type: HP Security Bulletin HPSBMA02133 SSRT061201 rev.9
HP Oracle for OpenView (OfO) Critical Patch Update

Source: HP
Type: UNKNOWN
SSRT061201

Source: IDEFENSE
Type: UNKNOWN
20080715 Oracle Database Local Untrusted Library Path Vulnerability

Source: CCN
Type: SA31087
Oracle Products Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
31087

Source: CCN
Type: SA31113
HP Oracle for OpenView Multiple Vulnerabilities

Source: SECUNIA
Type: Vendor Advisory
31113

Source: CCN
Type: SECTRACK ID: 1020499
Oracle Database Bugs Let Remote Users Access and Modify Data and Cause Denial of Service Conditions and Let Local Users Gain Elevated Privileges

Source: CCN
Type: Oracle Critical Patch Update - July 2008
Oracle Critical Patch Update Advisory - July 2008

Source: CONFIRM
Type: UNKNOWN
http://www.oracle.com/technetwork/topics/security/cpujul2008-090335.html

Source: BUGTRAQ
Type: UNKNOWN
20080719 Oracle Database Local Untrusted Library Path Vulnerability

Source: CCN
Type: BID-30177
Oracle July 2008 Critical Patch Update Multiple Vulnerabilities

Source: SECTRACK
Type: UNKNOWN
1020499

Source: VUPEN
Type: Vendor Advisory
ADV-2008-2109

Source: VUPEN
Type: Vendor Advisory
ADV-2008-2115

Source: XF
Type: UNKNOWN
oracle-scheduler-privilege-escalation(43786)

Source: CCN
Type: iDefense Labs PUBLIC ADVISORY: 07.15.08
Oracle Database Local Untrusted Library Path Vulnerability

Vulnerable Configuration:
Configuration 1:
  • cpe:/a:oracle:database_scheduler:*:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.4:*:*:*:*:*:*:*

Configuration 2:
  • cpe:/a:oracle:database_scheduler:*:*:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:11.1.0.6:*:*:*:*:*:*:*

Configuration CCN 1:
  • cpe:/a:oracle:database_server:10.2.0.2:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:10.2.0.3:r2:*:*:*:*:*:*
  • OR cpe:/a:oracle:database_server:11.1.0.6:*:*:*:*:*:*:*

* Denotes that component is vulnerable
    oracle database scheduler *
    oracle database server 10.2.0.4
    oracle database scheduler *
    oracle database server 11.1.0.6
    oracle database server 10.2.0.2 r2
    oracle database server 10.2.0.3 r2
    oracle database server 11.1.0.6