| Vulnerability Name: | CVE-2014-6567 (CCN-100065) | ||||||||
| Assigned: | 2014-09-17 | ||||||||
| Published: | 2015-01-20 | ||||||||
| Updated: | 2016-11-28 | ||||||||
| Summary: | Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. Note: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command. Per: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html The CVSS Score is 9.0 only on Windows for Database versions prior to 12c. The CVSS Base Score is 6.5 (Confidentiality, Integrity and Availability are Partial+) for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms. | ||||||||
| CVSS v3 Severity: | 9.0 Critical (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H)
| ||||||||
| CVSS v2 Severity: | 9.0 High (CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C) 6.7 Medium (Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
6.7 Medium (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C/E:U/RL:OF/RC:C)
| ||||||||
| Vulnerability Type: | CWE-noinfo | ||||||||
| Vulnerability Consequences: | Gain Privileges | ||||||||
| References: | Source: MITRE Type: CNA CVE-2014-6567 Source: MISC Type: Patch http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf Source: CCN Type: IBM Security Bulletin 1883820 IBM OpenPages Platform with Database vulnerabilities Source: CCN Type: Oracle Critical Patch Update Advisory - January 2015 Oracle Critical Patch Update Advisory - January 2015 Source: CONFIRM Type: Patch, Vendor Advisory http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html Source: BID Type: UNKNOWN 72134 Source: CCN Type: BID-72134 Oracle Database Server CVE-2014-6567 Remote Security Vulnerability Source: SECTRACK Type: UNKNOWN 1031572 Source: XF Type: UNKNOWN oracle-cpujan2015-cve20146567(100065) | ||||||||
| Vulnerable Configuration: | Configuration 1: Configuration CCN 1:  Denotes that component is vulnerable | ||||||||
| BACK | |||||||||