CVE-2014-6567

21.01.2015, 15:28

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors.  NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	9 UNKNOWN	NETWORK	LOW		AV:N/AC:L/Au:S/C:C/I:C/A:C

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Affected Products (NVD)

Vendor	Product	Version
oracle	database_server	11.1.0.7
oracle	database_server	11.2.0.3
oracle	database_server	11.2.0.4
oracle	database_server	12.1.0.1
oracle	database_server	12.1.0.2

𝑥

= Vulnerable software versions

References

http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.securityfocus.com/bid/72134

http://www.securitytracker.com/id/1031572

http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf

http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

http://www.securityfocus.com/bid/72134

http://www.securitytracker.com/id/1031572