CVE-2009-1979 - OpenCVE

Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Complete

Integrity Impact Complete

Availability Impact Complete

AV:N/AC:L/Au:N/C:C/I:C/A:C

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Oracle	Database Server

Configuration 1 [-]

OR	cpe:2.3:a:oracle:database_server:10.1.0.5:::::::*
	cpe:2.3:a:oracle:database_server:10.2.0.4:::::::*

No data.

References

Link	Providers
http://blogs.conus.info/node/28
http://osvdb.org/59110
http://secunia.com/advisories/37027
http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html
http://www.securityfocus.com/archive/1/507598/100/0/threaded
http://www.securityfocus.com/bid/36747
http://www.securitytracker.com/id?1023057
http://www.us-cert.gov/cas/techalerts/TA09-294A.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: oracle

Published: 2009-10-22T18:00:00

Updated: 2024-08-07T05:36:20.587Z

Reserved: 2009-06-08T00:00:00

Link: CVE-2009-1979

Vulnrichment

No data.

NVD

Status : Modified

Published: 2009-10-22T18:30:00.390

Modified: 2018-10-10T19:39:14.193

Link: CVE-2009-1979

Redhat

No data.

{"containers": {"cna": {"affected": [{"product": "n/a", "vendor": "n/a", "versions": [{"status": "affected", "version": "n/a"}]}], "datePublic": "2009-10-20T00:00:00", "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution."}], "problemTypes": [{"descriptions": [{"description": "n/a", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2018-10-10T18:57:01", "orgId": "43595867-4340-4103-b7a2-9a5208d29a85", "shortName": "oracle"}, "references": [{"tags": ["x_refsource_MISC"], "url": "http://blogs.conus.info/node/28"}, {"name": "20091030 CVE-2009-1979 (Oracle RDBMS)", "tags": ["mailing-list", "x_refsource_BUGTRAQ"], "url": "http://www.securityfocus.com/archive/1/507598/100/0/threaded"}, {"name": "37027", "tags": ["third-party-advisory", "x_refsource_SECUNIA"], "url": "http://secunia.com/advisories/37027"}, {"name": "1023057", "tags": ["vdb-entry", "x_refsource_SECTRACK"], "url": "http://www.securitytracker.com/id?1023057"}, {"name": "TA09-294A", "tags": ["third-party-advisory", "x_refsource_CERT"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html"}, {"tags": ["x_refsource_CONFIRM"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html"}, {"name": "36747", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/36747"}, {"name": "59110", "tags": ["vdb-entry", "x_refsource_OSVDB"], "url": "http://osvdb.org/59110"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "secalert_us@oracle.com", "ID": "CVE-2009-1979", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "n/a", "version": {"version_data": [{"version_value": "n/a"}]}}]}, "vendor_name": "n/a"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "n/a"}]}]}, "references": {"reference_data": [{"name": "http://blogs.conus.info/node/28", "refsource": "MISC", "url": "http://blogs.conus.info/node/28"}, {"name": "20091030 CVE-2009-1979 (Oracle RDBMS)", "refsource": "BUGTRAQ", "url": "http://www.securityfocus.com/archive/1/507598/100/0/threaded"}, {"name": "37027", "refsource": "SECUNIA", "url": "http://secunia.com/advisories/37027"}, {"name": "1023057", "refsource": "SECTRACK", "url": "http://www.securitytracker.com/id?1023057"}, {"name": "TA09-294A", "refsource": "CERT", "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html"}, {"name": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html", "refsource": "CONFIRM", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html"}, {"name": "36747", "refsource": "BID", "url": "http://www.securityfocus.com/bid/36747"}, {"name": "59110", "refsource": "OSVDB", "url": "http://osvdb.org/59110"}]}}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-07T05:36:20.587Z"}, "title": "CVE Program Container", "references": [{"tags": ["x_refsource_MISC", "x_transferred"], "url": "http://blogs.conus.info/node/28"}, {"name": "20091030 CVE-2009-1979 (Oracle RDBMS)", "tags": ["mailing-list", "x_refsource_BUGTRAQ", "x_transferred"], "url": "http://www.securityfocus.com/archive/1/507598/100/0/threaded"}, {"name": "37027", "tags": ["third-party-advisory", "x_refsource_SECUNIA", "x_transferred"], "url": "http://secunia.com/advisories/37027"}, {"name": "1023057", "tags": ["vdb-entry", "x_refsource_SECTRACK", "x_transferred"], "url": "http://www.securitytracker.com/id?1023057"}, {"name": "TA09-294A", "tags": ["third-party-advisory", "x_refsource_CERT", "x_transferred"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html"}, {"tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html"}, {"name": "36747", "tags": ["vdb-entry", "x_refsource_BID", "x_transferred"], "url": "http://www.securityfocus.com/bid/36747"}, {"name": "59110", "tags": ["vdb-entry", "x_refsource_OSVDB", "x_transferred"], "url": "http://osvdb.org/59110"}]}]}, "cveMetadata": {"assignerOrgId": "43595867-4340-4103-b7a2-9a5208d29a85", "assignerShortName": "oracle", "cveId": "CVE-2009-1979", "datePublished": "2009-10-22T18:00:00", "dateReserved": "2009-06-08T00:00:00", "dateUpdated": "2024-08-07T05:36:20.587Z", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:oracle:database_server:10.1.0.5:*:*:*:*:*:*:*", "matchCriteriaId": "03A522A3-07D7-481F-A538-EA3D13256F63", "vulnerable": true}, {"criteria": "cpe:2.3:a:oracle:database_server:10.2.0.4:*:*:*:*:*:*:*", "matchCriteriaId": "E4AC251D-9313-4A54-9623-51DC0AEC46FC", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Unspecified vulnerability in the Network Authentication component in Oracle Database 10.1.0.5 and 10.2.0.4 allows remote attackers to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information was obtained from the October 2009 CPU. Oracle has not commented on claims from an independent researcher that this is related to improper validation of the AUTH_SESSKEY parameter length that leads to arbitrary code execution."}, {"lang": "es", "value": "Vulnerabilidad no especificada en el componente Network Authentication en Oracle Database v10.1.0.5 y v10.2.0.4 permite a atacantes remotos afectar la confidencialidad, integridad y disponibilidad a trav\u00e9s de vectores no conocidos."}], "evaluatorImpact": "Per: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2009.html\r\n\r\n# The CVSS Base Score is 10.0 only for Windows. For Linux, Unix and other platforms, the CVSS Base Score is 7.5, and the impacts for Confidentiality, Integrity and Availability are Partial+.", "id": "CVE-2009-1979", "lastModified": "2018-10-10T19:39:14.193", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "COMPLETE", "baseScore": 10.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}]}, "published": "2009-10-22T18:30:00.390", "references": [{"source": "secalert_us@oracle.com", "url": "http://blogs.conus.info/node/28"}, {"source": "secalert_us@oracle.com", "url": "http://osvdb.org/59110"}, {"source": "secalert_us@oracle.com", "url": "http://secunia.com/advisories/37027"}, {"source": "secalert_us@oracle.com", "url": "http://www.oracle.com/technetwork/topics/security/cpuoct2009-096303.html"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/archive/1/507598/100/0/threaded"}, {"source": "secalert_us@oracle.com", "url": "http://www.securityfocus.com/bid/36747"}, {"source": "secalert_us@oracle.com", "url": "http://www.securitytracker.com/id?1023057"}, {"source": "secalert_us@oracle.com", "tags": ["US Government Resource"], "url": "http://www.us-cert.gov/cas/techalerts/TA09-294A.html"}], "sourceIdentifier": "secalert_us@oracle.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}