CVE-2014-6567

Current Description

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command.

Evaluator Description

Per: http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

The CVSS Score is 9.0 only on Windows for Database versions prior to 12c. The CVSS Base Score is 6.5 (Confidentiality, Integrity and Availability are Partial+) for Database 12c on Windows and for all versions of Database on Linux, Unix and other platforms.

Basic Data

Published: January 21, 2015
Last Modified: November 28, 2016
Assigner: cve@mitre.org
Data Type: CVE
Data Format: MITRE
Data Version: 4.0
Problem Type: NVD-CWE-noinfo
CVE Data Version: 4.0

Base Metric V2

CVSS 2 - Version: 2.0
CVSS 2 - Vector String: AV:N/AC:L/Au:S/C:C/I:C/A:C
CVSS 2 - Access Vector: NETWORK
CVSS 2 - Access Complexity: LOW
CVSS 2 - Authentication: SINGLE
CVSS 2 - Confidentiality Impact: COMPLETE
CVSS 2 - Integrity Impact: COMPLETE
CVSS 2 - Availability Impact: COMPLETE
CVSS 2 - Base Score: 9.0
Severity: HIGH
Exploitability Score: 8.0
Impact Score: 10.0
Obtain All Privilege: false
Obtain User Privilege: false
Obtain Other Privilege: false

Base Metric V3

No data provided.

Configurations

  • OR - Configuration 1 (any one of the following CPE 2.3 entries matches)

    CPE Version | Part        | Vendor | Product         | Version  | Update | Edition | Language | SW Edition | Target SW | Target HW | Other
    2.3         | Application | Oracle | Database Server | 11.1.0.7 | *      | *       | *        | *          | *         | *         | *
    2.3         | Application | Oracle | Database Server | 11.2.0.3 | *      | *       | *        | *          | *         | *         | *
    2.3         | Application | Oracle | Database Server | 11.2.0.4 | *      | *       | *        | *          | *         | *         | *
    2.3         | Application | Oracle | Database Server | 12.1.0.1 | *      | *       | *        | *          | *         | *         | *
    2.3         | Application | Oracle | Database Server | 12.1.0.2 | *      | *       | *        | *          | *         | *         | *

    (Version Start Including, Version End Including, Version Start Excluding and Version End Excluding are not set for any entry; "*" means any value.)

Vulnerable Software List

Vendor | Product         | Versions
Oracle | Database Server | 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, 12.1.0.2

References

Name    | Source  | URL                                                                      | Tags
http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf | MISC | http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf | Patch
http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | CONFIRM | http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html | Patch, Vendor Advisory
72134   | BID     | http://www.securityfocus.com/bid/72134                                   | 
1031572 | SECTRACK | http://www.securitytracker.com/id/1031572                               | 