A vulnerability in Oracle 9i Application Server could allow attackers to use SQL injection attacks to steal sensitive information from vulnerable systems.
The flaw is caused by an input validation error in the portal component when user input is supplied to the Oracle 9i Application Server data dictionary tables. It is found in Oracle 9i Application Server Portal Release 1, v188.8.131.52.5 and prior versions, as well as Oracle 9i Application Server Portal Release 2, v184.108.40.206.0 and prior versions. Version 220.127.116.11 and later are not vulnerable.
Exploiting the vulnerability isn't easy. An attacker could gain unauthorized access to data on the application server by injecting a SQL script through a URL. More specifically, it requires sending SQL queries to the data dictionary tables on the application server.
A SQL injection attack through the Internet is likely if the required conditions listed above are met, according to Oracle. The vulnerability could also be exploited through a corporate Intranet.
Patches have been released for v18.104.22.168.0 and v22.214.171.124.5. These are available at Oracle's Metalink site.
FOR MORE INFORMATION: