CVE-2007-5561

Format string vulnerability in the logging function in the Oracle OPMN daemon, as used on Oracle Enterprise Grid Console server 10.2.0.1, allows remote attackers to execute arbitrary code via format string specifiers in the URI in an HTTP request to port 6003, aka Oracle reference number 6296175. NOTE: this might be the same issue as CVE-2007-0282 or CVE-2007-0280, but there are insufficient details to be sure.

Weakness

The product uses a function that accepts a format string as an argument, but the format string originates from an external source.

Affected Software

Name	Vendor	Start Version	End Version
Enterprise_grid_console_server	Oracle	10.2.0.1 (including)	10.2.0.1 (including)
Opmn_daemon	Oracle	*	*

Potential Mitigations

https://cwe.mitre.org/data/definitions/135.html
https://cwe.mitre.org/data/definitions/67.html

References

http://www.irmplc.com/index.php/111-Vendor-Alerts
http://www.irmplc.com/index.php/142-Advisory-021
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html
http://www.irmplc.com/index.php/111-Vendor-Alerts
http://www.irmplc.com/index.php/142-Advisory-021
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2007.html

NVD	https://nvd.nist.gov/vuln/detail/CVE-2007-5561
CWE	https://cwe.mitre.org/data/definitions/134.html

Use of Externally-Controlled Format String

Weakness

Affected Software

Potential Mitigations

Related Attack Patterns

References