VIR Vulnerability Intelligence Relay

CVE-2014-6567

critical
Published 2015-01-21 · Modified 2026-05-06
CVSS v3
CVSS v2
9.0
VIR risk
9.0

Description

Unspecified vulnerability in the Core RDBMS component in Oracle Database Server 11.1.0.7, 11.2.0.3, 11.2.0.4, 12.1.0.1, and 12.1.0.2 allows remote authenticated users to affect confidentiality, integrity, and availability via unknown vectors. NOTE: the previous information is from the January 2015 CPU. Oracle has not commented on the researcher's claim that this is a stack-based buffer overflow in DBMS_AW.EXECUTE, which allows code execution via a long Current Directory Alias (CDA) command.

Predictions

Exploit likelihood
20%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

vendor Authored 2026-05-27

Vendor advisory: secalert_us@oracle.com — http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html

vendor Authored 2026-05-27

Vendor advisory: secalert_us@oracle.com — http://www.databaseforensics.com/Oracle_Jan2015_CPU.pdf

Application impact
VendorProductVersionsFixed
oracle oracledatabase_server11.1.0.7
oracle oracledatabase_server11.2.0.3
oracle oracledatabase_server11.2.0.4
oracle oracledatabase_server12.1.0.1
oracle oracledatabase_server12.1.0.2

References

Verify integrity in audit chain (admin only). AS-IS.