In-Depth Research, Timely Responsible Notifications
The nature of the IT security business requires us to remain one step ahead of malicious users. Our continual vigilance and timely dissemination of security information mitigates the damage from database and application threats and vulnerabilities. We at the Imperva Application Defense Center are intent on building the most advanced application and database security knowledge base in the world by discovering database vulnerabilities before they're exploited.
In order to bring you these published Security Advisories, we conduct in-depth research in our labs, draw on real-world experience, and leverage publicly available information. Each day, we strive to uncover new attack and defense techniques and new application, platform, and database vulnerabilities. When we find a database or application security issue, we notify the vendor in line with responsible-disclosure guidelines and then publish the Advisory. Our ultimate goal is to provide you with accurate, timely information so that you know the steps you need to take to secure your applications and databases and protect confidential data.
Benefit to SecureSphere Customers
Imperva customers benefit from our research through updates to SecureSphere delivered by automated ADC Security Updates as well as ADC Insight Services. With Imperva, you are protected against the latest security threats, often well ahead of the patches released by the application and database vendors themselves.
ADC Security Advisories
The following are currently published ADC Security Advisories. Periodically check this page to locate newly published Advisories.
Oracle DBMS – Access Control Bypass with Direct Path Export
This security advisory discusses an access control bypass vulnerability that was discovered by Imperva.
Oracle EBS – XSS Vulnerability
This security advisory discusses a cross-site scripting vulnerability in Oracle E-Business Suite that was discovered by Imperva and is addressed in Oracle’s July 2007 Critical Patch Update.
Web 2.0, AJAX and Client Security Logic
An illustration of the problems created by Web 2.0 development frameworks such as AJAX that place increasing emphasis on client-side browser code (JavaScript, etc.) as a mechanism for enforcing security logic.
DB2 RDBMS - Critical Denial of Service Vulnerability in Database Communication Protocol
Illustrates the need for validation of database communication protocols in database security products.
DB2 DBMS - Critical Buffer Overrun Vulnerability
An illustration of the risk of depending on database vendor patches for database security.
Oracle DBMS - Critical Patch Update 04/18/06
This security advisory discusses the database vulnerabilities in Oracle's April 2006 CPU and offers some available workarounds.
Oracle DBMS - Critical Access Control Bypass in Login Bug
An illustration of the risk of depending on database vendor patches for database security.
Microsoft SQL Server Audit Bug
An illustration of the problems created when relying on a database server to audit itself.
Arbitrary File Access and Denial of Service Vulnerabilities in Business Objects’ Crystal Report Web Delivery Modules
Crystal Reports modules which deliver image files through the web are vulnerable in a way that can be exploited for arbitrary file access and denial of service.
Incorrect Handling of Cross Site Scripting Protection in ASP.Net
The ASP.Net request validation feature has an implementation flaw which allows an attacker to easily bypass the content restrictions, possibly exposing the application to cross site scripting and script injection attacks.
ADC Security Responses
When Imperva SecureSphere is named in a vulnerability alert, such as one issued by US-CERT, the ADC publishes a Security Response to that alert. Check this page to locate newly published Responses.
Imperva Security Response for VU#739224
The U.S. Computer Emergency Readiness Team (US-CERT) has reported a Web attack evasion technique in which full-width and half-width Unicode forms are substituted for ASCII characters in HTTP requests, so that IDS/IPS/WAF products inspecting the request fail to recognize an attack that the target web server still decodes and interprets as intended.
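The check a practitioner would want against this class of evasion is to normalize character width on a copy of the decoded request before running signatures over it. The following is an added illustration, not Imperva's code nor anything from the US-CERT note: the signature, the two sample query strings and the function names are all constructed for the example. It shows a naive matcher missing a `<script>` tag written in full-width letters, and the same matcher catching it once the percent-decoded text has been NFKC-normalized.

```python
"""Width-normalizing an HTTP query string before signature inspection.

Constructed example: a naive matcher that inspects only the percent-decoded
request misses a <script> tag written with full-width Unicode letters, while
the same matcher applied after NFKC normalization catches it.
"""
import re
import unicodedata
from urllib.parse import quote, unquote

# Illustrative signature only (assumption); a real engine carries many rules.
SCRIPT_TAG = re.compile(r"<\s*script", re.IGNORECASE)


def percent_decode(raw_query: str) -> str:
    """Percent-decode as UTF-8 so a multibyte sequence such as %EF%BC%9C
    becomes the single code point U+FF1C (FULLWIDTH LESS-THAN SIGN)."""
    return unquote(raw_query, encoding="utf-8", errors="replace")


def normalize_width(text: str) -> str:
    """NFKC compatibility normalization folds full-width ASCII variants
    (U+FF01..U+FF5E) to plain ASCII and half-width katakana to their
    full-width forms. The evasion relies on the target server performing
    this kind of folding while the inspection engine does not."""
    return unicodedata.normalize("NFKC", text)


def naive_inspect(raw_query: str) -> bool:
    """Inspect only the percent-decoded text, as a naive engine would."""
    return bool(SCRIPT_TAG.search(percent_decode(raw_query)))


def normalized_inspect(raw_query: str) -> bool:
    """Decode, normalize width, then inspect. The normalized copy is used for
    inspection only; the original request is what gets forwarded."""
    return bool(SCRIPT_TAG.search(normalize_width(percent_decode(raw_query))))


def folded_code_points(text: str) -> list[tuple[str, str]]:
    """Report which characters NFKC changed, useful for alert enrichment."""
    return [(ch, unicodedata.normalize("NFKC", ch))
            for ch in text if unicodedata.normalize("NFKC", ch) != ch]


# Constructed sample requests (not captured traffic).
PLAIN_QUERY = "q=" + quote("<script>alert(1)</script>")
FULLWIDTH_QUERY = "q=" + quote("＜ｓｃｒｉｐｔ＞alert(1)＜/ｓｃｒｉｐｔ＞")


def inspect_samples() -> dict[str, tuple[bool, bool]]:
    """Return {label: (naive_result, normalized_result)} for both samples."""
    return {
        "plain": (naive_inspect(PLAIN_QUERY), normalized_inspect(PLAIN_QUERY)),
        "fullwidth": (naive_inspect(FULLWIDTH_QUERY),
                      normalized_inspect(FULLWIDTH_QUERY)),
    }


if __name__ == "__main__":
    for label, (naive, normalized) in inspect_samples().items():
        print(f"{label:10s} naive={naive!s:5s} normalized={normalized}")
    decoded = percent_decode(FULLWIDTH_QUERY)
    for original, folded in folded_code_points(decoded):
        print(f"U+{ord(original):04X} -> {folded!r}")
```

Two caveats apply. Normalization has to mirror what the protected server actually does: folding more aggressively than the backend produces false positives, folding less leaves the gap open, so the canonicalization step should be configured per protected application rather than assumed. And NFKC only addresses width variants; overlong UTF-8 sequences, double percent-encoding and server-specific decoders are separate canonicalization problems that this single step does not solve.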
Upcoming Security Alerts
| Vendor | Report date (DD/MM/YYYY) | Vendor code | Versions affected | Severity |
|---|---|---|---|---|
| IBM | 17/01/2007 | | Informix IDS 10UC6 and earlier | High |
| IBM | 02/08/2007 | | Informix IDS 10TC3 | High |
| IBM | 25/02/2007 | | Informix IDS 11 and earlier | Critical |
| IBM | 25/02/2007 | | Informix IDS 10 TC5 | Low |
| Oracle | 14/06/2007 | 10097059 | EBS 11.x | Low |
| Oracle | 13/12/2005 | 6768557 | Oracle 10.2 and earlier | Medium |
| Oracle | 20/12/2005 | 6808279 | Oracle 10.2 and earlier | High |
| Oracle | 20/09/2006 | 8645119 | Oracle 10.2 and earlier | Medium |
| Oracle | 31/07/2007 | 10404365 | Oracle EBS all versions | Medium |
| Oracle | 31/05/2007 | 9909517 | Oracle EBS all versions | Medium |
| Oracle | 31/05/2007 | 9909589 | Oracle EBS all versions | Low |
| DWR | 07/11/2007 | | DWR 2.0.1 and earlier | High |