Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
|
|
|
|
|
|
|
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
|
|
|
|
Become a Partner and License Our Database or Notification Service
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Oracle Database Server Has Multiple Flaws That Let Remote Users Take Control of the Server
|
|
SecurityTracker Alert ID: 1011125
|
|
SecurityTracker URL: http://securitytracker.com/id?1011125
|
|
CVE Reference: CAN-2004-0637
, CAN-2004-0638
(Links to External Site)
|
Updated: Sep 2 2004
|
Original Entry Date: Sep 1 2004
|
Impact: Execution of arbitrary code via local system, Execution of arbitrary code via network, User access via local system, User access via network
|
Fix Available: Yes
Vendor Confirmed: Yes
|
Advisory: AppSecInc, iDEFENSE, NGSSoftware
|
Version(s): 8i, 9i, and 10g; 8.1.7.4, 9.0.1.4, 9.0.1.5, 9.0.4, 9.2.0.4, 9.2.0.5, and 10.1.0.2
|
Description: Multiple vulnerabilities were reported Oracle's Database Server. A remote user can obtain control of the database server.
Numerous buffer overflow vulnerabilities were reported by several different security researchers.
In July 2004, NGSSoftware reported
34 vulnerabilities in Oracle's Database Server and Application Server products, most of which are considered critical. The vulnerabilities
include buffer overflows, PL/SQL injection, trigger abuse, character set conversion errors, and denial of service bugs. Specific
details have not been published. However, NGSSoftware plans to issue details by December 2004.
In August 2004, Application Security,
Inc. separately reported 44 buffer overflow vulnerabilities in the Oracle Database Server. Cesar Cerrudo and Esteban Martinez Fayo
are credited with discovering these overflows. A list of the affected packages and parameters is provided in their advisory, available
at:
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
In September 2004, iDEFENSE reported two vulnerabilities.
A remote authenticated user with execute permissions can invoke the 'ctxsys.driload' package to execute database commands with
administrative privileges [CVE: CAN-2004-0637]. A remote authenticated user can trigger a buffer overflow in the dbms_system.ksdwrt()
function to potentially execute arbitrary code [CVE: CAN-2004-0638]. Users with SYS or SYSTEM roles or with execute permissions
on the dbms_system package can exploit this flaw. The vendor was notified on May 6, 2004.
The iDEFENSE advisories are available
at:
http://www.idefense.com/application/poi/display?id=135&type=vulnerabilities
http://www.idefense.com/application/poi/display?id=136&type=vulnerabilities
With
the vulnerabilities reported by NGSSoftware, AppSecInc, and iDEFENSE, a remote user can gain control of the database server. A
local user can gain control of the database server.
|
Impact: A remote user or a local user can gain control of the database server.
|
Solution: Oracle has issued a fix. Patch information is provided in MetaLink Document ID 281189.1, available at:
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocu
ment?p_database_id=NOT&p_id=281189.1
A fix is available in Oracle Database 10g Release 1, version 10.1.0.3.
|
Vendor URL: www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf (Links to External Site)
|
Cause: Boundary error, Input validation error
|
Underlying OS: Linux (Any), UNIX (AIX), UNIX (HP/UX), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000)
|
|
Message History:
None.
|
Source Message Contents
|
|
|
[Original Message Not Available for Viewing]
|
|
Go to the Top of This SecurityTracker Archive Page
|
