SecurityTracker.com
Category:   Application (Database)  >   Oracle Database
Vendors:   Oracle
Oracle Database Buffer Overflow in Oracle Net Services Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1006664
SecurityTracker URL:  http://securitytracker.com/id/1006664
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Apr 29 2003
Impact:   User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): Oracle9i Release 2, Oracle9i Release 1, Oracle8i (8.1.x all releases), Oracle8 (8.0.x all releases), and Oracle7 Release 7.3.x
Description:   A buffer overflow vulnerability was reported in the Oracle Database Server. A remote authenticated user can cause denial of service conditions or execute arbitrary code.

The buffer overflow is reported to be in Oracle Net Services for Oracle Database Server. According to the report, a remote authenticated user with the CREATE DATABASE LINK privilege can trigger the flaw.

Oracle credits David Litchfield of Next Generation Security Software Ltd. with reporting this vulnerability.

Impact:   A remote authenticated user can cause denial of service. A remote authenticated user can execute arbitrary code on the database server.
Solution:   Oracle has released patches for 9.2.0.2, 9.0.1.4, 8.1.7.4, and 8.0.6.3 on various affected platforms. See the Oracle alert for a patch availability matrix:

http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

Patches are available at:

http://metalink.oracle.com/

The vendor does not plan to release a patch for 8.0.5.x, 8.1.5.x, 8.1.6.x, or 7.3.x.
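
Because the report names the CREATE DATABASE LINK privilege as the precondition, and some releases will not be patched, an administrator may want to see which accounts hold that privilege. The queries below are an added example, not part of the Oracle alert or the original SecurityTracker entry. They assume a DBA session with access to the standard data dictionary views, and the grantee name in the commented REVOKE is a placeholder.

```sql
-- Added example: exposure audit for the CREATE DATABASE LINK precondition.
-- Uses old-style outer join and CONNECT BY so it also parses on 8i/9i.

-- 1. Confirm the release so it can be compared with the patch matrix.
SELECT banner FROM v$version;

-- 2. Every grantee that holds CREATE DATABASE LINK, either directly or
--    through a chain of roles. The hierarchical branch starts at roles
--    that hold the privilege and walks up to whoever was granted them.
SELECT g.grantee,
       g.grant_path,
       DECODE(u.username, NULL, 'ROLE OR PUBLIC', 'USER') AS grantee_type,
       u.account_status
FROM  (SELECT grantee, 'direct' AS grant_path
       FROM   dba_sys_privs
       WHERE  privilege = 'CREATE DATABASE LINK'
       UNION
       SELECT grantee, 'via role' AS grant_path
       FROM   dba_role_privs
       START WITH granted_role IN
              (SELECT grantee
               FROM   dba_sys_privs
               WHERE  privilege = 'CREATE DATABASE LINK')
       CONNECT BY PRIOR grantee = granted_role) g,
      dba_users u
WHERE  g.grantee = u.username (+)
ORDER  BY grantee_type, g.grantee;

-- 3. Database links that already exist, to judge which of the accounts
--    above actually use the privilege.
SELECT owner, db_link, username, host, created
FROM   dba_db_links
ORDER  BY owner, db_link;

-- 4. Least-privilege follow-up for accounts that do not need to create
--    links. SOME_GRANTEE is a placeholder, not a name from the advisory.
-- REVOKE CREATE DATABASE LINK FROM some_grantee;
```

A grantee of PUBLIC in the second result means every database account holds the privilege. Rows marked 'via role' require revoking the privilege from the role, or the role from the account, rather than a direct revoke.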

Vendor URL:  otn.oracle.com/deploy/security/pdf/2003alert54.pdf
Cause:   Boundary error
Underlying OS:  Linux (Any), OpenVMS, UNIX (AIX), UNIX (HP/UX), UNIX (Open UNIX-SCO), UNIX (Solaris - SunOS), UNIX (Tru64), Windows (NT), Windows (2000), Windows (XP)

Message History:   None.


Source Message Contents

Subject:  Oracle Security Alert 54


http://otn.oracle.com/deploy/security/pdf/2003alert54.pdf

Oracle issued Security Alert 54 warning of a buffer overflow in Oracle Net Services for 
Oracle Database Server.

A remote authenticated user can cause denial of service conditions or cause arbitrary code 
to be executed on the database server.  According to the report, a remote authenticated 
user with the CREATE DATABASE LINK privilege can trigger the flaw.

The following versions are affected:


Patches are available for 9.2.0.2, 9.0.1.4, 8.1.7.4, and 8.0.6.3 on various affected 
platforms.  See the Oracle alert for a patch availability matrix.

The patches listed in the Oracle alert supersede the patches listed in Oracle Security
Alerts 40 and 42 for Oracle Net Services.

Oracle credits David Litchfield of Next Generation Security Software Ltd. with reporting 
this flaw.

Severity: 2



 
 



Copyright 2020, SecurityGlobal.net LLC