Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 


RE: ISSalert: Internet Security Systems Security Advisory: Vulner

From: Adams, Matthew (GEA, 088130) <MATT.ADAMS_at_APPL.GE.COM>
Date: Wed, 25 Oct 2000 15:50:55 -0400
Message-Id: <10660.120211@fatcity.com>


Unfortunately, the bug number in question (1361722) returns no hits using a bug search on MetaLink.



R. Matt Adams - GE Appliances - matt.adams_at_appl.ge.com

      No electrons were harmed in the making of this e-mail.

> -----Original Message-----
> From: Gupta, Rakesh [mailto:Rakesh_Gupta_at_mail.ci.baltimore.md.us]
> Sent: Wednesday, October 25, 2000 4:07 PM
> To: Multiple recipients of list ORACLE-L
> Subject: ISSalert: Internet Security Systems Security Advisory:
> Vulnerabil
>
>
> Just wondering if anyone has downloaded the patch and fixed
> this problem..
>
> Rakesh
>
> -----Original Message-----
> Sent: Wednesday, October 25, 2000 12:24 PM
> To: alert_at_iss.net
> Vulnerability in the Oracle Listener Program
>
> Internet Security Systems Security Advisory
> October 25, 2000
>
> Vulnerability in the Oracle Listener Program
>
> Synopsis:
> Internet Security Systems (ISS) X-Force has discovered a vulnerability in the listener program in Oracle Enterprise Server. It is possible for a remote attacker to gain access to the Oracle owner operating system account and the Oracle database, and to execute code in various operating systems.
>
> Affected Products and Releases:
> Oracle listener program releases 7.3.4, 8.0.6, and 8.1.6 on all platforms.
>
> Description:
> The Oracle listener program accepts remote commands from remote listener controllers. If configured properly, a password is required to authenticate a user before issuing a listener command. The default Oracle installation does not allow a password for the listener program to be indicated. If a password has not been set, the Oracle listener program can be configured to append log information to a file. Due to a problem with the SET TRC_FILE and SET LOG_FILE commands, these values can be changed to any file name. This allows an attacker to create a new file or corrupt an existing file.
>
> The information logged by the listener program can be specified by an
> attacker by sending a specially formed connect packet to the listener.
> This logged information can be changed to include commands and escape
> characters, allowing an attacker to gain access to an operating system
> account.
>
> Recommendations:
> Oracle recommends that customers download the patches for this
> vulnerability from Oracle's Worldwide Support Services website
> http://metalink.oracle.com. Customers can reference generic bug number
> 1361722 filed against the listener program.
>
> Customers will also find a security alert for this issue on the Oracle
> Technology Network at the following URL:
> http://otn.oracle.com/deploy/security/alerts.htm
>
> ISS SAFEsuite security assessment software, Database Scanner, currently determines if a password is indicated for the listener and how strong the password is. An upcoming release of Database Scanner will be updated to determine if the Oracle patch has been applied.
>
> Additional Information:
> The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2000-0818 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems.
>
> Credits:
> This vulnerability was discovered and researched by Ben Layer and Aaron Newman of Internet Security Systems. ISS would like to thank Oracle for their response and handling of this vulnerability.
>
> About Internet Security Systems (ISS)
> Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global provider of security management solutions for the Internet. By combining best of breed products, security management services, aggressive research and development, and comprehensive educational and consulting services, ISS is the trusted security advisor for thousands of organizations around the world looking to protect their mission critical information and networks.
>
> Copyright (c) 2000 Internet Security Systems, Inc.
>
> Permission is hereby granted for the redistribution of this Alert electronically. It is not to be edited in any way without express consent of the X-Force. If you wish to reprint the whole or any part of this Alert in any other medium excluding electronic medium, please e-mail xforce_at_iss.net for permission.
>
> Disclaimer
>
> The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
>
> X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
> well as on MIT's PGP key server and PGP.com's key server.
>
> Please send suggestions, updates, and comments to: X-Force
> xforce_at_iss.net of Internet Security Systems, Inc.
>
>
>
>
>
>
> --
> Please see the official ORACLE-L FAQ: http://www.orafaq.com
> --
> Author: Gupta, Rakesh
> INET: Rakesh_Gupta_at_mail.ci.baltimore.md.us
>
> Fat City Network Services -- (858) 538-5051 FAX: (858) 538-5051
> San Diego, California -- Public Internet access / Mailing Lists
> --------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
> the message BODY, include a line containing: UNSUB ORACLE-L
Received on Wed Oct 25 2000 - 14:50:55 CDT
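The advisory's core point is that an unprotected listener accepts SET LOG_FILE / SET TRC_FILE from anyone who can reach it, so the first thing a DBA should confirm is whether each listener in listener.ora actually has a password. The script below is an added example, not code from ISS, Oracle or the list members: it parses a constructed listener.ora and flags any listener that lacks a PASSWORDS_<name> entry or ADMIN_RESTRICTIONS_<name> = ON (the latter parameter refuses runtime SET commands; its availability on the 7.3 and 8.0 listeners named in the advisory is an assumption). The hostnames and the password hash in the sample are constructed.

```python
import re
# Constructed sample listener.ora (not from the advisory): LISTENER has no
# password and no admin restriction; LSNR_SECURE has both.
SAMPLE_LISTENER_ORA = """LISTENER =
  (DESCRIPTION_LIST = (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1521))))
SID_LIST_LISTENER =
  (SID_LIST = (SID_DESC = (SID_NAME = ORCL)(ORACLE_HOME = /u01/app/oracle)))
LSNR_SECURE =
  (DESCRIPTION = (ADDRESS = (PROTOCOL = TCP)(HOST = dbhost.example)(PORT = 1526)))
PASSWORDS_LSNR_SECURE = (4b3a9e0f2c1d8a7b)
ADMIN_RESTRICTIONS_LSNR_SECURE = ON
"""

def top_level_entries(text):
    """Top-level 'KEY = value' pairs; a new key is only accepted at paren depth 0."""
    entries, key, buf, depth = {}, None, [], 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments, whitespace
        if not line:
            continue
        m = re.match(r"^(\w+)\s*=\s*(.*)$", line) if depth == 0 else None
        if m:                                        # start of a new entry
            if key is not None:
                entries[key] = " ".join(buf).strip()
            key, buf = m.group(1).upper(), [m.group(2)]
            depth = m.group(2).count("(") - m.group(2).count(")")
        else:                                        # continuation of a value
            buf.append(line)
            depth += line.count("(") - line.count(")")
    if key is not None:
        entries[key] = " ".join(buf).strip()
    return entries

def listener_names(entries):
    """Listener definitions carry an (ADDRESS ...) clause; PASSWORDS_x etc. do not."""
    return sorted(k for k, v in entries.items()
                  if "(ADDRESS" in re.sub(r"\s+", "", v).upper())

def audit(text):
    """Map each listener to its findings; an empty list means nothing to report."""
    entries, report = top_level_entries(text), {}
    for name in listener_names(entries):
        findings = []
        if "PASSWORDS_" + name not in entries:
            findings.append("no listener password set")
        if entries.get("ADMIN_RESTRICTIONS_" + name, "").upper() != "ON":
            findings.append("runtime SET commands not restricted")
        report[name] = findings
    return report
```

Run `audit(open("listener.ora").read())` against a real file; a listener reported with "no listener password set" is the configuration the advisory describes as exposed.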

