Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> RE: Oracle security vulnerabilities

RE: Oracle security vulnerabilities

From: Maser, Donna (SEA) <DonnaMaser_at_chiroscience.com>
Date: Wed, 29 Nov 2000 15:05:04 -0800
Message-Id: <10695.123264@fatcity.com> 





Well, here is one.



-----Original Message-----


From: X-Force [mailto:xforce_at_iss.net]


Sent: Wednesday, October 25, 2000 9:24 AM
To: alert_at_iss.net


Subject: ISSalert: Internet Security Systems Security Advisory:
Vulnerability in the Oracle Listener Program





TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo_at_iss.net  Contact alert-owner_at_iss.net for help with any problems!





-----BEGIN PGP SIGNED MESSAGE-----


Internet Security Systems Security Advisory
October 25, 2000



Vulnerability in the Oracle Listener Program



Synopsis:


Internet Security Systems (ISS) X-Force has discovered a vulnerability
in the listener program in Oracle Enterprise Server. It is possible for
a remote attacker to gain access to the Oracle owner operating system
account and the Oracle database, and to execute code in various
operating systems.



Affected Products and Releases:


Oracle listener program releases 7.3.4, 8.0.6, and 8.1.6 on all
platforms.



Description:


The Oracle listener program accepts remote commands from remote listener
controllers. If configured properly, a password is required to
authenticate a user before issuing a listener command. The default
Oracle installation does not allow a password for the listener program
to be indicated. If a password has not been set, the Oracle listener
program can be configured to append log information to a file. Due to a
problem with the SET TRC_FILE and SET LOG_FILE commands, these values
can be changed to any file name. This allows an attacker to create a new
file or corrupt an existing file.



The information logged by the listener program can be specified by an
attacker by sending a specially formed connect packet to the listener.
This logged information can be changed to include commands and escape
characters, allowing an attacker to gain access to an operating system
account.



Recommendations:


Oracle recommends that customers download the patches for this
vulnerability from Oracle's Worldwide Support Services website
http://metalink.oracle.com. Customers can reference generic bug number
1361722 filed against the listener program.      



Customers will also find a security alert for this issue on the Oracle
Technology Network at the following URL:
http://otn.oracle.com/deploy/security/alerts.htm



ISS SAFEsuite security assessment software, Database Scanner, currently
determines if a password is indicated for the listener and how strong
the password is. An upcoming release of Database Scanner will be updated
to determine if the Oracle patch has been applied.



Additional Information:


The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2000-0818 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org), which standardizes names for
security problems.



Credits:


This vulnerability was discovered and researched by Ben Layer and Aaron
Newman of Internet Security Systems. ISS would like to thank Oracle for
their response and handling of this vulnerability



About Internet Security Systems (ISS)


Internet Security Systems (ISS) (NASDAQ: ISSX) is the leading global
provider of security management solutions for the Internet. By combining
best of breed products, security management services, aggressive
research and development, and comprehensive educational and consulting
services, ISS is the trusted security advisor for thousands of
organizations around the world looking to protect their mission critical
information and networks.



Copyright (c) 2000 Internet Security Systems, Inc.



Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express
consent of the X-Force. If you wish to reprint the whole or any part of
this Alert in any other medium excluding electronic medium, please
e-mail xforce_at_iss.net for permission.



Disclaimer



The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There
are NO warranties with regard to this information. In no event shall the
author be liable for any damages whatsoever arising out of or in
connection with the use or spread of this information. Any use of this
information is at the user's own risk.



X-Force PGP Key available at: http://xforce.iss.net/sensitive.php as
well as on MIT's PGP key server and PGP.com's key server.



Please send suggestions, updates, and comments to: X-Force
xforce_at_iss.net of Internet Security Systems, Inc.





-----Original Message-----


From: Jim Conboy [mailto:Jim.Conboy_at_trw.com]
Sent: Wednesday, November 29, 2000 6:57 AM
To: Multiple recipients of list ORACLE-L
Subject: RE: Oracle security vulnerabilities




Rachel, I'm not going to pick on any individuals, in fact I commend your
friend for taking the extra effort to send the email. 



BUT..


As an organization, Oracle seems to be dropping the ball.  If there are
newly discovered vulnerabilities, or known ones that perhaps we should
double-check because they've recently gotten more exposure, where is this
information publicized?  I go to Oracle.com and find an article something
like "What's right about Oracle and wrong with the rest of the world" (I'm
not kidding!), but nothing about security alerts.  Its irritating that I now
must rummage thru my bookmarks of security sites to figure out what this guy
is talking about. 



Jim



>>> carmichr_at_hotmail.com 11/28/00 09:26PM >>>

The original of this message was sent internally within Oracle... it was a 
friend of mine who asked that I publicize it.



And he is not on the lists because he is already on several internal Oracle 
email lists and can barely handle the volume of mail he receives as it is.



Let's be fair here.....




>From: Scott.Shafer_at_dcpds.cpms.osd.mil 

>Reply-To: ORACLE-L_at_fatcity.com 

>To: Multiple recipients of list ORACLE-L <ORACLE-L_at_fatcity.com>

>Subject: RE: Oracle security vulnerabilities

>Date: Tue, 28 Nov 2000 08:25:38 -0800

>

>All the boneheads at OSPM have to do is subscribe to the lists in question!

>Larry is getting more and more Bill like every day...

>

>--Scott Shafer

>   San Antonio, TX

>

>PS -- Not directed at you rachel...  ;-)

>



<snip>


-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.com
-- 
Author: Jim Conboy
  INET: Jim.Conboy_at_trw.com

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


The information contained in this email is intended for the
personal and confidential use of the addressee only. It may
also be privileged information. If you are not the intended
recipient then you are hereby notified that you have received
this document in error and that any review, distribution or
copying of this document is strictly prohibited. If you have
received  this communication in error, please notify Celltech
Group immediately on:


Received on Wed Nov 29 2000 - 17:05:04 CST












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US