Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> security alert #45

security alert #45

From: Ray Stell <stellr_at_cns.vt.edu>
Date: Mon, 14 Oct 2002 11:28:43 -0800
Message-ID: <F001.004E8512.20021014112843@fatcity.com> 







http://metalink.oracle.com/metalink/plsql/showDoc?db=NEW&id=215900.996



Oracle Security Alert #45


Dated: 04 October 2002 (Updated: 10 October 2002)
Severity: 1



Security Release of Apache 1.3.27



Description


Apache has released version 1.3.27 of its HTTP Server that contains fixes for the security vulnerabilities noted below and described at http://cve.mitre.org.  The vulnerabilities that affect all of the supported versions of the Oracle HTTP Server (OHS) are:


CAN-2002-0839: This is a security vulnerability involving System V shared memory based scoreboards.  It can only occur on Oracle Linux and HP ports. Exploitation of this vulnerability requires that a malicious and knowledgeable user be able to run his programs on the server web site.  As a few commercial web sites allow this, the vulnerability applies to few sites. If a malicious and knowledgeable user is able to run his own programs, the web site has more serious, unrelated security issues than the exploit of this vulnerability. 
CAN-2002-0840: This is a cross-site scripting vulnerability involving the default error 404 pages.  It can occur on all Oracle database platforms.  Exploitation of this vulnerability requires the use of wildcard DNS and the setting of UseCanonicalNames = OFF. 
CAN-2002-0843: There were potential buffer overflows in Apache Bench (ab) that could be exploited by a malicious server.   Note that 'ab' is not in Apache itself but is an HTTP client utility used for generating load for performance testing.  This vulnerability only occurs when the 'ab' load generating HTTP client, used for performance testing, is used against a malicious HTTP server. 


These security vulnerabilities are described in more detail at http://cve.mitre.org/



Product afftected


OHS in Oracle Database Releases 8.1.7.x, 9.0.1.x and 9.2.x
OHS in Oracle9i Application Server Releases 1.0.2.x and 9.0.2.x



Platforms affected


All except as noted in item #1 in the Description above.




Ray Stell   stellr_at_vt.edu     (540) 231-4109     KE4TJC    28^D


-- 



Please see the official ORACLE-L FAQ: http://www.orafaq.com


-- 



Author: Ray Stell


  INET: stellr_at_cns.vt.edu


Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------


To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Mon Oct 14 2002 - 14:28:43 CDT












Original text of this message













  HOME |
  ASK QUESTION |
  ADD INFO |
  SEARCH |
  E-MAIL US