Oracle FAQ Your Portal to the Oracle Knowledge Grid

Home -> Community -> Mailing Lists -> Oracle-L -> security alert #45

security alert #45

From: Ray Stell <>
Date: Mon, 14 Oct 2002 11:28:43 -0800
Message-ID: <>

Oracle Security Alert #45
Dated: 04 October 2002 (Updated: 10 October 2002) Severity: 1

Security Release of Apache 1.3.27

Apache has released version 1.3.27 of its HTTP Server that contains fixes for the security vulnerabilities noted below and described at The vulnerabilities that affect all of the supported versions of the Oracle HTTP Server (OHS) are:

CAN-2002-0839: This is a security vulnerability involving System V shared memory based scoreboards.  It can only occur on Oracle Linux and HP ports. Exploitation of this vulnerability requires that a malicious and knowledgeable user be able to run his programs on the server web site.  As a few commercial web sites allow this, the vulnerability applies to few sites. If a malicious and knowledgeable user is able to run his own programs, the web site has more serious, unrelated security issues than the exploit of this vulnerability. 
CAN-2002-0840: This is a cross-site scripting vulnerability involving the default error 404 pages.  It can occur on all Oracle database platforms.  Exploitation of this vulnerability requires the use of wildcard DNS and the setting of UseCanonicalNames = OFF. 
CAN-2002-0843: There were potential buffer overflows in Apache Bench (ab) that could be exploited by a malicious server.   Note that 'ab' is not in Apache itself but is an HTTP client utility used for generating load for performance testing.  This vulnerability only occurs when the 'ab' load generating HTTP client, used for performance testing, is used against a malicious HTTP server. 
These security vulnerabilities are described in more detail at

Product afftected
OHS in Oracle Database Releases 8.1.7.x, 9.0.1.x and 9.2.x OHS in Oracle9i Application Server Releases 1.0.2.x and 9.0.2.x

Platforms affected
All except as noted in item #1 in the Description above.

Ray Stell (540) 231-4109 KE4TJC 28^D

Please see the official ORACLE-L FAQ:

Author: Ray Stell
Fat City Network Services    -- 858-538-5051
San Diego, California        -- Mailing list and web hosting services
To REMOVE yourself from this mailing list, send an E-Mail message to: (note EXACT spelling of 'ListGuru') and in the message BODY, include a line containing: UNSUB ORACLE-L (or the name of mailing list you want to be removed from). You may also send the HELP command for other information (like subscribing). Received on Mon Oct 14 2002 - 14:28:43 CDT

Original text of this message