
Re: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

From: Don Granaman <granaman_at_cox.net>
Date: Wed, 19 Jan 2005 07:29:34 -0800
Message-ID: <001c01c4fe3b$ae05fc90$6401a8c0@dilbert>


This same "alert" was forwarded to me yesterday also. I could find no such patch - or any other related information on Metalink or OTN's security alerts. The most recent (unrelated) security alert I could find was from Dec 17, 2004.

-Don Granaman

> I just received this from my SA, Claus. Has anyone applied this patchset?
> Does anyone know the details?
>
> Inquiring minds want to know.
> Ruth
>
> -----Original Message-----
> From: Claus Lund [mailto:clund_at_tax.state.vt.us]
> Sent: Tuesday, January 18, 2005 11:30 AM
> To: Ruth Gramolini
> Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle
> RDBMS 10g/9i
>
>
> I don't know if you heard about this yet...
>
> -Claus
>
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr_at_nextgenss.com]
> Sent: Tuesday, January 18, 2005 10:33 AM
> To: bugtraq_at_securityfocus.com; ntbugtraq_at_listserv.ntbugtraq.com;
> vulnwatch_at_vulnwatch.org
> Subject: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS
> 10g/9i
>
>
> Researchers at NGSSoftware have discovered multiple high risk
> vulnerabilities in the Oracle Database Server. Versions affected include
>
> Oracle Database 10g - All Releases
> Oracle9i Database Server - All Releases
>
> The vulnerabilities include PL/SQL Injection vulnerabilities that allow low
> privileged users to gain DBA privileges and a buffer overflow vulnerability.
> The former can be exploited via the web through Oracle Application Server.
> Oracle has released a patch set (18/01/2005) to address these issues. Oracle
> database administrators are urged to download, test and install the patch
> set as soon as possible. See http://metalink.oracle.com/ for more details.
>
> NGSSoftware are going to withhold details about these flaws for three
> months. Full details will be published on the 18th of April 2005. This three
> month window will allow Oracle database administrators the time needed to
> test and apply the patch set before the details are released to the general
> public. This reflects NGSSoftware's new approach to responsible disclosure.
>
> NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment
> scanner and security manager for Oracle, has been updated to check for and
> positively identify these flaws in Oracle database servers on the network.
> More information about NGSSQuirreL for Oracle can be found at
> http://www.ngssoftware.com/squirrelora.htm.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> +44(0)208 401 0070
>

--
http://www.freelists.org/webpage/oracle-l
Received on Wed Jan 19 2005 - 08:31:02 CST
