
Re: Serious security hole in oracle 8i

From: Sybrand Bakker <postbus_at_sybrandb.demon.nl>
Date: Tue, 17 Jul 2001 18:45:24 +0200
Message-ID: <tl8qp3a1ehst19@beta-news.demon.nl>

"steve" <E_at_E.COM> wrote in message news:1ewp7s1.1jdw3anwjudviN%E_at_E.COM...
> Hi,
> Is anyone aware of the following, and where the patches are (FTP server
> directory) to fix the problem for Oracle on NetWare?
>
> -----------------------------------------------------------------
>
> 6) Oracle 8i Vulnerability
>
> A vulnerability in Oracle 8i allows remote intruders to assume control
> of database servers running on victim machines. If the Oracle server is
> running on a Windows system, an intruder may also be able to gain
> control of the underlying operating system.
>
> The COVERT labs at PGP Security have discovered a buffer overflow
> vulnerability in Oracle 8i that allows intruders to execute arbitrary
> code with the privileges of the TNS listener process.
>
> The vulnerability occurs in a section of code that is executed prior to
> authentication, so an intruder does not require a username or password.
>
> An intruder who exploits the vulnerability can remotely execute
> arbitrary code. On UNIX systems, this code runs as the 'oracle' user. If
> running on Windows systems, the intruder's code will run in the Local
> System security context.
>
> In either case, the attacker can gain control of the database server on
> the victim machine. On Windows systems, the intruder can also gain
> administrative control of the operating system.
> More information is available in
>
> http://otn.oracle.com/deploy/security/pdf/nai_net8_bof.pdf
>
> -----------------------------------------------------------------

Need to have a support contract for this, and NetWare will be desupported within a few months.

Regards,

Sybrand Bakker, Senior Oracle DBA

Received on Tue Jul 17 2001 - 11:45:24 CDT
