 

Home -> Community -> Usenet -> c.d.o.tools -> Re: Serious security hole in oracle 8i

Re: Serious security hole in oracle 8i

From: steve <E_at_E.COM>
Date: Wed, 18 Jul 2001 08:35:16 +0800
Message-ID: <1ewqfma.93wh4sm0twj0N%E@E.COM>

Yep,
and I suppose if Oracle burns my house down I have to pay for it as well.

The Oracle was supplied as part of the NetWare package (NetWare 4.2) 5 user licence, so how is it covered?

Sybrand Bakker <postbus_at_sybrandb.demon.nl> wrote:

> "steve" <E_at_E.COM> wrote in message news:1ewp7s1.1jdw3anwjudviN%E_at_E.COM...
> > hi,
> > is anyone aware of the following and where the patches are (ftp server
> > directory) to fix the problem for oracle on netware.
> >
> >
> >
> >
> > -----------------------------------------------------------------
> >
> > 6) Oracle 8i Vulnerability
> >
> > A vulnerability in Oracle 8i allows remote intruders to assume control
> > of database servers running on victim machines. If the Oracle server is
> > running on a Windows system, an intruder may also be able to gain
> > control of the underlying operating system.
> >
> > The COVERT labs at PGP Security have discovered a buffer overflow
> > vulnerability in Oracle 8i that allows intruders to execute arbitrary
> > code with the privileges of the TNS listener process.
> >
> > The vulnerability occurs in a section of code that is executed prior to
> > authentication, so an intruder does not require a username or password.
> >
> > An intruder who exploits the vulnerability can remotely execute
> > arbitrary code. On UNIX systems, this code runs as the 'oracle' user. If
> > running on Windows systems, the intruder's code will run in the Local
> > System security context.
> >
> > In either case, the attacker can gain control of the database server on
> > the victim machine. On Windows systems, the intruder can also gain
> > administrative control of the operating system.
> > More information is available in
> >
> > http://otn.oracle.com/deploy/security/pdf/nai_net8_bof.pdf
> >
> > -----------------------------------------------------------------
>
>
> Need to have a support contract for this and netware will be desupported
> within a few months.
>
> Regards,
>
> Sybrand Bakker, Senior Oracle DBA
Received on Tue Jul 17 2001 - 19:35:16 CDT
