Netcool issue: Oracle 8i TNS listener vulnerabality fixed on 9i

I have a question with regards to the Cert Advisory stated below.

Our company has our Netcool Network Mgmt Suite throwing data to our Oracle 8i database
via its Oracle gateway. Cert posted this advisory and we can't download the patch for it from metalink.oracle.com since we need to purchase their product. We are now considering upgrading to 9i since Oracle says below-mentioned vulnerability is fixed in 9i.

My questions now are these:

1. If any of you guys have the Netcool/Oracle 8i interface, has anyone of you encountered any problems/issues/bugs with Netcool/Oracle after upgrading to 9i (if ever you upgraded)?
2. Does anyone have the 8i patch for this vulnerability that they can share with me?

Your replies are greatly appreciated.

Sincerely,
Louie

-----BEGIN PGP SIGNED MESSAGE-----
CERT Advisory CA-2001-16 Oracle 8i contains buffer overflow in TNS listener

   Original release date: July 03, 2001
   Last revised: --
   Source: CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

• Systems running Oracle 8i

Overview

   A vulnerability in Oracle 8i allows remote intruders to assume control    of database servers running on victim machines. If the Oracle server    is running on a Windows system, an intruder may also be able to gain    contol of the underlying operating system.

I. Description

   The COVERT labs at PGP Security have discovered a buffer overflow    vulnerability in Oracle 8i that allows intruders to execute arbitrary    code with the privileges of the TNS listener process. The    vulnerability occurs in a section of code that is executed prior to    authentication, so an intruder does not require a username or    password.

   For more information, see the COVERT Labs Security Advisory, available    at

          http://www.pgp.com/research/covert/advisories/050.asp

II. Impact

   An intruder who exploits the vulnerability can remotely execute    arbitrary code. On UNIX systems, this code runs as the 'oracle' user.    If running on Windows systems, the intruder's code will run in the    Local System security context.

   In either case, the attacker can gain control of the database server    on the victim machine. On Windows systems, the intruder can also gain    administrative control of the operating system.

III. Solutions

   Install a patch from Oracle. More information is available in    Appendix A.

Appendix A

Oracle

   Oracle has issued an alert for this vulnerability at

          http://otn.oracle.com/deploy/security/pdf/nai_net8_bof.pdf

   Oracle has fixed this potential security vulnerability in the Oracle9i    database server. Oracle is in the process of backporting the fix to    supported Oracle8i database server Releases 8.1.7 and 8.1.6 and    Oracle8 Release 8.0.6 on all platforms. The Oracle bug number for the    patch is 1489683.

   Download the patch for your platform from Oracle's Worldwide Support    web site, Metalink:

          http://metalink.oracle.com

   Please check Metalink periodically for patch availability if the patch    for your platform is not yet available.

   Our thanks to COVERT Labs at PGP Security for the information    contained in their advisory.

   This document was written by Shawn V. Hernan. If you have feedback    concerning this document, please send email to:

          mailto:cert_at_cert.org?Subject=[VU#620495]%20Feedback%20CA-2001-16

   Copyright 2001 Carnegie Mellon University.

   Revision History
July 03, 2001: Initial Release

-----BEGIN PGP SIGNATURE-----

Version: PGPfreeware 5.0i for non-commercial use Charset: noconv

iQCVAwUBO0I28QYcfu8gsZJZAQF1AQP/QvE4AO+I5HP8VXK850g83NlPiFCxlG1K 51GjO/KCFqK78DoBK9YWvxGaZiR6xKaxYJbGftcJh1zKwNqiRDIGk1OdeW873uhj bR8vjobFMzNSZU5y9gXPa9YQWdEg1KozQH1VuNsBxRnmHu6Yi3WANbmZXYcRck2x lhP8noPes/Q=
=nVFt
-----END PGP SIGNATURE-----