RE: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

  • From: "Ruth Gramolini" <rgramolini@xxxxxxxxxxxxxxx>
  • To: <granaman@xxxxxxx>, "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 19 Jan 2005 09:40:40 -0500

I just logged on to Metalink and there is a patch which was updated
yesterday that deals with a pl_sql vulnerability.  For my database
release on AIX5L it is patch # 4002994.

The notice from VulnWatch wisely doesn't explain how to exploit the
vulnerability so I don't know how vulnerable we are.  I will probably
install it on our test box as soon as possible and then on production
sometime next week.

Any insights appreciated!


-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Don Granaman
Sent: Wednesday, January 19, 2005 10:30 AM
To: rgramolini@xxxxxxxxxxxxxxx; oracle-l
Subject: Re: [VulnWatch] Multiple high risk vulnerabilities in Oracle
RDBMS 10g/9i

This same "alert" was forwarded to me yesterday also.  I could find no such
patch - or any other related information on Metalink or OTN's security
alerts.  The most recent (unrelated) security alert I could find was from
Dec 17, 2004.

-Don Granaman

----- Original Message -----
From: "Ruth Gramolini" <rgramolini@xxxxxxxxxxxxxxx>
To: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
Sent: Tuesday, January 18, 2005 11:52 AM
Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS

> I just received this from my SA, Claus. Has anyone applied this patchset?
> Does anyone know the details?
> Inquiring minds want to know.
> Ruth
> -----Original Message-----
> From: Claus Lund [mailto:clund@xxxxxxxxxxxxxxx]
> Sent: Tuesday, January 18, 2005 11:30 AM
> To: Ruth Gramolini
> Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle
> RDBMS 10g/9i
> I don't know if you heard about this yet...
> -Claus
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr@xxxxxxxxxxxxx]
> Sent: Tuesday, January 18, 2005 10:33 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx;
> vulnwatch@xxxxxxxxxxxxx
> Subject: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS
> 10g/9i
> Researchers at NGSSoftware have discovered multiple high risk
> vulnerabilities in the Oracle Database Server. Versions affected include
> Oracle Database 10g - All Releases
> Oracle9i Database Server - All Releases
> The vulnerabilities include PL/SQL Injection vulnerabilities that allow
> privileged users to gain DBA privileges and a buffer overflow
> The former can be exploited via the web through Oracle Application Server.
> Oracle has released a patch set (18/01/2005) to address these issues.
> database administrators are urged to download, test and install the patch
> set as soon as possible. See for more details.
> NGSSoftware are going to withhold details about these flaws for three
> months. Full details will be published on the 18th of April 2005. This
> month window will allow Oracle database administrators the time needed to
> test and apply the patch set before the details are released to the
> public. This reflects NGSSoftware's new approach to responsible
> NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment
> scanner and security manager for Oracle, has been updated to check for and
> positively identify these flaws in Oracle database servers on the network.
> More information about NGSSQuirreL for Oracle can be found at
> NGSSoftware Insight Security Research
> +44(0)208 401 0070
