RE: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS 10g/9i

  • From: "Ruth Gramolini" <rgramolini@xxxxxxxxxxxxxxx>
  • To: <granaman@xxxxxxx>, "oracle-l" <oracle-l@xxxxxxxxxxxxx>
  • Date: Wed, 19 Jan 2005 09:40:40 -0500

I just logged on to Metalink and there is a patch which was updated
yesterday that deals with a PL/SQL vulnerability.  For my 9.2.0.4 database
release on AIX5L it is patch # 4002994.

The notice from VulnWatch wisely doesn't explain how to exploit the
vulnerability so I don't know how vulnerable we are.  I will probably
install it on our test box as soon as possible and then on production
sometime next week.

Any insights appreciated!

Ruth

-----Original Message-----
From: oracle-l-bounce@xxxxxxxxxxxxx
[mailto:oracle-l-bounce@xxxxxxxxxxxxx]On Behalf Of Don Granaman
Sent: Wednesday, January 19, 2005 10:30 AM
To: rgramolini@xxxxxxxxxxxxxxx; oracle-l
Subject: Re: [VulnWatch] Multiple high risk vulnerabilities in Oracle
RDBMS 10g/9i


This same "alert" was forwarded to me yesterday also.  I could find no such
patch - or any other related information on Metalink or OTN's security
alerts.  The most recent (unrelated) security alert I could find was from
Dec 17, 2004.

-Don Granaman

----- Original Message -----
From: "Ruth Gramolini" <rgramolini@xxxxxxxxxxxxxxx>
To: "oracle-l" <oracle-l@xxxxxxxxxxxxx>
Sent: Tuesday, January 18, 2005 11:52 AM
Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS
10g/9i


> I just received this from my SA, Claus. Has anyone applied this patchset?
> Does anyone know the details?
>
> Inquiring minds want to know.
> Ruth
>
> -----Original Message-----
> From: Claus Lund [mailto:clund@xxxxxxxxxxxxxxx]
> Sent: Tuesday, January 18, 2005 11:30 AM
> To: Ruth Gramolini
> Subject: FW: [VulnWatch] Multiple high risk vulnerabilities in Oracle
> RDBMS 10g/9i
>
>
> I don't know if you heard about this yet...
>
> -Claus
>
> -----Original Message-----
> From: NGSSoftware Insight Security Research [mailto:nisr@xxxxxxxxxxxxx]
> Sent: Tuesday, January 18, 2005 10:33 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx; ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx;
> vulnwatch@xxxxxxxxxxxxx
> Subject: [VulnWatch] Multiple high risk vulnerabilities in Oracle RDBMS
> 10g/9i
>
>
> Researchers at NGSSoftware have discovered multiple high risk
> vulnerabilities in the Oracle Database Server. Versions affected include
>
> Oracle Database 10g - All Releases
> Oracle9i Database Server - All Releases
>
> The vulnerabilities include PL/SQL Injection vulnerabilities that allow low
> privileged users to gain DBA privileges and a buffer overflow vulnerability.
> The former can be exploited via the web through Oracle Application Server.
> Oracle has released a patch set (18/01/2005) to address these issues. Oracle
> database administrators are urged to download, test and install the patch
> set as soon as possible. See http://metalink.oracle.com/ for more details.
>
> NGSSoftware are going to withhold details about these flaws for three
> months. Full details will be published on the 18th of April 2005. This three
> month window will allow Oracle database administrators the time needed to
> test and apply the patch set before the details are released to the general
> public. This reflects NGSSoftware's new approach to responsible disclosure.
>
> NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessment
> scanner and security manager for Oracle, has been updated to check for and
> positively identify these flaws in Oracle database servers on the network.
> More information about NGSSQuirreL for Oracle can be found at
> http://www.ngssoftware.com/squirrelora.htm.
>
> NGSSoftware Insight Security Research
> http://www.ngssoftware.com/
> +44(0)208 401 0070
>
>
>
> --
> //www.freelists.org/webpage/oracle-l