Security Alert : Oracle 9iAS Web Cache
Our security folks just sent me this.
The Federal Computer Incident Response Center (FedCIRC) and Computer Emergency Response Team/Coordination Center (CERT/CC) have issued an advisory (FA-2001-29/CA-2001-29) which discusses a buffer overflow vulnerability with the Oracle9iAS Web Cache. This vulnerability, discovered by Defcom Labs, is remotely exploitable on all platforms and allows intruders to execute arbitrary code with the privileges of the web cache process or disrupt the normal operation of the Web Cache. Intruders may also be able to intercept and/or modify sensitive data such as credentials and other types of sensitive information passing through the host running Web Cache. Finally, the Web Cache can be used as an entry point into the network, or the intruder can leverage an existing trust relationship between Web Cache and another system to allow the intruder to gain access to the other system. The entire advisory can be found on the FedCIRC Web Page at http://www2.fedcirc.gov/advisories/FA-2001-29.html. (Source: FedCIRC, 25 October)
Ian MacGregor
Stanford Linear Accelerator Center
ian_at_slac.stanford.edu
Received on Fri Oct 26 2001 - 15:49:49 CDT