Oracle FAQ Your Portal to the Oracle Knowledge Grid
HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US
 

Home -> Community -> Mailing Lists -> Oracle-L -> Oracle alert #51 - is bug fix in 8.1.7.4.7 for win32 (W2K on Inte

Oracle alert #51 - is bug fix in 8.1.7.4.7 for win32 (W2K on Inte

From: Drake, Paul <Paul.Drake_at_encodasystems.com>
Date: Fri, 14 Feb 2003 10:52:31 -0800
Message-ID: <F001.0054E082.20030214105231@fatcity.com>


Hi.

I've been on digest mode on this list for quite awhile. When I received the alert from Oracle this morning, I set the list to NODIGEST.
I'm just now receiving emails realtime.

I'm sure that this subject was already covered on the list today, so I apologize in advance for posting a probably redundant subject.

Does anyone know if the fix for the bug #2620726 covered in alert #51 is included in 8.1.7.4.7?
It is not mentioned in the readme.

Does anyone aware of a known exploit existing for this vulnerability? I have scanned the following sites, but found no annoucements except for those released by Oracle.

http://metalink.oracle.com
alerts 48-52
http://otn.oracle.com/deploy/security/alerts.htm alerts 48-52

http://www.securityfocus.com/					2/14/2003
1:02:12 PM		nothing
http://www.cert.org						2/14/2003
1:02:53 PM		nothing
http://www.sans.org						2/14/2003
1:04:19 PM		nothing
http://www.appsecinc.com/resources/alerts/oracle/	2/14/2003 1:20:23 PM
nothing
http://www.treachery.net/					2/14/2003
1:43:18 PM		nothing
http://online.securityfocus.com/archive/1			2/14/2003
1:44:04 PM		nothing
http://www.rootprompt.org/					2/14/2003
1:45:24 PM		nothing
http://razor.bindview.com/					2/14/2003
1:47:03 PM		nothing
http://www.packetstormsecurity.org/				2/14/2003
1:47:40 PM		nothing


(I've been away from the grey/black hat sites for a long time).

>From the readme for 8.1.7.4.7: (only one entry)



Bug fixes included in this patch



<8.1.7.4.7>

Bug Base Bug Category Description

-----    -------- --------  -----------------------------------------------
2790160  2787968   NET      INAPPROPRIATE MESSAGE ON ERROR CONDITION
                            THAT SHOULD NEVER OCCUR

<8.1.7.4.6>





Oracle Security Alert #51
Dated: 11 February 2003
Severity: 1

Buffer Overflow in ORACLE.EXE binary of Oracle9i Database Server

Description
A potential security vulnerability has been discovered in the ORACLE.EXE binary of Oracle9i Database. A knowledgeable and malicious user can potentially execute arbitrary code by exploiting a buffer overflow in this binary.

Note that this exploit can manifest only when using a client application that does not place proper limits on the size of data sent to the server.

Products Affected
Oracle9i Database Release 2, Oracle9i Database Release 1, Oracle8i Database v 8.1.7, Oracle Database v 8.0.6.

Platforms Affected
All platforms.

Patch Information
Oracle has fixed the potential security vulnerability identified above under the base bug number 2620726. Future releases of the Oracle Database Server will contain the fix by default.

This potential security vulnerability is fixed in the last patchset level for each database release on all platforms. It will be available in the Oracle9i Database Release 2 v 9.2.0.3 patchset. It is available on Oracle9i Database Release 2 v 9.2.0.2, on Oracle9i Database Release 1 v 9.0.1.4 and on Oracle8i Database v 8.1.7.4. It is available for Oracle8 Database v 8.0.6 on demand.

Download currently available patches from Oracle Support Services web site, MetaLink (http://metalink.oracle.com). Activate the Patches button to get to the patches web page. Enter Bug Number 2620726 as indicated above and activate the Go button.

Please review MetaLink, or check with Oracle Support Services periodically for patch availability if the patch for your platform is unavailable.

Oracle strongly recommends that you comprehensively test the stability of your system upon application of any patch prior to deleting any of the original file(s) that are replaced by the patch.



I am most concerned that if an exploit is in the wild for this vulnerability that a compromise could easily occur. If no exploit is loose, I can have a nice weekend and pick this up next week. :)

thanks much,

Paul

Paul Drake
DBA/SysAdmin
Encoda Systems, Agency Solutions
mailto:paul.drake_at_encodasystems.com

"This information in this e-mail is intended solely for the addressee and may contain information which is confidential or privileged. Access to this e-mail by anyone else is unauthorized. If you are not the intended recipient, or believe that you have received this communication in error, please do not print, copy, retransmit, disseminate, or otherwise use the information. Also, please notify the sender that you have received this e-mail in error, and delete the copy you received."

-- 
Please see the official ORACLE-L FAQ: http://www.orafaq.net
-- 
Author: Drake, Paul
  INET: Paul.Drake_at_encodasystems.com

Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
San Diego, California        -- Mailing list and web hosting services
---------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: ListGuru_at_fatcity.com (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).
Received on Fri Feb 14 2003 - 12:52:31 CST

Original text of this message

HOME | ASK QUESTION | ADD INFO | SEARCH | E-MAIL US