Buffer Overflow in Oracle Net Services for Oracle Database Server

Description
A potential security vulnerability has been discovered in Oracle Net
services for the Oracle Database server. A knowledgeable and malicious
user can cause a
buffer overflow in an Oracle database link that may result in a Denial
of Service (DoS) attack and/or the execution of arbitrary code against
the Oracle Database
server.

Product Affected

Oracle9i Release 2
Oracle9i Release 1
Oracle8i (8.1.x - all releases)
Oracle8 (8.0.x - all releases)
Oracle7 Release 7.3.x

http://webiv.oraclecorp.com/cgi-bin/webiv/do.pl/Get?WwwID=note:237172.1
========
<html>
<head>
<TITLE>View NOTE:237172.1</TITLE>

</HEAD>
<BODY BGCOLOR="#FFFFFF">

<TABLE BORDER="0" CELLPADDING="0" CELLSPACING="0"><TR>
<TD WIDTH=160><I><B>WebIV:View NOTE:237172.1</B></I></TD>
<TD WIDTH=80></TD>
<TD WIDTH=80>
<A HREF="/cgi-bin/webiv/do.pl/PREVIOUS"><IMG SRC="/images/webiv/arrows/bw/prev.gif"
border=0" ALT="Previous"></A>
<A HREF="/cgi-bin/webiv/do.pl/NEXT"><IMG SRC="/images/webiv/arrows/bw/next.gif"
border=0" ALT="Next"></A>
</TD>
<TD WIDTH=80>
<A HREF="/cgi-bin/webiv/do.pl/LOGOFF" TARGET="_top"><IMG
SRC="/images/webiv/buttons/col/logoff_up_b.gif"
height="18" width="80" border="0" ALT="Logoff"></A>
</TD>
<TD WIDTH=80>
<A HREF="#"><IMG
SRC="/images/webiv/buttons/col/help_up_b.gif"
height="18" width="80" border="0" ALT="Help"></A>
</TD>
<TD WIDTH=80>
<A HREF="/cgi-bin/webiv/do.pl/RESETMENU" TARGET="_top"><IMG
SRC="/images/webiv/buttons/col/menu_down_b.gif"
height="18" width="50" border="0" ALT="Reset Menu"></A>
</TD>
</TR></TABLE> <FORM NAME="lookup" METHOD=POST ACTION="/cgi-bin/webiv/do.pl/Get">
<INPUT TYPE=hidden NAME=WwwAction VALUE="">
<SELECT NAME="WwwDocSource">
<OPTION SELECTED VALUE="NOTE"> Note (Sure)
<OPTION VALUE="NOTE_MODIFICATIONS"> - Note Mods
<OPTION VALUE="NOTE_REFERENCES"> - Note Refs
<OPTION VALUE="PRIMUS"> Primus
<OPTION VALUE="BULLETIN"> OLS Bull
<OPTION VALUE="OERR"> Error
<OPTION VALUE="OERI"> ORA 600
<OPTION VALUE="TAR"> TAR
<OPTION VALUE="TARINFO"> TAR-Info
<OPTION VALUE="SMS"> SMS
<OPTION VALUE="BUG"> Bug
<OPTION VALUE="BUGMATRIX"> Bug Matrix
<OPTION VALUE="RFI"> RFI
<OPTION VALUE="ORAUSER"> OraUser
<OPTION VALUE="DIARY"> Diary
<OPTION VALUE="EVENTS"> Events
<OPTION VALUE="PARAMETERS"> Parameters
<OPTION VALUE="LOCKS"> Locks
<OPTION VALUE="LATCHES"> Latches
<OPTION VALUE="VIEWS"> Views
<OPTION VALUE="PROCEDURES"> Pkg/Proc
<OPTION VALUE="STATISTICS"> Statistics
<OPTION VALUE="WAITEVENTS"> Wait Events
<OPTION VALUE="FUNCTION"> Function
<OPTION VALUE="BUGUSER"> BugDB User
<OPTION VALUE="PORT"> Port Names
<OPTION VALUE="COMPONENT"> Prod/Comp
<OPTION VALUE="DOC"> Doc Part

</SELECT>
<INPUT NAME="WwwDocID" MAXLENGTH=100 SIZE=15 VALUE="237172.1">
<INPUT TYPE=button VALUE="Clear">
<INPUT TYPE=button VALUE="Do>"
onClick="Act(document.lookup.TMP_Action.options[document.lookup.TMP_Action.selectedIndex]);">
<SELECT NAME="TMP_Action">
<OPTION SELECTED VALUE="GET"> Get
<OPTION VALUE="EXPLODE"> Explode
<OPTION VALUE="-MAIL">Mail
<OPTION VALUE="-FAXDOC">Fax
<OPTION VALUE="MARK"> Mark
<OPTION VALUE="TAG"> Tag
<OPTION VALUE="TAGALL"> Tag-References
<OPTION VALUE="CHECKREFS"> Check-References
<OPTION VALUE="REMARKS"> Show Remarks
<OPTION VALUE=".EDIT"> Edit
<OPTION VALUE=".EDITFULL"> Edit (Full Header)
<OPTION VALUE=".COPYFULL"> Copy (Full Header)
<OPTION VALUE=".ATTACH"> Attachments<OPTION VALUE="MLDOCSTATS"> Show Doc Stats<OPTION VALUE="SHOWML"> Show ML Copy
</SELECT>
<INPUT TYPE=button VALUE="Match">
<INPUT TYPE=button VALUE="Wrap">
<INPUT TYPE=button VALUE="Add Remark">
</FORM><PRE><strong>
Article-ID: <<A HREF="/cgi-bin/webiv/do.pl/Get?WwwID=note:237172.1" >Note:237172.1</A>>
Circulation: <A HREF="/cgi-bin/webiv/do.pl/Get?WwwID=Help:KRSTATUS.PUBLISHED" >PUBLISHED (EXTERNAL)</A>
Folder: <A HREF="/cgi-bin/webiv/do.pl/Get?WwwID=Topics:13156.1" >network.Troubleshooting</A>
Topic: <A HREF="/cgi-bin/webiv/do.pl/Get?WwwID=Articles:13156.1.9363.1" >Alerts</A>
Title: Security Alert #54: Buffer Overflow in Oracle Net Services
for Oracle Database Server
Document-Type: ALERT
Impact: MEDIUM
Skill-Level: NOVICE
Updated-Date: 01-MAY-2003 01:01:20
References:
Shared-Refs:
Authors: SECALERT.US
Attachments: NONE
Content-Type: TEXT/X-HTML
Keywords: <A HREF="/cgi-bin/webiv/do.pl/GET:KEYWORDLIST:KEYWORD:ALERTINFO">ALERTINFO</A>; <A HREF="/cgi-bin/webiv/do.pl/GET:KEYWORDLIST:KEYWORD:SECURITY">SECURITY</A>;
Products: 115/NET;
Platforms: GENERIC;
</strong>
</PRE><html>

<head>
<meta http-equiv="Content-Language" content="en-au">
<meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<meta name="GENERATOR" content="Microsoft FrontPage 4.0">
<meta name="ProgId" content="FrontPage.Editor.Document">
<title>Oracle Security Alert #54</title>
</head>

<body>

<p><small>
@ *** NOTICE TO ORACLE EMPLOYEES *** <br>
@ For the current issues generated by this Alert, please review <<Note:237007.1>>. <br>
@ Please follow the instructions from the note to forward additional issues.</small></p>

<p><b>Oracle Security Alert #54<br>
Dated: April 25, 2003<br>
Updated: April 30, 2003<br>
Severity: 2</p>
<p>Buffer Overflow in Oracle Net Services for Oracle Database Server</p>
<p>Description<br>
</b>A potential security vulnerability has been discovered in Oracle Net
services for the Oracle Database server.  A  knowledgeable and
malicious user can cause a buffer overflow in an Oracle database link that may
result in a Denial of Service (DoS) attack and/or the execution of arbitrary
code against the Oracle Database server.</p>
<p><b>Product Affected
</b></p>
<ul>
<li>Oracle9<i>i</i> Release 2</li>
<li>Oracle9<i>i</i> Release 1</li>
<li>Oracle8<i>i</i> (8.1.x - all releases)</li>
<li>Oracle8 (8.0.x - all releases)</li>
<li>Oracle7 Release 7.3.x</li>
</ul>
<p><b>Platforms Affected<br>
</b>See <a href="#Patch Availability Matrix"> Patch Availability Matrix</a>.</p>
<p><b>Required conditions for exploit</b>
 <br>
Database-authenticated user (i.e., valid login required) and the CREATE DATABASE
LINK privilege.</p>

<blockquote>

<p><b>Risk to exposure</b><br>
Risk to exposure is high, as this buffer overflow can lead to the execution of
arbitrary code that may compromise the Oracle host server and/or result in a
Denial of service (DoS) attack against the Oracle Database.  Unless you
connect the Oracle Database directly to the Internet (e.g., no intervening
application server or firewall), a remote exploit via the Internet is, in our
opinion, unlikely.  Note that we strongly recommend that you do not connect
your database directly to the Internet.  This vulnerability is susceptible
to an insider attack originated on the corporate Intranet if the required
conditions mentioned above are met.</p>

<p><b>How to minimize risk</b><br>
Follow best practices for database, <a href="http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf">http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf</a>
& <a href="http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf">http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf</a>,
and for IT deployments of firewalls, etc.</p>

<p><b>Ramification for customer</b><br>
There are no workarounds that can directly address the potential vulnerability
identified above.</p>

<p>Oracle strongly recommends that customer review the severity rating for
this Alert and patch accordingly.  See <a href="http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf">http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf</a>
for a definition of the severity ratings.</p>

</blockquote>
<p><b>Patch Information<br>
</b>The patches listed in the <a href="#Patch Availability Matrix"> Patch Availability Matrix</a> fix the potential
security vulnerability identified above.  Please note that this fix is
included in the Oracle9<i>i</i> Database Release 2, Version  9.2.0.3 patchset.
</p>

<p>The patch READMEs contain the patch application instructions/configuration
guide.
</p>

<p><b>Fixed by</b><br>
An interim (one-off patch) for this issue is available for these affected
database versions:
</p>

<ul>
<li>Oracle9<i>i</i> Release 2, version 9.2.0.2 (excluding Windows)</li>
<li>Oracle9<i>i</i> Release 1, version 9.0.1.4</li>
<li>Oracle8<i>i</i> Release 3, version 8.1.7.4</li>
<li>Oracle8 Database, Version 8.0.6.3 (Desupported release; however, patch is
available for Extended Maintenance Support customers.)</li>
</ul>
<blockquote>
<p>Currently there are no plans to release a patch for 8.0.5.x, 8.1.5.x,
8.1.6.x, 7.3.x, or other patchsets of the supported releases.
</p>

</blockquote>

<p>Download this one-off patch from the oracle Support Services web site,
MetaLink (<a href="http://metalink.oracle.com">http://metalink.oracle.com</a>).
</p>

<ol>
<li>Click on the <b>Patches</b> button.</li>
<li>Click on the "<b>New</b> Metalink Patch Search".<br>
If you are not on the "Simple Search" screen, click on the
"Simple" button to get to the "Simple Search" screen.</li>
<li>Refer to the <a href="#Patch Availability Matrix"> Patch Availability Matrix</a> below to determine the patch number
required.</li>
<li>In the "Search By" option select "Patch Numbers(s)"
from the drop-down menu, and enter the required patch number in the box.</li>
<li>Click on the "Go" button.</li>
<li>Select the required platform and language.</li>
<li>Click on the "Download" button.</li>
<li>Recommended: you should also click on the "View README" button
for additional information and instructions.</li>
</ol>
<p>Please review MetaLink, or check with Oracle Support Services periodically
for patch availability if the patch for your platform is unavailable.
</p>

<p>Oracle strongly recommends that you backup and comprehensively test the
stability of your system upon application of any patch prior to deleting any of
the original file(s) that are replaced by that patch.
</p>

<p><b><a name="Patch Availability Matrix">Patch Availability Matrix</a></b></p>

<p><b>Special Note:</b> The patches listed below supersede all patches in the Oracle
Security Alerts 40 and 42 for the Oracle Net Services.</p>
<blockquote>
<table border="1" width="90%">
<tr>
<td width="25%"><b>Platforms</b></td>
<td width="10%" align="left"><b>9.2.0.2</b></td>
<td width="13%" align="left"><b>9.0.1.4</b></td>
<td width="8%" align="left"><b>8.1.7.4</b></td>
<td width="12%" align="left"><b>8.0.6.3</b></td>
</tr>
<tr>
<td width="25%">Sun Solaris (32 bit)</td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">Sun Solaris (64 bit)</td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">IBM AIX 4.3.3 and 5L (32 bit)</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">2784635</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">IBM AIX 4.3.3 (64 bit)</td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">IBM AIX Based 5L (64 bit)</td>
<td width="10%">2749511</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">MS Windows NT/2000/XP</td>
<td width="10%">N/A</td>
<td width="12%">ECD:May 2003</td>
<td width="8%">2899111</td>
<td width="11%">2845564</td>
</tr>
<tr>
<td width="25%">HP-UX 10.20</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">ECD:TBD</td>
</tr>
<tr>
<td width="25%">HP-UX 11.0 (32 bit)</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">2784635</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">HP-UX (64 bit)</td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">HP Tru64 </td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">LINUX</td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">LINUX 390</td>
<td width="10%">2749511</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">LINUX IA64</td>
<td width="10%">ECD:TBD</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">INTEL SOLARIS</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">ECD:TBD</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">DATA GENERAL</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">ECD:TBD</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">UNIXWARE</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">2784635</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">IBM NUMA-Q</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">2784635</td>
<td width="11%">ECD:May 2003</td>
</tr>
<tr>
<td width="25%">SGI-IRIX-64</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">ECD:TBD</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">Siemens-64</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">ECD:TBD</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">Novell</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">OpenVMS</td>
<td width="10%">ECD:TBD</td>
<td width="12%">2760944</td>
<td width="8%">2784635</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">IBM OS/390 (MVS)</td>
<td width="10%">2749511</td>
<td width="12%">2760944</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">NEC</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">HP IA64</td>
<td width="10%">ECD:TBD</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">N/A</td>
</tr>
<tr>
<td width="25%">Fujitsu UXP/DS</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">2760879</td>
</tr>
<tr>
<td width="25%">Hitachi RISC Unix</td>
<td width="10%">N/A</td>
<td width="12%">N/A</td>
<td width="8%">N/A</td>
<td width="11%">2760879</td>
</tr>
</table>
</blockquote>
<blockquote>
<p><b>N/A</b>: The patch for the Oracle Database Release/Version is not
available for this platform.<b><br>
ECD</b>: Expected Completion Date.</p>
</blockquote>
<p><b>Credits</b><br>
Oracle Corporation thanks David Litchfield, of Next Generation Security Software
Ltd., for discovering and promptly bringing this potential security
vulnerability to Oracle's attention.  The Next Generation Security Software
Advisory is available at <a href="http://www.nextgenss.com/research/advisories.html">http://www.nextgenss.com/research/advisories.html</a>.</p>
<p><b>Modification History<br>
</b>25-APR-03: Initial release, version 1<br>
30-APR-03: Updated the patch available information</p>
</body>

</html>


========

2 Softbuilder:: Ne vse links y menya public..
"Подобные "very important" уже были в Oracle не раз и возможно будут еще. .."
Konechno, budut. Dlya togo i pishu v forume, chtoby VSE mogli prochest'..
Ne v obidy, poslushai starshix,inogda kagetsya, chto ty zadalsya
samozel'u "nakrutit'" schetchik
svoih soobshenii...

Eto tak, rabochaya perepalka..

Daa.
======
Маленький Вовочка спрашивает у отца:
- Папа, а чем жизнь отличается от члена?
Отец скребёт в затылке:
- Ну как бы тебе объяснить, сынок? Жизнь - она куда жёстче.
======