PGP SIGNED MESSAGE-----
CA-2003-05 Multiple Vulnerabilities in Oracle Servers
release date: February 19, 2003
Last revised: --
revision history can be found at the end of this file.
running Oracle9i Database (Release 1 and 2)
* Systems running Oracle8i Database v 8.1.7
* Systems running Oracle8 Database v 8.0.6
* Systems running Oracle9i Application Server (Release 9.0.2 and 9.0.3)
vulnerabilities exist in Oracle software that may lead to
execution of arbitrary code; the ability to read, modify, or delete
information stored in underlying Oracle databases; or denial of
service. All of these vulnerabilites were discovered by Next
Generation Security Software Ltd.
vulnerabilities exist in Oracle9i Application Server,
Oracle9i Database, and Oracle8i Database. The majority of these
vulnerabilities are buffer overflows.
has published Security Alerts describing these vulnerabilities.
If you use Oracle products listed in the "Systems Affected"
this document, we strongly encourage you to review the following
Oracle Security Alerts and apply patches as appropriate:
Overflow in DIRECTORY parameter of Oracle9i Database Server
Overflow in TZ_OFFSET function of Oracle9i Database Server
Overflow in TO_TIMESTAMP_TZ function of Oracle9i Database Server
Overflow in ORACLE.EXE binary of Oracle9i Database Server
Vulnerabilities in Oracle9i Application Server
Insight Security Research Advisories describing these
issues are listed below:
Application Server Format String Vulnerability
TO_TIMESTAMP_TZ Remote System Buffer Overrun
bfilename function buffer overflow vulnerability
TZ_OFFSET Remote System Buffer Overrun
unauthenticated remote system compromise
has published vulnerability notes for each of these issues
as well. The vulnerability in Oracle's mod_dav module (VU#849993) has
been as assigned CVE ID CAN-2002-0842.
on the vulnerability being exploited, an attacker may be
able to execute arbitrary code; read, modify, or delete information
stored in underlying Oracle databases; or cause a denial of service.
The vulnerabilities in "ORACLE.EXE" (VU#953746) and the WebDAV
(VU#849993, VU#511194) may be exploited prior to authentication.
for specific vulnerabilities can be found in the above
referenced Oracle Security Alerts, NGSSoftware Insight Security
Research Advisories, and individual CERT/CC Vulnerability Notes.
a patch can be applied, the CERT/CC recommends that vulnerable
unnecessary Oracle services
* run Oracle services with the least privilege
* restrict network access to Oracle services
A. Vendor Information
contains information provided by vendors. When vendors
report new information, this section is updated and the changes are
noted in the revision history. If a vendor is not listed below, we
have not received their comments.
see the following Oracle Security Alerts:
acknowledges both Next Generation Security Software Ltd.
and Oracle for providing information upon which this document is
can be directed to the author: Ian A. Finlay.
is available from:
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
personnel answer the hotline 08:00-17:00 EST(GMT-5) /
EDT(GMT-4) Monday through Friday; they are on call for emergencies
during other hours, on U.S. holidays, and on weekends.
urge you to encrypt sensitive information sent by email.
Our public PGP key is available from
prefer to use DES, please call the CERT hotline for more
and other security information are available from
our web site
to the CERT mailing list for advisories and bulletins,
send email to firstname.lastname@example.org. Please include in the body of your
and "CERT Coordination Center" are registered in the U.S.
Patent and Trademark Office.
Any material furnished by Carnegie Mellon University and the Software
Engineering Institute is furnished on an "as is" basis. Carnegie
Mellon University makes no warranties of any kind, either expressed
implied as to any matter including, but not limited to, warranty of
fitness for a particular purpose or merchantability, exclusivity or
results obtained from use of the material. Carnegie Mellon University
does not make any warranty of any kind with respect to freedom from
patent, trademark, or copyright infringement.
for use, disclaimers, and sponsorship information
2003 Carnegie Mellon University.
February 19, 2003: Initial release
Version: PGP 6.5.8
-----END PGP SIGNATURE-----