Revision: Multiple Critical and High Vulnerabilities in Oracle Database Server

To: <bugtraq@xxxxxxxxxxxxxxxxx>, <ntbugtraq@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Revision: Multiple Critical and High Vulnerabilities in Oracle Database Server
From: "David Litchfield" <davidl@xxxxxxxxxxxxxxx>
Date: Wed, 19 Oct 2005 03:06:34 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
References: <001901c5d439$9eeb6ae0$4300a8c0@xxxxxxxxxxxxxxx>

Having downloaded and given the Oracle October patch a cursory examination,some of the flaws Oracle told me were being fixed, remain exploitable. Onceagain the patch is not sufficient. I will conduct a full investigation ofthe patch over the coming few days and post some recommendations oncecomplete. Incidently, it's good to see that the NGS Disclosure policy of notpublicly releasing details of the flaws "fixed" seems to work as a usefulfail safe mechanism.


More to follow...
Cheers,
David Litchfield
NGSSoftware Ltd
http://www.ngssoftware.com/

David Litchfield of NGSSoftware has discovered discovered multiplecritical and high risk vulnerabilities in the Oracle Database Server.These vulnerabilities can be exploited by an attacker to gain completecontrol of the database server. Versions affected include
Oracle Database 10g - All Releases
Oracle9i Database Server - All Releases
The vulnerabilities include a buffer overflow vulnerability and seventeenPL/SQL injection vulnerabilities and Oracle has released a patch set todeal with these issues. It is understood that this patch set fixes anumber of other flaws found by seven other security researchers. Oracledatabase administrators are urged to download, test and install the patchset as soon as possible. Seehttp://www.oracle.com/technology/deploy/security/pdf/cpuoct2005.html formore details.
NGSSQuirreL for Oracle, NGSSoftware's advanced vulnerability assessmentscanner and security manager for Oracle, has been updated to check for andpositively identify these flaws in Oracle database servers on the network.More information about NGSSQuirreL for Oracle can be found athttp://www.ngssoftware.com/squirrelora.htm.
NGSSoftware are going to withhold details about these flaws for threemonths. Full details will be published on the 18th of January 2006. Thisthree month window will allow Oracle database administrators the timeneeded to test and apply the patch set before the details are released tothe general public. This reflects NGSSoftware's new approach toresponsible disclosure.
NGSSoftware Insight Security Research
http://www.ngssoftware.com/
+44(0)208 401 0070

References:
- Multiple Critical and High Vulnerabilities in Oracle Database Server
  - From: NGSSoftware Insight Security Research

Prev by Date: Re: Require many large corporate emails for contact regarding vulnerability.
Next by Date: Metasploit Framework v2.5
Previous by thread: Multiple Critical and High Vulnerabilities in Oracle Database Server
Next by thread: Re: Require many large corporate emails for contact regarding vulnerability.
Index(es):
- Date
- Thread