It was also reported by the SANS Institute:


 --29 June 2001  Oracle8i Database Buffer Overflow Vulnerability
Security experts found and disclosed a pair of vulnerabilities in the
standard and enterprise editions of Oracle8i database.  The Transport
Network Substrate (TNS) Listener has a buffer overflow vulnerability;
a flaw in the SQL Net protocol leaves the system vulnerable to
denial-of-service attacks.  Patches are available.
http://www.computerworld.com/storyba/0,4125,NAV47_STO61802,00.html

Christian

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On behalf of Guy Hammond
Sent: Wednesday, 4 July 2001 12:20
To: Multiple recipients of list ORACLE-L
Subject: RE: CERT and Oracle


Actually, this came in yesterday:

http://www.cert.org/advisories/CA-2001-16.html

g



-----Original Message-----
Sent: Tuesday, July 03, 2001 4:46 PM
To: Multiple recipients of list ORACLE-L


Most likely because no-one (at least, I hope not) connects their Oracle
server directly to the Internet without a firewall in between, so Oracle
servers aren't exposed to hacking attempts. Also, hackers can easily get
hold of Linux, and use it to find holes in open-source programs like
sendmail and bind (two CERT favorites) but there are fewer copies of
Oracle available to non-specialists (altho' this is changing) to
experiment with, and no source code "in the wild". Oracle doesn't need
to run as root. There's not (as far as I know) a way to make Oracle
buffer-overflow and give control of the stack to arbitrary code (this is
a typical sendmail/bind exploit). There are probably more (and better)
reasons, but I think that would explain it.

Cheers,

g


-----Original Message-----
Sent: Tuesday, July 03, 2001 2:51 PM
To: Multiple recipients of list ORACLE-L


Why is Oracle listed so infrequently in the CERT advisories?

Just wondering, since Oracle security patches appear to be available
from Oracle...

Regards,
Patrice Boivin
Systems Analyst (Oracle Certified DBA)

Systems Admin & Operations | Admin. et Exploit. des systèmes
Technology Services        | Services technologiques
Informatics Branch         | Direction de l'informatique
Maritimes Region, DFO      | Région des Maritimes, MPO

E-Mail: [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
--
Please see the official ORACLE-L FAQ: http://www.orafaq.com
--
Author: Guy Hammond
  INET: [EMAIL PROTECTED]

Fat City Network Services    -- (858) 538-5051  FAX: (858) 538-5051
San Diego, California        -- Public Internet access / Mailing Lists
--------------------------------------------------------------------
To REMOVE yourself from this mailing list, send an E-Mail message
to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') and in
the message BODY, include a line containing: UNSUB ORACLE-L
(or the name of mailing list you want to be removed from).  You may
also send the HELP command for other information (like subscribing).


Author: Christian Bilien
  INET: [EMAIL PROTECTED]