This vulnerability is only exploitable by local users.  That is to say, if
you have a local user (one that uses telnet or (ideally) ssh to log in) that
has permissions to execute the oracle binary, you are vulnerable to this.
It has nothing to do with whether or not your system is attached to the
Internet, it has to do with giving users logins on your system.

Now, of course, having your database exposed to the Internet is a terrible
idea, but it's a generally terrible idea, not one specific to this
vulnerability.  Let me know if I can clarify any of this.

Thanks,
Matt

--
Matthew Zito
GridApp Systems
Email: [EMAIL PROTECTED]
Cell: 646-220-3551
Phone: 212-358-8211 x 359
http://www.gridapp.com
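The two conditions Matt and Ian describe (the oracle binary is setuid, and local users other than its owner may execute it) can be checked directly on a host. The script below is an added example, not code from the ORACLE-L thread or from Oracle; it assumes a POSIX sh with ls(1), and "oracleO" is the letter O, as the alert says.

```shell
#!/bin/sh
# Added example, not code from the ORACLE-L thread: audit whether the
# Oracle server binaries named in Alert #59 are setuid and executable by
# other local users, the exposure Matt and Ian describe.  Assumes a POSIX
# sh with ls(1); "oracleO" is the letter O, as the alert says.

# Prints a verdict for FILE on stderr.  Returns 0 (exposed) when FILE has
# the setuid bit AND group or other may execute it, 1 otherwise (including
# when FILE is absent).
oracle_binary_exposed() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "$f: not present" >&2
        return 1
    fi
    mode=$(ls -ld "$f" | cut -c1-10)        # e.g. -rwsr-x--x
    setuid=0; others=0
    # position 4: 's' or 'S' means the setuid bit is set
    case $(printf '%s' "$mode" | cut -c4) in s|S) setuid=1 ;; esac
    # position 7: group execute ('s' = setgid with execute)
    case $(printf '%s' "$mode" | cut -c7) in x|s) others=1 ;; esac
    # position 10: other execute ('t' = sticky with execute)
    case $(printf '%s' "$mode" | cut -c10) in x|t) others=1 ;; esac
    if [ "$setuid" -eq 1 ] && [ "$others" -eq 1 ]; then
        echo "EXPOSED  $mode $f (setuid, executable by non-owners)" >&2
        return 0
    fi
    echo "ok       $mode $f" >&2
    return 1
}

# Checks bin/oracle and bin/oracleO under the given home (default:
# $ORACLE_HOME) and echoes how many of them are exposed.
audit_oracle_home() {
    home=${1:-$ORACLE_HOME}
    count=0
    for b in oracle oracleO; do
        if oracle_binary_exposed "$home/bin/$b"; then
            count=$((count + 1))
        fi
    done
    echo "$count"
}

# Usage: sh audit_oracle_setuid.sh /path/to/oracle_home
# Exits non-zero when anything is exposed, so it can run from cron.
if [ -n "${1:-}" ]; then
    [ "$(audit_oracle_home "$1")" -eq 0 ] || exit 1
fi
```

Removing the setuid bit (Ian's workaround) or removing group/other execute permission both make the check report "ok"; which one is acceptable depends on whether local users still need to run the binary.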

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On 
> Behalf Of DENNIS WILLIAMS
> Sent: Thursday, October 23, 2003 12:20 PM
> To: Multiple recipients of list ORACLE-L
> Subject: RE: Do not connect Oracle DB to the Internet. Oracle 
> Alert #59
> 
> 
> Ian - I haven't been able to locate this on Metalink, but can 
> you give a quick idea about how I can ensure I don't have a 
> vulnerability here? Our databases are behind firewalls and 
> all access is through app servers. Thanks.
> 
> 
> 
> Dennis Williams
> DBA
> Lifetouch, Inc.
> [EMAIL PROTECTED] 
> 
> -----Original Message-----
> Sent: Thursday, October 23, 2003 9:25 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> The exploit involves passing a large argv[1] argument to the oracle or
> oracle0 binary.  Credit for discovering the vulnerability goes to
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>.  The error
> was first discovered on a LINUX box but I have seen notes
> that AIX is vulnerable as well.  What is not published in
> North America yet is the Oracle alert you mention.  The
> first security note I saw on this was published on 19
> October.  Yes, there are people who know how to exploit the
> vulnerability.
> The vulnerability was shown to Oracle over a month ago,
> according to the comments in a proof of concept exploit.
>  
> One workaround is to take off the setuid bit from the Oracle
> binary.  Is it really necessary to set this?  How many places
> still have users log into the database server?  Oracle has
> recommended putting its databases behind firewalls for some time.
>  
> Ian MacGregor
> Stanford Linear Accelerator Center
> [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]> 
> 
> -----Original Message-----
> Sent: Thursday, October 23, 2003 6:25 AM
> To: Multiple recipients of list ORACLE-L
> 
> 
> Important:  Please read the following Oracle Alert.
> 
> We strongly recommend that you do not connect the Oracle 
> Database directly to the Internet.
> 
> Got your attention?  That is what is in the Alert.  These 
> alerts are beginning 
> to come all too often.  Sounds just like Microsoft's software, yeah?
> 
> Buffer Overflow in Oracle Database Server Binaries
> This is with the Oracle kernel/binary itself, i.e. the 'oracle' or
> 'oracleO' file in $ORACLE_HOME/bin.
> 
> 
> Description
> A potential buffer overflow has been discovered in the
> "oracle" and "oracleO" (the letter O) binaries of the Oracle
> Database. A knowledgeable and malicious local user can
> exploit this buffer overflow to execute code on the operating
> system hosting the Oracle Database server.
> 
> Products Affected
> * Oracle 9i Database Release 2, Version 9.2.x
> * Oracle 9i Database Release 1, Version 9.0.x
> 
> Platforms Affected
> All supported UNIX and Linux operating system variants.
> 
> 
> Patch only available for Linux right now.  
> 
> So who found out this vulnerability? David Litchfield? Aaron
> Newman? I know it is a bit silly to ask but does anyone know how
> to exploit this vulnerability?  Send it to me directly if you
> don't want to reply publicly.
> 
> ta
> tony
> 
> 
> -- 
> Please see the official ORACLE-L FAQ: http://www.orafaq.net
> -- 
> Author: DENNIS WILLIAMS
>   INET: [EMAIL PROTECTED]
> 
> Fat City Network Services    -- 858-538-5051 http://www.fatcity.com
> San Diego, California        -- Mailing list and web hosting services
> ---------------------------------------------------------------------
> To REMOVE yourself from this mailing list, send an E-Mail message
> to: [EMAIL PROTECTED] (note EXACT spelling of 'ListGuru') 
> and in the message BODY, include a line containing: UNSUB 
> ORACLE-L (or the name of mailing list you want to be removed 
> from).  You may also send the HELP command for other 
> information (like subscribing).
> 

Author: Matthew Zito
  INET: [EMAIL PROTECTED]
