-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Denial of Service in Oracle interMedia
AppSecInc Team SHATTER Security Advisory http://www.appsecinc.com/resources/alerts/oracle/2005-01.html April 18, 2005 Affected versions: Oracle Database Server versions 9i and 10g Risk level: Medium Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Argeniss for Application Security Inc. Details: Within the Oracle interMedia system, two types (ORDImage and ORDDoc) have a vulnerability that can cause a Denial of Service condition. When trying to load a specially constructed file, or when setting specially constructed data to object's property, a Denial of service can be triggered making Oracle server process consume 100% CPU usage. The service needs to be restarted to resume normal operation. This vulnerability can be exploited remotely by supplying a specially constructed file to an application that uses the vulnerable objects to process the file in the database server. Impact: By default PUBLIC has execute permission on these objects so any Oracle database user can exploit this vulnerability. Exploitation of this vulnerability will allow an attacker to cause a DOS (Denial of service). Vendor Status: Vendor was contacted and a patch was released. Fix: Apply Oracle Critical Patch Update April 2005 available at http://metalink.oracle.com Links: Application Security, Inc advisory: http://www.appsecinc.com/resources/alerts/oracle/2005-01.html Oracle security alert: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf - -- _____________________________________________ Application Security, Inc. www.appsecinc.com AppSecInc is the leading provider of database security solutions for the enterprise. AppSecInc products proactively secure enterprise applications at more than 300 organizations around the world by discovering, assessing, and protecting the database against rapidly changing security threats. By securing data at its source, we enable organizations to more confidently extend their business with customers, partners and suppliers. Our security experts, combined with our strong support team, deliver up-to-date application safeguards that minimize risk and eliminate its impact on business. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.0 (MingW32) iD8DBQFCZAQW/0w1dSVRt4URAmo6AJ9yKUAN3zd5bqhPwUmlLqljTPxrFgCgpleQ QUm/LCcdiyGz+VgCs+dqJfY= =ao/r -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/