- Oracle9i Release 2, Version 9.2.x.
- Oracle9i Release 1, Version 9.0.x.
Both are affected when hosted on any supported variant of Unix/Linux.
A malicious user can trigger a buffer overflow by executing the 'Oracle' and 'OracleO' binaries with a very long command-line parameter. The overflow lets the user run exploit code, resulting in compromise of the database server and of the operating system hosting it.
This buffer overflow allows a malicious user who runs the program to obtain the privileges of the 'Oracle' account that owns the binaries, execute arbitrary code with those privileges and compromise the database server. The underlying operating system may also be compromised by the same user through this overflow.
The operating system's 'other' permission class (users outside the owning group) should be denied execute permission on these binaries. It should also be ensured that the group owning the Oracle and OracleO binaries contains only authenticated users.
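The two mitigations above, as an added example script that is not part of the advisory: it assumes the binaries live at $ORACLE_HOME/bin/oracle and $ORACLE_HOME/bin/oracleO (the function names `other_exec_state`, `harden_binary`, `owning_group_members` and `audit_oracle_binaries` are this example's own) and parses `ls -ld` rather than `stat` so it runs on any Unix variant.

```shell
#!/bin/sh
# Added example (not from the advisory): audit and apply the permission
# mitigations for the Oracle executables. Assumed layout: $ORACLE_HOME/bin/oracle
# and $ORACLE_HOME/bin/oracleO.

# Print the state of the "other" (world) execute bit on a file: "clear",
# "set" or "missing". Character 10 of the ls -l mode string is that bit
# ('x', or 't'/'T' when the sticky bit is also set).
other_exec_state() {
    [ -e "$1" ] || { echo missing; return 0; }
    case "$(ls -ld "$1" | cut -c10)" in
        x|t|T) echo set ;;
        *)     echo clear ;;
    esac
}

# First mitigation: remove execute for "other" and confirm it is gone. Owner
# and group bits, including any setuid/setgid bits, are left untouched.
harden_binary() {
    chmod o-x "$1" && [ "$(other_exec_state "$1")" = clear ]
}

# Second mitigation: list who is in the group owning the binary, so the
# administrator can verify it holds only authenticated users. Assumes getent.
owning_group_members() {
    g=$(ls -ld "$1" | awk '{print $4}')
    getent group "$g" | cut -d: -f4
}

# Audit both binaries under the given ORACLE_HOME without changing anything.
# Return value is the number of binaries that still grant execute to "other".
audit_oracle_binaries() {
    home=$1
    bad=0
    for name in oracle oracleO; do
        f="$home/bin/$name"
        case "$(other_exec_state "$f")" in
            set)     echo "EXPOSED $f (other has execute)"; bad=$((bad + 1)) ;;
            clear)   echo "ok      $f" ;;
            missing) echo "missing $f" ;;
        esac
    done
    return "$bad"
}

# Usage on a real host: audit_oracle_binaries "$ORACLE_HOME", then run
# harden_binary on each binary reported as EXPOSED and review
# owning_group_members "$ORACLE_HOME/bin/oracle".
```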
Reference: Oracle Security Alert 59, dated October 22, 2003.
The information provided herein is on "as is" basis, without warranty of any kind.