Info |
Last Modified: 9 months ago
|
|
Keywords |
Oracle Security Alert #40
|
|
Description |
(Description Provided by CVE) : Format string vulnerabilities in Oracle Listener Control utility (lsnrctl) for Oracle 9.2 and 9.0, 8.1, and 7.3.4, allow remote attackers to execute arbitrary code on the Oracle DBA system by placing format strings into certain entries in the listener.ora configuration file.
|
|
Classification |
Location:
Local Access Required
Disclosure:
Vendor Verified
|
|
Solution |
Workaround:
In addition to available patches, Oracle strongly urges customers to take the following steps to address the vulnerabilities identified above.
1. Configure listener password to prevent unauthorized users from administering the listener.
Alternatively, set ADMIN_RESTRICTIONS_listener_name=ON in listener.ora to completely disable the runtime modification of listener’s configuration parameters.
2. Set appropriate Operating System directory and file permissions on the Listener configuration file, listener.ora.
For example:
Unix: $ chmod 600 $ORACLE_HOME/network/admin/listener.ora
Windows: File properties > Security > Permissions …
3. Do not attempt to start an Oracle Net Listener with an invalid name.
Patch Information
Oracle has fixed the potential vulnerabilities identified above under the base bug number 2395416. Download currently available patches from Oracle Worldwide Support Services web site, Metalink (http://metalink.oracle.com). Activate the ‘Patches’ button to get to the patches Web page. Enter bug Number 2395416 as indicated above and activate the ‘Submit’ button.
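A way to check workaround steps 1 and 2 on a Unix host, as an added example that is not Oracle's or this entry's own code. It assumes the default listener name LISTENER when none is given, that a configured listener password shows up in listener.ora as a PASSWORDS_<listener_name> entry, and that listener names are plain identifiers; the sample file it falls back to is constructed.

```shell
#!/bin/sh
# Added example: checks a listener.ora against workaround steps 1 and 2.
# Assumes listener names are plain identifiers (no regex metacharacters).

# Step 2: succeed only if group and other have no access (e.g. mode 600).
perms_ok() {
    # ls rather than stat(1), whose options vary; -L checks a symlink's target.
    mode=$(ls -ldL -- "$1" | cut -c1-10)
    case "$mode" in
        -???------) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1 (alternative): ADMIN_RESTRICTIONS_<name>=ON on an uncommented line.
admin_restricted() {
    grep -Eiq "^[[:space:]]*ADMIN_RESTRICTIONS_$2[[:space:]]*=[[:space:]]*ON[[:space:]]*\$" "$1"
}

# Step 1: a listener password is recorded as PASSWORDS_<name> (assumption).
password_set() {
    grep -Eiq "^[[:space:]]*PASSWORDS_$2[[:space:]]*=" "$1"
}

# Prints one line per finding; returns 0 when clean, 1 on findings, 2 on error.
audit_listener() {
    file=$1 name=${2:-LISTENER} findings=0
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    if ! perms_ok "$file"; then
        echo "FINDING: $file is accessible to group/other (want chmod 600)"
        findings=$((findings + 1))
    fi
    if ! admin_restricted "$file" "$name" && ! password_set "$file" "$name"; then
        echo "FINDING: $name has neither a password nor ADMIN_RESTRICTIONS_$name=ON"
        findings=$((findings + 1))
    fi
    [ "$findings" -eq 0 ]
}

# Audit the file named on the command line, else a constructed sample.
if [ -f "${1:-}" ]; then
    audit_listener "$1" "${2:-}" || exit $?
else
    sample=$(mktemp)
    printf '%s\n' '# constructed sample' 'ADMIN_RESTRICTIONS_LISTENER = ON' > "$sample"
    chmod 644 "$sample"
    audit_listener "$sample" LISTENER || echo "sample: findings reported"
    rm -f "$sample"
fi
```

Run it as the Oracle software owner with the path to listener.ora and, optionally, the listener name; a non-zero exit status means at least one step is not in place.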
|
|
Products |
8.1.7
|
Credit |
Unknown or Incomplete
|
|