Subject: Open source looks pretty good to me
Author: Mike Harbison
(1) HIGH: Oracle Products Multiple Vulnerabilities
Affected:
Oracle9i Database Server Release 1, versions 9.0.1.4, 9.0.1.5 and 9.0.4
Oracle9i Database Server Release 2, versions 9.2.0.4 and 9.2.0.5
Oracle8i Database Server Release 3, version 8.1.7.4
Oracle Database 10g Release 1, version 10.1.0.2
Oracle Enterprise Manager Grid Control 10g, version 10.1.0.2
Oracle Enterprise Manager Database Control 10g, version 10.1.0.2
Oracle Application Server 10g (9.0.4), versions 9.0.4.0 and 9.0.4.1
Oracle9i Application Server Release 2, versions 9.0.2.3 and 9.0.3.1
Oracle9i Application Server Release 1, version 1.0.2.2
Oracle Collaboration Suite
Oracle E-Business Suite 11i

Description: The Oracle Database server, the Oracle Application server,
Oracle Enterprise Manager, and the Oracle E-Business and Collaboration
suites contain multiple buffer overflows (more than 40) and SQL injection
vulnerabilities, which may be exploited to execute arbitrary code on the
affected server(s). Some of the flaws in the Database and Application
servers can be exploited by a remote unauthenticated attacker, whereas the
flaws in Enterprise Manager can be exploited only with valid user
credentials. Collaboration Suite and E-Business Suite customers have been
advised to apply the appropriate Database and Application server patches;
hence, the flaws in these applications could also be exploited by remote
unauthenticated attackers. In configurations using Oracle as a back-end
database, the flaws may be leveraged via SQL injection vulnerabilities in
the front-end web scripts. Default accounts provide another avenue for
exploitation. Technical details regarding many of the buffer overflows
have been publicly posted, and further details are expected to be released
in the coming months.
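The description names SQL injection in front-end web scripts as a way the back-end database flaws can be reached. The following added example (not from the advisory or from Oracle) shows the defect in the front-end script itself and its fix: a lookup that builds the SQL string from user input beside the same lookup using a bind variable. It uses Python's built-in sqlite3 as a stand-in for the Oracle back end so that it runs offline; the table, rows and the hostile input string are constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for the back-end database. The advisory
# concerns Oracle; sqlite3 is used here only so the example runs offline.
ROWS = [("alice", "alice@example.invalid"), ("bob", "bob@example.invalid")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def lookup_vulnerable(conn, name):
    # String concatenation: the caller's input becomes part of the SQL text,
    # so a quote character in it changes the structure of the statement.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    # Bind variable: the driver passes the value separately from the statement
    # text, so the input is compared as data whatever characters it contains.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a benign and a constructed hostile input."""
    conn = make_db()
    benign = "alice"
    hostile = "x' OR '1'='1"  # constructed: the quote closes the literal early
    return {
        "vuln_benign": lookup_vulnerable(conn, benign),
        "vuln_hostile": lookup_vulnerable(conn, hostile),
        "param_benign": lookup_parameterized(conn, benign),
        "param_hostile": lookup_parameterized(conn, hostile),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

With the concatenated query the hostile input returns every row, because the WHERE clause has become `name = 'x' OR '1'='1'`; with the bind variable the same input matches nothing, since no user is literally named `x' OR '1'='1`. Oracle's own drivers expose the same bind-variable mechanism (`:name` placeholders), and the patches in the advisory do not remove the need for it in application code.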

Status: Oracle has released patches listed in the Oracle Security Alert
#68. Given the fact that relevant technical information regarding some
of the overflows has been posted, and that some of the flaws may be
exploited by remote unauthenticated attackers, the patches should be
applied on a priority basis. The Center for Internet Security (CIS) has
released security benchmarking tools for Oracle, which may help in
hardening the database security.

Council Site Actions: A majority of the reporting council sites have
Oracle implementations and are responding to this vulnerability.
Most of these sites are currently evaluating and testing the patches.
Some sites plan to patch the systems as soon as possible, while other
sites will patch during their next regularly scheduled system update
process. Several sites commented that their Oracle database servers are
isolated from external networks and thus the threat is greatly reduced.
One site is monitoring for any unusual network connections to systems
that are running Oracle products.
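One council site reports monitoring for unusual network connections to its Oracle systems. The following added example (not the site's tooling and not part of the newsletter) shows one simple form such monitoring can take: it parses constructed connection records of the kind a firewall or flow exporter produces and flags connections that reach an Oracle listener from outside the tier that is allowed to talk to it. The Oracle host address, the listener port (1521 is the default, but a deployment may use another) and the allowed client network are assumptions for the example.

```python
import ipaddress
from collections import Counter

# Constructed sample records: timestamp, source, destination, destination port.
# Addresses are from documentation ranges and do not refer to real hosts.
SAMPLE_FLOWS = """
2004-09-01T10:00:01 192.0.2.10 203.0.113.5 1521
2004-09-01T10:00:02 192.0.2.11 203.0.113.5 1521
2004-09-01T10:00:03 198.51.100.7 203.0.113.5 1521
2004-09-01T10:00:04 192.0.2.10 203.0.113.5 443
2004-09-01T10:00:05 198.51.100.8 203.0.113.5 1521
"""

ORACLE_HOSTS = {"203.0.113.5"}                    # assumption: servers running Oracle
ORACLE_PORTS = {1521}                             # assumption: default listener port
APP_TIER = ipaddress.ip_network("192.0.2.0/24")   # assumption: the only allowed clients


def parse_flows(text):
    """Turn whitespace-separated flow lines into (ts, src, dst, port) tuples."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split()
        records.append((ts, src, dst, int(port)))
    return records


def unexpected_oracle_connections(records):
    """Return connections to an Oracle listener whose source is outside the app tier."""
    hits = []
    for ts, src, dst, port in records:
        if dst in ORACLE_HOSTS and port in ORACLE_PORTS:
            if ipaddress.ip_address(src) not in APP_TIER:
                hits.append((ts, src, dst, port))
    return hits


def summarize(hits):
    """Count flagged connections per source address for a short report."""
    return Counter(src for _, src, _, _ in hits)


if __name__ == "__main__":
    flagged = unexpected_oracle_connections(parse_flows(SAMPLE_FLOWS))
    for ts, src, dst, port in flagged:
        print(f"{ts} unexpected connection {src} -> {dst}:{port}")
    print(summarize(flagged))
```

The check is deliberately an allowlist rather than a signature: since the advisory says some flaws are reachable by unauthenticated remote clients, any listener connection from a host that has no business reaching the database is worth a look, whatever traffic it carries.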

References:
Oracle Advisory
http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
CERT Advisories
http://www.us-cert.gov/cas/techalerts/TA04-245A.html
http://www.kb.cert.org/vuls/id/170830
http://www.kb.cert.org/vuls/id/435974
http://www.kb.cert.org/vuls/id/316206
Application Security Advisory
http://www.appsecinc.com/resources/alerts/oracle/2004-0001/
Integrigy Advisory
http://www.integrigy.com/alerts/OraAlert68OraAppsImpact.htm
NGS Advisory
http://www.nextgenss.com/advisories/oracle-01.txt
PeteFinnigan Advisory
http://www.petefinnigan.com/alerts.htm
iDefense Advisories
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0064.html
http://archives.neohapsis.com/archives/fulldisclosure/2004-09/0075.html
Oracle Security Hardening Tools
http://www.cisecurity.org/bench_oracle.html
SecurityFocus BID
http://www.securityfocus.com/bid/10871


****************************************************************

(3) MODERATE: IBM DB2 Buffer Overflow Vulnerabilities
Affected:
IBM DB2 version 8.1 Fixpak 6 and prior
IBM DB2 version 7.x Fixpak 11 and prior

Description: IBM DB2 contains two buffer overflow vulnerabilities, which
could potentially be exploited to execute arbitrary code on the database
server. The discoverers have not released any technical details regarding
these flaws, which they have rated as "High". Other advisories with a
similar rating from the same discoverers have included overflows that
require minimal user privileges or flaws that can be exploited by remote
unauthenticated attackers. Hence, although the @RISK rating for this item
is currently "MODERATE" for lack of further information, DB2
administrators should apply the patches on a priority basis. The technical
details are scheduled to be released on December 1, 2004. It may also be
possible to "binary diff" the patches to obtain more information about the
flaws.

Status: IBM has released the patches. Upgrade DB2 version 8.1 to Fixpak
7, and DB2 version 7.x installations to Fixpak 12.

Council Site Actions: Three council sites are running the affected
software. One site is reviewing the potential impact and will likely
patch their systems on an accelerated schedule. The other two sites have
notified their support staff, but no other action has been taken at this
time.

References:
NGS Advisory
http://www.nextgenss.com/advisories/db2-01.txt
IBM Patch Download
http://www-306.ibm.com/software/data/db2/udb/support/downloadv8.html
http://www-306.ibm.com/software/data/db2/udb/support/downloadv7.html
IBM DB2 Product Page
http://www-3.ibm.com/software/data/db2/
SecurityFocus BID
http://www.securityfocus.com/bid/11089