__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Buffer Overflows in EXTPROC of Oracle Database Server
[Oracle Security Alert 57]
July 25, 2003 19:00 GMT Number N-127
[Revised 07 August 2003]
______________________________________________________________________________
PROBLEM:       EXTPROC is vulnerable to a stack-based buffer overflow.

SOFTWARE:      Oracle8i (8.1.x - all releases)
               Oracle9i Releases 1 and 2

DAMAGE:        A knowledgeable and malicious user can potentially execute
               arbitrary code against the Oracle database.

SOLUTION:      Apply the patch as stated in Oracle's security alert.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An attacker must be an authenticated user
ASSESSMENT:    of the database with the CREATE LIBRARY or the CREATE ANY
               LIBRARY privilege.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/n-127.shtml
ORIGINAL BULLETIN: http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
______________________________________________________________________________
Revision History: 8/7/2003 - Oracle removed unclear references to Alert 29
                  (Version 2 of the Oracle alert).
[***** Start Oracle Security Alert 57 *****]
Oracle Security Alert 57
Dated: 23 July 2003
Updated: 07 Aug 2003
Severity: 3
Buffer Overflows in EXTPROC of Oracle Database Server
Description
Potential security vulnerabilities have been discovered in the EXTPROC
executable of the Oracle Database. A knowledgeable and malicious user can
potentially execute arbitrary code against the Oracle database by exploiting
buffer overflows in this executable.
Products Affected
·Oracle9i Release 2
·Oracle9i Release 1
·Oracle8i (8.1.x – all releases)
Platforms Affected
See Patch Availability Matrix.
Required conditions for exploit
Database authenticated user (i.e., valid login required) with the CREATE
LIBRARY or the CREATE ANY LIBRARY privilege.
Risk to exposure
Risk to exposure is low, as the CREATE LIBRARY or the CREATE ANY
LIBRARY privilege is needed to exploit these vulnerabilities. Unless
you connect to the database directly from the Internet (e.g., no
intervening application server or firewall), a remote buffer
overflow attack via the Internet is, in Oracle’s opinion, unlikely.
These vulnerabilities are susceptible to an insider attack originated
on the corporate Intranet, but Oracle believes that the likelihood of
exploit is minimal if best practices for database are followed. Note
that Oracle strongly recommends that you do not connect your database
directly to the Internet.
How to minimize risk
There are no workarounds that can directly address these potential
security vulnerabilities, but a patch is available (see below).
However, to mitigate the risk of exposure, Oracle strongly recommends
that you grant the CREATE LIBRARY and/or CREATE ANY LIBRARY privilege
only to those users who require it, or, if you are not using either
privilege at all, revoke them from all users.
To check whether you have the CREATE LIBRARY and/or the CREATE ANY
LIBRARY privilege, run the following statement (requires DBA privilege):
select grantee, privilege from dba_sys_privs where
privilege like 'CREATE%LIBRARY';
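The statement above lists only direct grants. A user who receives CREATE LIBRARY
through a role does not appear in it, and it says nothing about whether anyone
actually depends on EXTPROC today. The following SQL is an added example for this
bulletin, not part of Oracle's alert: it walks the role hierarchy to find every
holder of either privilege, lists the external-procedure libraries already
defined, and generates the REVOKE statements. It assumes DBA privilege and the
standard data dictionary views (DBA_SYS_PRIVS, DBA_ROLE_PRIVS, DBA_LIBRARIES)
present in Oracle8i and Oracle9i; the old-style join syntax is used so it also
runs on 8i, which predates ANSI joins.

```sql
-- Added example (not Oracle's code): audit and revoke CREATE LIBRARY /
-- CREATE ANY LIBRARY exposure. Requires DBA privilege.

-- 1. Direct grants. GRANTEE may be a user or a role; ADMIN_OPTION = 'YES'
--    means that grantee can pass the privilege on to others.
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
 ORDER BY grantee, privilege;

-- 2. Indirect holders: every user or role that receives one of the roles
--    found in query 1, following nested role grants (role granted to role
--    granted to user). LEVEL 1 is a direct role grant, 2 is one hop further.
SELECT DISTINCT grantee AS holder, granted_role AS via_role, LEVEL AS depth
  FROM dba_role_privs
 START WITH granted_role IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege IN ('CREATE LIBRARY',
                                                  'CREATE ANY LIBRARY'))
CONNECT BY PRIOR grantee = granted_role
 ORDER BY depth, holder;

-- 3. Libraries that already exist. If nothing outside SYS/SYSTEM shows up,
--    no application is using EXTPROC and the privileges can be revoked
--    from everyone without breaking anything.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 WHERE owner NOT IN ('SYS', 'SYSTEM')
 ORDER BY owner, library_name;

-- 4. Generate the REVOKE statements for the direct grants. SYS and the DBA
--    role are excluded here and left for manual review; spool the output,
--    read it, then run it.
SELECT 'REVOKE ' || privilege || ' FROM ' || grantee || ';' AS revoke_stmt
  FROM dba_sys_privs
 WHERE privilege IN ('CREATE LIBRARY', 'CREATE ANY LIBRARY')
   AND grantee NOT IN ('SYS', 'DBA')
 ORDER BY grantee, privilege;
```

Run queries 1 to 3 first and reconcile the results against the libraries in
query 3 before executing anything produced by query 4: revoking from a role
removes the privilege from every user of that role, so a single REVOKE can
affect more accounts than the direct-grant listing suggests.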
Follow Oracle’s best practices for database,
http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf &
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf, and
for IT deployments of firewalls, etc.
Ramification for customer
Oracle strongly recommends that customers review their database
implementations and the severity rating for this Alert and patch
accordingly. See
http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf
for a definition of severity ratings.
Patch Information
The patches listed in the Patch Availability Matrix fix the potential security
vulnerabilities identified above and enhance the robustness of EXTPROC. The fix is
also included in the Oracle9i Database Release 2, Version 9.2.0.4 patchset.
The patch READMEs contain the patch application instructions/configuration guide.
Fixed by
An interim (one-off) patch for these issues is available for these affected
database versions:
·Oracle 9i Release 2, version 9.2.0.3
·Oracle 9i Release 2, version 9.2.0.2
Currently, due to architectural constraints, there are no plans to
release a patch for versions 9.0.1.4, 8.1.7.4, 8.1.6.x, 8.1.5.x, 8.0.6.3,
8.0.5.x, 7.3.x, or other patchsets of the supported releases.
Download this one-off patch from the Oracle Support Services web site,
Metalink (http://metalink.oracle.com).
·Click on the Patches button.
·Click on "New Metalink Patch Search".
If you are not on the "Simple Search" screen, click on the
"Simple" button to get to the "Simple Search" screen.
·Refer to the Patch Availability Matrix below to determine the patch
number required.
·In the "Search By" option select “Patch Numbers” from the drop-down
menu, and enter the required patch number in the box.
·Click on the “Go” button.
·Select the required platform and language.
·Click on the “Download” button.
·Recommended: you should also click on the “View
README” button for additional information and
instructions.
Please review Metalink, or check with Oracle Support Services periodically
for patch availability if the patch for your platform is unavailable.
Oracle strongly recommends that you backup and comprehensively test the
stability of your system upon application of any patch prior to deleting any
of the original file(s) that are replaced by the patch.
Patch Availability Matrix
Special Notes
·Customers running supported database releases up to and including
Oracle9i Release 9.0.1.4 must continue to use the workaround identified
in Alert 29,
http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf.
Customers running Oracle9i Release 2 (9.2.0.2 and above) can apply
the patch identified in the matrix below.
·For this Alert, customers running supported database releases up to
and including Oracle9i Release 9.0.1.4 must migrate to the releases
identified in the matrix below to obtain patches.
·Oracle recommends that E-Business Suite 11i customers apply the
patches listed below.
Platforms                          9.2.0.3    9.2.0.2
---------------------------------  ---------  ---------
Sun Solaris (32-bit)               2988114    2988086
Sun Solaris (64-bit)               2988114    2988086
IBM AIX 4.3.3 and 5L (32-bit)      ---        ---
IBM AIX 4.3.3 (64-bit)             2988114    2988086
IBM AIX Based 5L (64-bit)          2988114    2988086
MS Windows NT/2000/XP              2973634    3056404
HP-UX 11.0 (32-bit)                ---        ---
HP-UX (64-bit)                     2988114    2988086
HP Tru64                           2988114    2988086
LINUX                              2988114    2988086
LINUX 390                          2988114    2988086
LINUX IA64                         ---        2988086
INTEL SOLARIS                      ---        ---
DATA GENERAL                       ---        ---
UNIXWARE                           ---        ---
IBM NUMA-Q                         ---        ---
SGI-IRIX-64                        ---        ---
Siemens-64                         ---        ---
Novell                             ---        ---
Alpha OpenVMS                      2988114    2988086
IBM OS/390 (MVS)                   2990322    2990370
NEC                                ---        ---
HP IA64                            2988114    2988086
---: The patch for the Oracle Database Release/Version is not
available for this platform.
ECD: Expected Completion Date.
Credits
Oracle Corporation thanks Chris Anley, of Next Generation Security Software
Ltd., for discovering and promptly bringing these potential security
vulnerabilities to Oracle’s attention. The Next Generation Security Software
Advisory is available at http://www.nextgenss.com/research/advisories.html.
Modification History
23-JUL-03: Initial release, Version 1
07-AUG-03: Removed unclear references to Alert 29, Version 2
[***** End Oracle Security Alert 57 *****]
_______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Oracle Corporation and Next
Generation Security Software Limited (NGSSoftware) for the information
contained in this bulletin.
_______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193 (7x24)
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@ciac.org
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
Anonymous FTP: ftp.ciac.org
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet
N-119: Microsoft Internet Security and Acceleration (ISA) Server Error Pages Could Allow Cross-Site Scripting Attack
N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System Compromise
N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability
N-122: Red Hat Updated 2.4 Kernel Fixes Vulnerabilities
N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as Clear Text
N-125: Cumulative Patch for Microsoft SQL Server
N-126: Microsoft Unchecked Buffer in DirectX Could Enable System Compromise