__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                      INFORMATION BULLETIN

         Oracle9i Database Buffer Overflow Vulnerabilities
          [VU# 819126, VU#240174, VU#846582, VU#399806]

March 8, 2004 19:00 GMT                                          Number O-093
______________________________________________________________________________
PROBLEM:       Oracle9i Database contains vulnerabilities in the following
               areas:
               (1) TIME_ZONE session parameter - This session parameter
                   specifies the local time zone displacement for the
                   current SQL session.
               (2) NUMTOYMINTERVAL() function - This function is responsible
                   for handling date conversions.
               (3) NUMTODSINTERVAL() function - This function is responsible
                   for handling date/time conversions.
               (4) FROM_TZ() function - This function is responsible for
                   handling time stamp conversions.

SOFTWARE:      Oracle 9i Database

DAMAGE:        Execution of arbitrary code or access to data with the
               privileges of the vulnerable process may occur if the
               vulnerabilities are exploited. Note that Oracle typically
               runs as System on Windows and as the Oracle user on UNIX.
               By supplying a very long character string to the vulnerable
               functions noted above, an unauthorized user could overwrite
               a return address on the stack, resulting in the ability to
               execute arbitrary code or access data with the privileges
               of the vulnerable process.

SOLUTION:      Upgrade to Oracle 9i Database Release 2, version 9.2.0.3.
______________________________________________________________________________
VULNERABILITY  The risk is MEDIUM. An unauthorized user may execute arbitrary
ASSESSMENT:    code or access data.
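As an added, defender-side illustration that is not part of the CIAC bulletin or the US-CERT notes: the Python below, written for this page, decides from a version banner whether an instance predates the 9.2.0.3 fix named under SOLUTION, and flags SQL text that hands an unusually long string literal to the three functions or the TIME_ZONE session parameter listed under PROBLEM. The 64-character threshold, the banner string and the sample statements are assumptions constructed for the example.

```python
import re

# Functions and session parameter named in the bulletin (VU#819126, VU#240174,
# VU#846582, VU#399806).  The fixed release is 9.2.0.3 per the SOLUTION entry.
VULN_FUNCS = ("NUMTOYMINTERVAL", "NUMTODSINTERVAL", "FROM_TZ")
FIXED_VERSION = (9, 2, 0, 3)
# Assumed threshold: legitimate interval-unit and time-zone literals such as
# 'YEAR' or '-08:00' are far shorter than this.
MAX_LITERAL_LEN = 64

_VERSION_RE = re.compile(r"\d+(?:\.\d+){2,}")
_LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")


def parse_version(banner):
    """Extract the dotted release number from a V$VERSION-style banner."""
    m = _VERSION_RE.search(banner)
    if m is None:
        raise ValueError("no release number in banner: %r" % banner)
    return tuple(int(part) for part in m.group(0).split("."))


def needs_patch(banner):
    """True when the banner's release sorts before the fixed release 9.2.0.3."""
    return parse_version(banner) < FIXED_VERSION


def suspicious_calls(sql):
    """Return (name, literal_length) for each overlong string literal handed to
    one of the vulnerable functions or to the TIME_ZONE session parameter."""
    findings = []
    for name in VULN_FUNCS:
        # Simple argument capture: stops at the first ')', so nested calls
        # inside the argument list are not fully covered.
        for call in re.finditer(r"\b%s\s*\(([^)]*)\)" % name, sql, re.IGNORECASE):
            for lit in _LITERAL_RE.findall(call.group(1)):
                if len(lit) > MAX_LITERAL_LEN:
                    findings.append((name, len(lit)))
    for m in re.finditer(r"\bTIME_ZONE\s*=\s*'((?:[^']|'')*)'", sql, re.IGNORECASE):
        if len(m.group(1)) > MAX_LITERAL_LEN:
            findings.append(("TIME_ZONE", len(m.group(1))))
    return findings


if __name__ == "__main__":
    # Constructed samples, not captured from a real server.
    banner = "Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production"
    print("needs patch:", needs_patch(banner))
    print(suspicious_calls("ALTER SESSION SET TIME_ZONE = '%s'" % ("A" * 300)))
```

Run it over audit-trail or listener-log SQL text; anything it flags on an unpatched instance is worth a closer look, and a clean result on a version that needs_patch still reports as vulnerable is not a substitute for the upgrade.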
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-093.shtml
 ORIGINAL BULLETIN:  US-CERT Vulnerability Note VU#819126
                     http://www.kb.cert.org/vuls/id/819126
                     US-CERT Vulnerability Note VU#240174
                     http://www.kb.cert.org/vuls/id/240174
                     US-CERT Vulnerability Note VU#846582
                     http://www.kb.cert.org/vuls/id/846582
                     US-CERT Vulnerability Note VU#399806
                     http://www.kb.cert.org/vuls/id/399806
 ADDITIONAL LINK:    Oracle Metalink (account required)
                     http://metalink.oracle.com
______________________________________________________________________________

[***** Start VU# 819126 *****]

Vulnerability Note VU#819126

Oracle9i Database contains buffer overflow in NUMTOYMINTERVAL() function

Overview

   Oracle9i Database contains a buffer overflow in the NUMTOYMINTERVAL()
   function which could allow anyone who can query the server to execute
   arbitrary code or access data with the privileges of the vulnerable
   process.

I. Description

   A buffer overflow exists in the NUMTOYMINTERVAL() function. This function
   is responsible for handling date conversions. By supplying an overly long
   character string to the function, an attacker could overwrite a return
   address on the stack, resulting in the ability to execute arbitrary code
   or access data with the privileges of the vulnerable process. Oracle
   typically runs as SYSTEM on Windows and as the ORACLE user on UNIX.

II. Impact

   Exploitation may result in the ability to execute arbitrary code or
   access data with the privileges of the vulnerable process.

III. Solution

   Apply Patch

   According to NGSSoftware, this problem is fixed in Oracle 9i Database
   Release 2, version 9.2.0.3.
   For further information regarding Oracle security patches, please visit
   the Oracle Metalink site:

   http://metalink.oracle.com (login required)

Systems Affected

   Vendor               Status       Date Updated
   Oracle Corporation   Vulnerable   26-Feb-2004

References

   http://www.nextgenss.com/advisories/ora_numtoyminterval.txt
   http://www.secunia.com/advisories/10805/
   http://metalink.oracle.com

Credit

   This vulnerability was reported by NGSSoftware.

   This document was written by Damon Morda.

Other Information

   Date Public:           02/06/2004
   Date First Published:  02/27/2004 10:16:41 AM
   Date Last Updated:     02/27/2004
   CERT Advisory:
   CVE Name:
   Metric:                13.47
   Document Revision:     14

   If you have feedback, comments, or additional information about this
   vulnerability, please send us email.

[***** End VU# 819126 *****]

[***** Start VU#240174 *****]

Vulnerability Note VU#240174

Oracle9i Database contains buffer overflow in TIME_ZONE session parameter

Overview

   Oracle9i Database contains a buffer overflow in the TIME_ZONE session
   parameter which could allow anyone who can query the server to execute
   arbitrary code or access data with the privileges of the vulnerable
   process.

I. Description

   The TIME_ZONE parameter is a session parameter that specifies the local
   time zone displacement for the current SQL session. A buffer overflow
   exists in the TIME_ZONE parameter. By supplying an overly long character
   string to the parameter, an attacker could overwrite a return address on
   the stack, resulting in the ability to execute arbitrary code or access
   data with the privileges of the vulnerable process. Oracle typically runs
   as SYSTEM on Windows and as the ORACLE user on UNIX.

II. Impact

   Exploitation may result in the ability to execute arbitrary code or
   access data with the privileges of the vulnerable process.

III. Solution

   Apply Patch

   According to NGSSoftware, this problem is fixed in Oracle 9i Database
   Release 2, version 9.2.0.3.
   For further information regarding Oracle security patches, please visit
   the Oracle Metalink site:

   http://metalink.oracle.com (login required)

Systems Affected

   Vendor               Status       Date Updated
   Oracle Corporation   Vulnerable   26-Feb-2004

References

   http://www.nextgenss.com/advisories/ora_time_zone.txt
   http://www.secunia.com/advisories/10805/
   http://metalink.oracle.com

Credit

   This vulnerability was reported by NGSSoftware.

   This document was written by Damon Morda.

Other Information

   Date Public:           02/06/2004
   Date First Published:  02/27/2004 10:14:44 AM
   Date Last Updated:     02/27/2004
   CERT Advisory:
   CVE Name:
   Metric:                13.47
   Document Revision:     8

   If you have feedback, comments, or additional information about this
   vulnerability, please send us email.

[***** End VU#240174 *****]

[***** Start VU#846582 *****]

Vulnerability Note VU#846582

Oracle9i Database contains buffer overflow in NUMTODSINTERVAL() function

Overview

   Oracle9i Database contains a buffer overflow in the NUMTODSINTERVAL()
   function which could allow anyone who can query the server to execute
   arbitrary code or access data with the privileges of the vulnerable
   process.

I. Description

   A buffer overflow exists in the NUMTODSINTERVAL() function. This function
   is responsible for handling date/time conversions. By supplying an overly
   long character string to the function, an attacker could overwrite a
   return address on the stack, resulting in the ability to execute
   arbitrary code or access data with the privileges of the vulnerable
   process. Oracle typically runs as SYSTEM on Windows and as the ORACLE
   user on UNIX.

II. Impact

   Exploitation may result in the ability to execute arbitrary code or
   access data with the privileges of the vulnerable process.

III. Solution

   Apply Patch

   According to NGSSoftware, this problem is fixed in Oracle 9i Database
   Release 2, version 9.2.0.3.
   For further information regarding Oracle security patches, please visit
   the Oracle Metalink site:

   http://metalink.oracle.com (login required)

Systems Affected

   Vendor               Status       Date Updated
   Oracle Corporation   Vulnerable   26-Feb-2004

References

   http://www.nextgenss.com/advisories/ora_numtodsinterval.txt
   http://www.secunia.com/advisories/10805/
   http://metalink.oracle.com

Credit

   This vulnerability was reported by NGSSoftware.

   This document was written by Damon Morda.

Other Information

   Date Public:           02/06/2004
   Date First Published:  02/27/2004 10:16:01 AM
   Date Last Updated:     02/27/2004
   CERT Advisory:
   CVE Name:
   Metric:                13.47
   Document Revision:     7

   If you have feedback, comments, or additional information about this
   vulnerability, please send us email.

[***** End VU#846582 *****]

[***** Start VU#399806 *****]

Vulnerability Note VU#399806

Oracle9i Database contains buffer overflow in FROM_TZ() function

Overview

   Oracle9i Database contains a buffer overflow in the FROM_TZ() function
   which could allow anyone who can query the server to execute arbitrary
   code or access data with the privileges of the vulnerable process.

I. Description

   A buffer overflow exists in the FROM_TZ() function. This function is
   responsible for handling time stamp conversions. By supplying an overly
   long character string to the Time Zone Difference (TZD) parameter of the
   FROM_TZ() function, an attacker could overwrite a return address on the
   stack, resulting in the ability to execute arbitrary code or access data
   with the privileges of the vulnerable process. Oracle typically runs as
   SYSTEM on Windows and as the ORACLE user on UNIX.

II. Impact

   Exploitation may result in the ability to execute arbitrary code or
   access data with the privileges of the vulnerable process.

III. Solution

   Apply Patch

   According to NGSSoftware, this problem is fixed in Oracle 9i Database
   Release 2, version 9.2.0.3.
   For further information regarding Oracle security patches, please visit
   the Oracle Metalink site:

   http://metalink.oracle.com (login required)

Systems Affected

   Vendor               Status       Date Updated
   Oracle Corporation   Vulnerable   27-Feb-2004

References

   http://www.nextgenss.com/advisories/ora_from_tz.txt
   http://www.secunia.com/advisories/10805/
   http://metalink.oracle.com

Credit

   This vulnerability was reported by NGSSoftware.

   This document was written by Damon Morda.

Other Information

   Date Public:           02/06/2004
   Date First Published:  02/27/2004 10:13:59 AM
   Date Last Updated:     02/27/2004
   CERT Advisory:
   CVE Name:
   Metric:                13.47
   Document Revision:     9

   If you have feedback, comments, or additional information about this
   vulnerability, please send us email.

[***** End VU#399806 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of US-CERT for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can
be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide organization.
A list of FIRST member organizations and their constituencies can be
obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-083: Red Hat Updated Metamail Packages Fix Vulnerabilities
O-084: Zone Labs SMTP Processing Vulnerability
O-085: Vulnerability in SMB Parsing in ISS Products
O-086: Red Hat Updated libxml2 Packages Fix Security Vulnerability
O-087: Red Hat Updated util-linux Packages Fix Information Leak
O-088: Sun passwd(1) Command Vulnerability
O-089: Sun Security Vulnerability in "/usr/lib/print/conv_fix"
O-090: Vulnerability in Novell Client Firewall Tray Icon
O-091: Adobe Reader 5.1 XFDF Buffer Overflow Vulnerability
O-092: WinZip Vulnerable to Buffer Overflow in Handling of MIME Archive Parameters