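Published: 2003-05-25
Updated: 2003-05-25
Severity: High
Threat level: Ordinary user access privileges
Error type: Boundary check error
Exploitation mode: Server mode
BUGTRAQ ID: 7453
Affected systems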
Oracle Oracle7 7.3.3
Oracle Oracle7 7.3.4
-RedHat Linux 5.0
-RedHat Linux 5.1
-RedHat Linux 5.2 i386
-RedHat Linux 6.0
-RedHat Linux 6.1 i386
-Sun Solaris 2.4
-Sun Solaris 2.4 _x86
-Sun Solaris 2.5
-Sun Solaris 2.5 _x86
-Sun Solaris 2.5.1
-Sun Solaris 2.5.1 _x86
-Sun Solaris 2.6
+Sun Solaris 2.6 _x86
Oracle Oracle8 8.0.1
Oracle Oracle8 8.0.2
Oracle Oracle8 8.0.3
Oracle Oracle8 8.0.4
Oracle Oracle8 8.0.4
Oracle Oracle8 8.0.5 .1
Oracle Oracle8 8.0.5
Oracle Oracle8 8.0.5
-SGI IRIX 6.5.4
Oracle Oracle8 8.0.6
Oracle Oracle8 8.0.6
Oracle Oracle8 8.1.5
+HP HP-UX 11.0
+HP HP-UX 11.11
+RedHat Linux 6.1 i386
+RedHat Linux 6.2 i386
+Sun Solaris 7.0
+Sun Solaris 8.0
Oracle Oracle8 8.1.6
Oracle Oracle8 8.1.7
-Microsoft Windows 2000 Workstation
Oracle Oracle8i 8.0 x
Oracle Oracle8i 8.0.6 .3
Oracle Oracle8i 8.0.6
Oracle Oracle8i 8.1 x
Oracle Oracle8i 8.1.5
Oracle Oracle8i 8.1.6
Oracle Oracle8i 8.1.7 .4
Oracle Oracle8i 8.1.7 .1
Oracle Oracle8i 8.1.7
Oracle Oracle9i 9.0
Oracle Oracle9i 9.0.1 .4
Oracle Oracle9i 9.0.1 .3
Oracle Oracle9i 9.0.1 .2
Oracle Oracle9i 9.0.1
Oracle Oracle9i 9.0.2
Oracle Oracle9i 9.2 .0.2
Oracle Oracle9i 9.2 .0.1
Oracle Oracle9i Release 2 9.2 .2
Oracle Oracle9i Release 2 9.2 .2
Oracle Oracle9i Release 2 9.2 .1
Oracle Oracle9i Release 2 9.2 .1
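Detailed description
Oracle Database Server contains a buffer overflow vulnerability in its implementation. The server does not perform sufficient bounds checking on CREATE DATABASE LINK query requests; by submitting an overly long request, an attacker can corrupt data on the stack and cause arbitrary instructions of the attacker's choosing to be executed.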
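A defensive check for the condition described above, as an added example that is not part of the original advisory: it scans statement audit records for CREATE DATABASE LINK requests of abnormal length. The `time|user|sql` record format, the 512-character threshold and all sample lines are assumptions constructed for illustration.

```python
import re

# Assumed threshold (not from the advisory): legitimate link definitions are
# short, so a statement far beyond this length deserves review.
MAX_STATEMENT_LEN = 512

# CREATE [SHARED] [PUBLIC] DATABASE LINK, tolerant of case and extra whitespace.
LINK_RE = re.compile(
    r"^\s*CREATE\s+(?:SHARED\s+)?(?:PUBLIC\s+)?DATABASE\s+LINK\b", re.IGNORECASE)
# SQL comments are replaced by a space so keywords separated by /* */ still match.
COMMENT_RE = re.compile(r"/\*.*?\*/|--[^\n]*", re.DOTALL)
# Single-quoted literal, with '' as an escaped quote.
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")


def inspect_statement(sql, limit=MAX_STATEMENT_LEN):
    """Return a finding for an oversized CREATE DATABASE LINK, else None."""
    if not LINK_RE.match(COMMENT_RE.sub(" ", sql)):
        return None
    if len(sql) <= limit:
        return None
    # The longest quoted literal is reported to help triage the record.
    longest = max((len(s) for s in LITERAL_RE.findall(sql)), default=0)
    return {"length": len(sql), "longest_literal": longest}


def scan_audit_log(lines, limit=MAX_STATEMENT_LEN):
    """Scan 'time|user|sql' records (hypothetical format) and collect findings."""
    findings = []
    for line in lines:
        ts, user, sql = line.split("|", 2)  # SQL may itself contain '|'
        hit = inspect_statement(sql, limit)
        if hit:
            findings.append({"time": ts, "user": user, **hit})
    return findings


# Constructed sample records: a normal link, an oversized one, unrelated long SQL.
SAMPLE_LOG = [
    "2003-05-25T10:00:01|SCOTT|CREATE DATABASE LINK sales USING 'salesdb'",
    "2003-05-25T10:02:17|SCOTT|create /* x */ public  database link l1 using '"
    + "A" * 2000 + "'",
    "2003-05-25T10:03:40|HR|SELECT " + "'x'," * 400 + "1 FROM dual",
]

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG):
        print(finding)
```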
Solution
The vendor has released patches:
Oracle Oracle8i 8.0.6 .3:
Oracle Patch 2760879
http://metalink.oracle.com/
Oracle Patch 2845564
http://metalink.oracle.com/
Microsoft Windows NT/2000/XP.
Oracle Oracle8i 8.1.7 .4:
Oracle Patch 2784635
http://metalink.oracle.com/
Oracle Patch 2899111
http://metalink.oracle.com/
Microsoft Windows NT/2000/XP.
Oracle Oracle9i 9.0.1 .4:
Oracle Patch 2760944
http://metalink.oracle.com/
Oracle Oracle9i 9.2 .0.2:
Oracle Patch 2749511
http://metalink.oracle.com/
Related information
"NGSSoftware Insight Security Research"
Oracle Database Server Buffer Overflow Vulnerability
http://online.securityfocus.com/archive/1/319914
(Editor in charge: 郁单曰)