Credit:
The information has been provided by iDefense Labs Security Advisories.
The original article can be found at: http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=727
Vulnerable Systems:
* Oracle 11g R1 version 11.1.0.6.0 on the 32-bit Linux platform
Immune Systems:
This vulnerability specifically exists in a set-uid root program distributed with Oracle Database for Linux and Unix platforms. By replacing a module owned by the oracle user, which is loaded by this program, an attacker can execute arbitrary code as root.
Analysis:
Exploitation allows the attacker to gain root privilege. In order to exploit the vulnerability, the attacker must have access to the database owner account, typically "oracle", or be a member of the Oracle installation group, typically "oinstall".
Workaround:
In order to prevent exploitation, administrators can remove the set-uid bit from the vulnerable program. However, doing so could impair the functionality of the DBMS_SCHEDULER package.
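The following POSIX shell helpers are an added example, not part of the iDefense advisory or of Oracle's software: they audit the two conditions the advisory describes (a set-uid root executable, and a module it loads that is owned by an unprivileged user or is writable by others) and apply the stated workaround of clearing the set-uid bit. The directory to scan, the numeric owner id to expect, and the file names used in the usage section are assumptions supplied for illustration; the advisory does not name the affected program.

```sh
#!/bin/sh
# Added example (not from the advisory): audit helpers for set-uid root
# programs and the modules they load, plus the advisory's workaround.

# list_setuid DIR [UID]
# Print every regular file under DIR with the set-uid bit set. When a numeric
# UID is given, only files owned by that user are reported; in production
# the interesting case is UID 0 (root).
list_setuid() {
    dir="$1"
    uid="${2:-}"
    if [ -n "$uid" ]; then
        find "$dir" -type f -perm -4000 -uid "$uid" 2>/dev/null
    else
        find "$dir" -type f -perm -4000 2>/dev/null
    fi
}

# is_setuid FILE
# Exit 0 if FILE has the set-uid bit, 1 otherwise ([ -u ] is POSIX test).
is_setuid() {
    [ -u "$1" ]
}

# module_is_safe FILE [UID]
# A module loaded by a set-uid root program must be owned by the privileged
# user (numeric UID, default 0 = root) and must not be group- or
# world-writable; otherwise an unprivileged owner could replace it.
# Uses `ls -ln` (numeric ids) so no passwd lookup is needed.
module_is_safe() {
    f="$1"
    want="${2:-0}"
    set -- $(ls -ln "$f") || return 1
    perms="$1"
    owner="$3"
    [ "$owner" = "$want" ] || return 1
    case "$perms" in
        ?????w*) return 1 ;;      # group write bit (position 6)
        ????????w*) return 1 ;;   # other write bit (position 9)
    esac
    return 0
}

# drop_setuid FILE
# The advisory's workaround: clear the set-uid bit (u-s) on the program.
# Note the advisory's caveat that this may impair DBMS_SCHEDULER.
drop_setuid() {
    chmod u-s "$1"
}

# Usage (assumed paths; ORACLE_HOME is the conventional install root):
#   list_setuid "${ORACLE_HOME:-/u01/app/oracle}" 0
#   module_is_safe /path/to/loaded/module.so 0 || echo "module replaceable"
#   drop_setuid /path/to/setuid/program
```

Run the audit as root so that `find` can traverse the whole install tree; `module_is_safe` deliberately checks ownership and write bits on the module file itself, which is exactly the condition the advisory says lets an oracle-group member reach root.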
Vendor response:
Oracle Corp. has addressed this vulnerability with the release of their July 2008 Critical Patch Update. For more information, visit the following URL.
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
CVE Information:
CVE-2008-2613
Disclosure timeline:
01/25/2008 - Initial vendor notification
02/05/2008 - Initial vendor response
07/15/2008 - Coordinated public disclosure