The Oracle TNS Listener is susceptible to a denial of service attack when issued the SERVICE_CURLOAD command.
Credit:
The original advisory can be downloaded from:
http://www.rapid7.com/advisories/R7-0006.txt
The information has been provided by Rapid 7 Security Advisories.
Vulnerable systems:
* Oracle 9i Release 2 (9.2.x)
* Oracle 9i Release 1 (9.0.x)
* Oracle 8i (8.1.x)
Immune systems:
* Oracle 8.0.x (but see below)
Detailed analysis:
Connecting to the Oracle TNS listener (usually on port 1521) and issuing the command "(CONNECT_DATA=(COMMAND=SERVICE_CURLOAD))" causes the Oracle server to respond with a message indicating successful execution. However, once the caller closes the connection, the listener service stops responding. The effects of this DoS vary depending on how long the attacker keeps the original connection open. If the caller keeps the listener connection open while new connections are serviced, the listener service will be disabled and may crash with an access violation. If the caller closes the listener connection before other requests are serviced, the listener service will refuse to accept new connections.
Rapid7 were unable to reproduce this issue on Oracle 8.0.6. Version 8.0.6 of Oracle logs a result of 0 (success) in listener.log. However, the response to the caller contains error code 12629260, which appears to be a non-standard error code. This may also be the result of an exceptional condition, but we were unable to crash or disable the listener in our testing.
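Since the command and its result are recorded in listener.log, the log can be reviewed for SERVICE_CURLOAD requests. The following Python is an added example, not part of the original advisory and not Rapid7 or Oracle code. The sample log lines are constructed, and the " * "-separated layout with the return code as the last field is an assumption about the log format.

```python
import re

# Assumption: listener.log entries are " * "-separated, with the timestamp
# first, the connect data second and the numeric return code last.
COMMAND_RE = re.compile(r"\(\s*COMMAND\s*=\s*([A-Za-z_]+)\s*\)", re.IGNORECASE)

# Constructed sample lines (not captured from a real system).
SAMPLE_LOG = """\
06-AUG-2002 10:14:02 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=db1)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER)) * status * 0
06-AUG-2002 10:15:40 * (CONNECT_DATA=(SID=ORCL)(CID=(PROGRAM=app)(HOST=web1)(USER=svc))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.0.0.5)(PORT=40112)) * establish * ORCL * 0
06-AUG-2002 10:16:11 * (CONNECT_DATA=(COMMAND=SERVICE_CURLOAD)) * service_curload * 0
06-AUG-2002 10:16:30 * (connect_data=(command=service_curload)) * service_curload * 0
garbled line without separators
"""

def parse_entry(line):
    """Split one log line into timestamp, command and return code, or None."""
    fields = [f.strip() for f in line.split(" * ")]
    if len(fields) < 3:
        return None  # not a well-formed entry
    match = COMMAND_RE.search(fields[1])
    if not match:
        return None  # ordinary client connection, no listener command
    code = int(fields[-1]) if fields[-1].lstrip("-").isdigit() else None
    return {"time": fields[0], "command": match.group(1).upper(), "code": code}

def find_curload(log_text):
    """Return parsed entries whose listener command is SERVICE_CURLOAD."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry and entry["command"] == "SERVICE_CURLOAD":
            hits.append(entry)
    return hits

if __name__ == "__main__":
    for hit in find_curload(SAMPLE_LOG):
        print(f"{hit['time']}  SERVICE_CURLOAD issued, return code {hit['code']}")
```

A return code of 0 does not indicate the request was harmless: the advisory notes that the listener reports successful execution before it stops responding.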
Vendor status and information:
Oracle was notified of this vulnerability and has made patches available. This issue is being tracked as bug #2540219 in the Oracle bug database.
Solution:
Download and apply the vendor-supplied patches. Please see Oracle Security Alert #42 for more information: http://otn.oracle.com/deploy/security/pdf/2002alert42rev1.pdf
Please note that patches for some versions and platforms are not yet available.