A potential security vulnerability has been discovered in Oracle's handling of the ORACLE_HOME environment variable. A buffer overflow occurs when the Oracle binary otrcrep translates ORACLE_HOME into a string of 240 or more bytes. The otrcrep binary runs with SETUID oracle privileges in the operating system DBA group. A local user may exploit the buffer overflow to overwrite stack variables in shared memory, including return addresses, and thereby execute arbitrary (or specific, malicious) code with the privileges of the oracle user and/or the DBA group.
A patch and workaround are now available for this problem. For more information about the security hole, see our previous post:
Local Security Vulnerability in 'dbsnmp' Binary (ORACLE_HOME)
Credit:
The information has been provided by Oracle Security Alerts.
Vulnerable systems:
All Oracle database server releases (8.0.x, 8.1.x and 9.0.1)
Workaround:
If the ORACLE_HOME environment variable is being translated into a string of 240 or more bytes, disable Oracle Trace by setting its control parameter in init<SID>.ora as follows:
oracle_trace_enable=FALSE
Change the file permissions on all of the Oracle Trace executables as follows:
% chmod -s otrccol otrccref otrcfmt otrcrep
% chmod 751 otrccol otrccref otrcfmt otrcrep
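To confirm the workaround is in place, the following audit script can be used. It is an added example, not part of the Oracle alert; the executable directory and the init<SID>.ora path are supplied by the caller as assumptions, since the alert does not say where these files live.

```sh
#!/bin/sh
# Added example, not part of the Oracle alert: audit whether the workaround
# above is in place. The directory and init<SID>.ora path are caller-supplied
# assumptions; the alert does not say where these files live.

TRACE_BINS="otrccol otrccref otrcfmt otrcrep"   # executable names from the alert
LIMIT=240                                        # byte threshold from the alert

# Succeeds (exit 0) if the value $1 is LIMIT bytes or longer. This measures the
# raw value only; the alert speaks of the translated string, which may differ.
oracle_home_too_long() {
    n=$(printf %s "$1" | wc -c)
    [ "$((n))" -ge "$LIMIT" ]
}

# Prints the name of every Oracle Trace executable in directory $1 that still
# carries a setuid or setgid bit. Missing files are skipped.
trace_bins_with_suid() {
    for name in $TRACE_BINS; do
        path="$1/$name"
        [ -f "$path" ] || continue
        if [ -u "$path" ] || [ -g "$path" ]; then
            echo "$name"
        fi
    done
}

# Succeeds if parameter file $1 sets oracle_trace_enable=FALSE.
trace_disabled() {
    grep -Eiq '^[[:space:]]*oracle_trace_enable[[:space:]]*=[[:space:]]*false[[:space:]]*$' "$1"
}

# Combined report: audit_trace <ORACLE_HOME value> <bin dir> <init.ora path>
# Returns 0 when nothing needs attention, 1 otherwise.
audit_trace() {
    rc=0
    if oracle_home_too_long "$1"; then
        echo "ORACLE_HOME is $LIMIT bytes or longer"
        trace_disabled "$3" || { echo "oracle_trace_enable is not FALSE"; rc=1; }
    fi
    for name in $(trace_bins_with_suid "$2"); do
        echo "setuid/setgid still set: $name"
        rc=1
    done
    return "$rc"
}

# Run only when called with the three arguments described above.
if [ "$#" -eq 3 ]; then audit_trace "$@"; fi
```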
Patches:
The potential security vulnerability will be code-fixed only in the next release of the Oracle database server, Oracle9i Release 2. All other releases of the Oracle database (8.0.x, 8.1.x, and 9.0.1) must follow the workarounds specified above to circumvent the potential security vulnerability.