Oracle9iAS Web Cache Overflow Vulnerability

From: Oracle Security Alerts (secalert_us@oracle.com)
Date: 10/24/01


Message-ID: <3BD71F4C.4360AEA7@oracle.com>
Date: Wed, 24 Oct 2001 13:06:36 -0700
From: Oracle Security Alerts <secalert_us@oracle.com>
To: bugtraq@securityfocus.com
Subject: Oracle9iAS Web Cache Overflow Vulnerability


Reference Date: October 18, 2001
Security Alert #18

Oracle9iAS Web Cache Overflow Vulnerability

Overview
A potential security vulnerability has been discovered in Oracle9iAS Web
Cache 2.0.0.1. This vulnerability enables an attacker to mount a
denial-of-service attack using an oversized HTTP GET request. On some
platforms there is an additional vulnerability that may allow remote
execution of arbitrary code.
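As an added defender-side illustration (not part of the Oracle alert), the check below does two things a practitioner would want after reading the overview: it flags access-log GET requests whose URI is oversized, and it classifies a Web Cache version string against the 2.0.0.2 fix. It assumes Common Log Format access logs and a tunable length threshold; the log lines are constructed, not real traffic.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample access-log lines in Common Log Format (not real traffic).
# The third line carries an oversized GET request of the kind the alert describes.
SAMPLE_LOG = [
    '10.0.0.5 - - [18/Oct/2001:09:12:01 -0700] "GET /index.html HTTP/1.0" 200 1043',
    '10.0.0.7 - - [18/Oct/2001:09:12:03 -0700] "POST /cgi/form HTTP/1.1" 302 0',
    '10.0.0.9 - - [18/Oct/2001:09:12:09 -0700] "GET /' + 'A' * 3000 + ' HTTP/1.0" 400 0',
]

# Common Log Format: ip ident user [timestamp] "method uri proto" status size
CLF_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S*) ?(?P<proto>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)

# The alert names 2.0.0.1 as vulnerable and 2.0.0.2 as the fixed release.
FIXED_VERSION: Tuple[int, ...] = (2, 0, 0, 2)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted release string such as '2.0.0.1' into a comparable tuple."""
    return tuple(int(part) for part in version.strip().split('.'))


def is_affected(version: str) -> bool:
    """True for any Web Cache release below the 2.0.0.2 fix (assumption: anything older is unpatched)."""
    return parse_version(version) < FIXED_VERSION


def find_oversized_requests(lines: List[str], max_uri_len: int = 1024) -> List[Dict[str, object]]:
    """Return GET requests whose URI exceeds max_uri_len (threshold is a tunable assumption)."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        match = CLF_RE.match(line)
        if not match:
            continue  # skip lines that are not in Common Log Format
        if match['method'] == 'GET' and len(match['uri']) > max_uri_len:
            hits.append({
                'ip': match['ip'],
                'ts': match['ts'],
                'uri_len': len(match['uri']),
                'status': match['status'],
            })
    return hits


if __name__ == '__main__':
    for hit in find_oversized_requests(SAMPLE_LOG):
        print(f"oversized GET from {hit['ip']} at {hit['ts']}: {hit['uri_len']} bytes, status {hit['status']}")
```

Lower max_uri_len to match the longest legitimate URI your site serves; the 1024 default is only a starting point.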

Products
Oracle9iAS Web Cache 2.0.0.1

Platforms
All

Patch Solution
Oracle has comprehensively fixed this security vulnerability in the
2.0.0.2 release of Oracle9iAS Web Cache.
Supported customers may download the release for their platform from
Oracle's Worldwide Support web site, Metalink,
http://metalink.oracle.com. Press the "Patches" button to get to the
patches web page. Enter the platform and corresponding patch number from
the table below, and press "Submit."

Platform                     Patch Number
MS Windows NT/2000 Server    2044682
Sun SPARC Solaris            2042106
HP-UX                        2043908
Linux                        2043924
Compaq Tru64 UNIX            2043921
AIX                          2043917

Alternatively, this release may be downloaded for evaluation on Windows
NT, Solaris, HP, and Linux from the Oracle Technology Network,
http://otn.oracle.com/software/content.html.

Credits
Oracle would like to thank George Hedfors and Andreas Junestam of Defcom
Security for promptly bringing this potential security vulnerability to
Oracle’s attention.