[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package
From: Cesar (cesarc56_at_yahoo.com)
Date: Fri, 22 Jul 2005 15:15:03 -0700 (PDT) To: email@example.com, firstname.lastname@example.org, email@example.com, firstname.lastname@example.org
Oracle 9R2 Unpatched vulnerability on
Esteban Martinez Fayo (member of Argeniss security
research team) reported a security
vulnerability to Oracle some months ago, the
vulnerability is on OLAPSYS.CWM2_OLAP_AW_AWUTIL
package affecting Oracle Database Server 9iR2 and 10g.
A couple of days before July CPU was
released Oracle told us that July CPU will fix the
reported vulnerability. After July CPU was
relesed we tested it in our systems and we found that
the patch doesn't fix the vulnerability
on Oracle 9iR2, that's because Oracle didn't include a
fix for the vulnerability on 9iR2, the
Oracle Database Server Risk Matrix indicates that the
Earliest Supported Release Affected is 10g
which is complete wrong since 9iR2 is affected by the
We contacted Oracle about this issue and Oracle
confirmed it, when we asked why there is no fix
for 9iR2, Oracle said:
"Our development teams neglected to do the backports.
We are working on creating those backports now."
Also Oracle said that the fix will be released on
Because we feel Oracle doesn't care to protect
customers we decided to provide a workaround
until a patch is available on October or who knows
when, maybe the development teams neglect again!
This is a high risk vulnerability, any database user
can cause a DOS.
Here you can find a workaround:
BTW: Don't miss these talks at Black Hat if you want
to know more about Oracle (IN)security:
Any questions to: cesar>at<argeniss>dot<com
Start your day with Yahoo! - make it your home page