[Argeniss] Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package

From: Cesar (cesarc56_at_yahoo.com)
Date: 07/23/05

    Date: Fri, 22 Jul 2005 15:15:03 -0700 (PDT)
    To: full-disclosure@lists.grok.org.uk, bugtraq@securityfocus.com, ntbugtraq@listserv.ntbugtraq.com, vulnwatch@vulnwatch.org
    
    

    Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package

    Date: 07/22/2005

    Esteban Martinez Fayo (member of the Argeniss security research team)
    reported a security vulnerability to Oracle some months ago. The
    vulnerability is in the OLAPSYS.CWM2_OLAP_AW_AWUTIL package, affecting
    Oracle Database Server 9iR2 and 10g. A couple of days before the July
    CPU was released, Oracle told us that the July CPU would fix the
    reported vulnerability. After the July CPU was released we tested it on
    our systems and found that the patch doesn't fix the vulnerability on
    Oracle 9iR2. That's because Oracle didn't include a fix for the
    vulnerability on 9iR2; the Oracle Database Server Risk Matrix indicates
    that the Earliest Supported Release Affected is 10g, which is
    completely wrong since 9iR2 is affected by the vulnerability.

    We contacted Oracle about this issue and Oracle confirmed it. When we
    asked why there is no fix for 9iR2, Oracle said:

    "Our development teams neglected to do the backports. We are working on
    creating those backports now."

    Oracle also said that the fix will be released in the October CPU.
    Because we feel Oracle doesn't care to protect customers, we decided to
    provide a workaround until a patch is available in October or who knows
    when; maybe the development teams will neglect it again!

    This is a high-risk vulnerability: any database user can cause a DoS.

    Here you can find a workaround:
    http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql

    BTW: Don't miss these talks at Black Hat if you want to know more about
    Oracle (IN)security:

    http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Cerrudo
    http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Fayo
    http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Kornbrust

    Any questions to: cesar>at<argeniss>dot<com

    Cesar Cerrudo
    CEO, Founder
    Argeniss (http://www.argeniss.com)

                    