Bugtraq mailing list archives

Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART

From: security curmudgeon <jericho () attrition org>
Date: Fri, 20 Feb 2009 03:21:14 +0000 (UTC)



: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART
: Risk Level: High

: Oracle Database Server provides the SYS.OLAPIMPL_T package. This package: contains the procedure ODCITABLESTART which is vulnerable to buffer: overflow attacks. Impact: By default SYS.OLAPIMPL_T has EXECUTE: permission to PUBLIC so any Oracle database user can exploit this: vulnerability. Exploitation of this vulnerability allows an attacker to: execute arbitrary code. It can also be exploited to cause DoS (Denial of: service) killing the Oracle server process.:: CVE: CVE-2008-3974


: http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujan2009.html

Oracle:

Confidentiality: None
Integrity: None
Availability: Partial
CVSS: 4.0

That doesn't seem to go with a remote overflow / code executionvulnerability.

Current thread:

Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART Shatter (Feb 03)
- Re: Team SHATTER Security Advisory: Oracle Database Buffer Overflow in SYS.OLAPIMPL_T.ODCITABLESTART security curmudgeon (Feb 20)