__________________________________________________________

           The U.S. Department of Energy
      Computer Incident Advisory Capability
__________________________________________________________

                         INFORMATION BULLETIN

        Buffer Overflows in EXTPROC of Oracle Database Server
                     [Oracle Security Alert 57]

July 25, 2003 19:00 GMT                                           Number N-127
                                                      [Revised 07 August 2003]
______________________________________________________________________________

PROBLEM:       EXTPROC is vulnerable to a stack-based buffer overflow.

SOFTWARE:      Oracle8i (8.1.x - all releases)
               Oracle9i Releases 1 and 2

DAMAGE:        A knowledgeable and malicious user can potentially execute
               arbitrary code against the Oracle database.

SOLUTION:      Apply the patch as stated in Oracle's security alert.
______________________________________________________________________________

VULNERABILITY  The risk is MEDIUM. An attacker must be an authenticated user
ASSESSMENT:    of the database with the CREATE LIBRARY or the CREATE ANY
               LIBRARY privilege.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/n-127.shtml
 ORIGINAL BULLETIN:  http://otn.oracle.com/deploy/security/pdf/2003alert57.pdf
______________________________________________________________________________

Revision History:
 8/7/2003 - Oracle removed unclear references to Alert 29, Version 2

[***** Start Oracle Security Alert 57 *****]

Oracle Security Alert 57
Dated:    23 July 2003
Updated:  07 Aug 2003
Severity: 3

Buffer Overflows in EXTPROC of Oracle Database Server

Description

Potential security vulnerabilities have been discovered in the EXTPROC
executable of the Oracle Database. A knowledgeable and malicious user can
potentially execute arbitrary code against the Oracle database by exploiting
buffer overflows in this executable.
Products Affected

 - Oracle9i Release 2
 - Oracle9i Release 1
 - Oracle8i (8.1.x - all releases)

Platforms Affected

See Patch Availability Matrix.

Required conditions for exploit

Database-authenticated user (i.e., a valid login is required) with the CREATE
LIBRARY or the CREATE ANY LIBRARY privilege.

Risk to exposure

Risk to exposure is low, as the CREATE LIBRARY or the CREATE ANY LIBRARY
privilege is needed to exploit these vulnerabilities. Unless you connect to
the database directly from the Internet (e.g., with no intervening application
server or firewall), a remote buffer overflow attack via the Internet is, in
Oracle's opinion, unlikely. These vulnerabilities are susceptible to an insider
attack originated on the corporate intranet, but Oracle believes that the
likelihood of exploit is minimal if best practices for databases are followed.
Note that Oracle strongly recommends that you do not connect your database
directly to the Internet.

How to minimize risk

There are no workarounds that can directly address these potential security
vulnerabilities, but a patch is available (see below). However, to mitigate the
risk of exposure, Oracle strongly recommends that you limit granting the CREATE
LIBRARY and/or the CREATE ANY LIBRARY privilege to only those users who require
it, or, if you are not using the CREATE LIBRARY or the CREATE ANY LIBRARY
privilege, revoke them from all users.

To check who holds the CREATE LIBRARY and/or the CREATE ANY LIBRARY privilege,
run the following statement (requires DBA privilege):

  select grantee, privilege from dba_sys_privs
   where privilege like 'CREATE%LIBRARY';

Follow Oracle's best practices for databases,
http://otn.oracle.com/deploy/security/oracle9i/pdf/9ir2_checklist.pdf and
http://otn.oracle.com/deploy/security/oracle9i/pdf/9i_checklist.pdf, and for IT
deployments of firewalls, etc.
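The query above only lists direct grants. As an added example (not part of Oracle's alert or of this CIAC bulletin), the SQL below goes further: it walks role grants with CONNECT BY so that the privilege inherited through a role (the DBA role carries every system privilege, for instance) is not missed, lists the libraries that already exist so you can tell whether EXTPROC is in use at all, and generates the REVOKE statements for review. It assumes a DBA connection to Oracle8i or Oracle9i and uses only the standard data dictionary views DBA_SYS_PRIVS, DBA_ROLE_PRIVS and DBA_LIBRARIES; the old-style join syntax is deliberate so it also runs on 8i, and the exclusion of SYS and SYSTEM from the generated revokes is an assumption to adjust for your site.

```sql
-- Step 1: direct grants of CREATE LIBRARY / CREATE ANY LIBRARY to users and
-- roles (DBA_SYS_PRIVS lists grants to roles as well as to users).
SELECT grantee, privilege, admin_option
  FROM dba_sys_privs
 WHERE privilege LIKE 'CREATE%LIBRARY'
 ORDER BY grantee, privilege;

-- Step 2: grants inherited through roles, including nested roles.
-- Start from every role that itself holds the privilege, then walk
-- DBA_ROLE_PRIVS upward: whoever was granted that role (a user or another
-- role) inherits it. LEVEL shows how deep the chain is.
SELECT DISTINCT grantee, granted_role AS via_role, LEVEL AS depth
  FROM dba_role_privs
 START WITH granted_role IN (SELECT grantee
                               FROM dba_sys_privs
                              WHERE privilege LIKE 'CREATE%LIBRARY')
CONNECT BY PRIOR grantee = granted_role
 ORDER BY grantee, depth;

-- Step 3: is anyone actually using external procedures? Each row is a
-- library object that points EXTPROC at a shared library on disk. An empty
-- result is a strong hint that the privilege can be revoked everywhere.
SELECT owner, library_name, file_spec, status
  FROM dba_libraries
 WHERE file_spec IS NOT NULL
 ORDER BY owner, library_name;

-- Step 4: generate REVOKE statements for the direct grants found in step 1.
-- Review the output before executing it; the SYS/SYSTEM exclusion is an
-- assumption, extend it with any schema that legitimately owns libraries.
SELECT 'REVOKE ' || privilege || ' FROM ' || grantee || ';' AS revoke_stmt
  FROM dba_sys_privs
 WHERE privilege LIKE 'CREATE%LIBRARY'
   AND grantee NOT IN ('SYS', 'SYSTEM');
```

Revoking from a role (step 4 output where the grantee is a role) removes the privilege from everyone who holds that role, so check step 2 before running those statements. Revocation does not touch libraries that already exist (step 3); it only stops new ones from being created, which is what closes the path to EXTPROC described in this alert.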
Ramification for customer

Oracle strongly recommends that customers review their database
implementations and the severity rating for this Alert and patch accordingly.
See http://otn.oracle.com/deploy/security/pdf/oracle_severity_ratings.pdf for
a definition of severity ratings.

Patch Information

The patches listed in the Patch Availability Matrix fix the potential security
vulnerabilities identified above and enhance the robustness of EXTPROC. The fix
is included in the Oracle9i Database Release 2, Version 9.2.0.4 patchset. The
patch READMEs contain the patch application instructions/configuration guide.

Fixed by

An interim (one-off) patch for these issues is available for these affected
database versions:

 - Oracle9i Release 2, version 9.2.0.3
 - Oracle9i Release 2, version 9.2.0.2

Currently, due to architectural constraints, there are no plans to release a
patch for versions 9.0.1.4, 8.1.7.4, 8.1.6.x, 8.1.5.x, 8.0.6.3, 8.0.5.x, 7.3.x,
or other patchsets of the supported releases.

Download this one-off patch from the Oracle Support Services web site, Metalink
(http://metalink.oracle.com):

 - Click on the Patches button.
 - Click on "New Metalink Patch Search". If you are not on the "Simple Search"
   screen, click on the "Simple" button to get to the "Simple Search" screen.
 - Refer to the Patch Availability Matrix below to determine the patch number
   required.
 - In the "Search By" option select "Patch Numbers" from the drop-down menu,
   and enter the required patch number in the box.
 - Click on the "Go" button.
 - Select the required platform and language.
 - Click on the "Download" button.
 - Recommended: also click on the "View README" button for additional
   information and instructions.

Please review Metalink, or check with Oracle Support Services periodically for
patch availability if the patch for your platform is unavailable.
Oracle strongly recommends that you back up and comprehensively test the
stability of your system upon application of any patch prior to deleting any
of the original file(s) that are replaced by the patch.

Patch Availability Matrix

Special Notes

 - Customers running supported database releases up to and including Oracle9i
   Release 9.0.1.4 must continue to use the workaround identified in Alert 29,
   http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf. Customers
   running Oracle9i Release 2 (9.2.0.2 and above) can apply the patch
   identified in the matrix below.
 - For this Alert, customers running supported database releases up to and
   including Oracle9i Release 9.0.1.4 must migrate to the releases identified
   in the matrix below to obtain patches.
 - Oracle recommends that E-Business Suite 11i customers apply the patches
   listed below.

 Platform                          Patch for 9.2.0.3   Patch for 9.2.0.2
 ---------------------------------------------------------------------------
 Sun Solaris (32-bit)              2988114             2988086
 Sun Solaris (64-bit)              2988114             2988086
 IBM AIX 4.3.3 and 5L (32-bit)     ---                 ---
 IBM AIX 4.3.3 (64-bit)            2988114             2988086
 IBM AIX Based 5L (64-bit)         2988114             2988086
 MS Windows NT/2000/XP             2973634             3056404
 HP-UX 11.0 (32-bit)               ---                 ---
 HP-UX (64-bit)                    2988114             2988086
 HP Tru64                          2988114             2988086
 LINUX                             2988114             2988086
 LINUX 390                         2988114             2988086
 LINUX IA64                        ---                 2988086
 INTEL SOLARIS                     ---                 ---
 DATA GENERAL                      ---                 ---
 UNIXWARE                          ---                 ---
 IBM NUMA-Q                        ---                 ---
 SGI-IRIX-64                       ---                 ---
 Siemens-64                        ---                 ---
 Novell                            ---                 ---
 Alpha OpenVMS                     2988114             2988086
 IBM OS/390 (MVS)                  2990322             2990370
 NEC                               ---                 ---
 HP IA64                           2988114             2988086
 ---------------------------------------------------------------------------
 ---: The patch for the Oracle Database Release/Version is not available for
      this platform.
 ECD: Expected Completion Date.

Credits

Oracle Corporation thanks Chris Anley, of Next Generation Security Software
Ltd., for discovering and promptly bringing these potential security
vulnerabilities to Oracle's attention. The Next Generation Security Software
Advisory is available at http://www.nextgenss.com/research/advisories.html.
Modification History

 23-JUL-03: Initial release, Version 1
 07-AUG-03: Removed unclear references to Alert 29, Version 2

[***** End Oracle Security Alert 57 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Oracle Corporation and Next
Generation Security Software Limited (NGSSoftware) for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government.
Neither the United States Government nor the University of California nor any
of their employees makes any warranty, express or implied, or assumes any legal
liability or responsibility for the accuracy, completeness, or usefulness of
any information, apparatus, product, or process disclosed, or represents that
its use would not infringe privately owned rights. Reference herein to any
specific commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed herein
do not necessarily state or reflect those of the United States Government or
the University of California, and shall not be used for advertising or product
endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

N-117: Microsoft RPC Interface Buffer Overrun Vulnerability
N-118: Cisco IOS Interface Blocked by IPv4 Packet
N-119: Microsoft Internet Security and Acceleration (ISA) Server Error Pages
       Could Allow Cross-Site Scripting Attack
N-120: Unchecked Buffer in Microsoft Windows Shell Could Enable System
       Compromise
N-121: Red Hat Updated Mozilla Packages Fix Security Vulnerability
N-122: Red Hat Updated 2.4 Kernel Fixes Vulnerabilities
N-123: SGI Login Vulnerabilities
N-124: Sun Solaris 8 LDAP Clients May Log the Proxy Agent User's Password as
       Clear Text
N-125: Cumulative Patch for Microsoft SQL Server
N-126: Microsoft Unchecked Buffer in DirectX Could Enable System Compromise