Oracle 9R2 Unpatched vulnerability on CWM2_OLAP_AW_AWUTIL package Date: 07/22/2005 Esteban Martinez Fayo (member of Argeniss security research team) reported a security vulnerability to Oracle some months ago, the vulnerability is on OLAPSYS.CWM2_OLAP_AW_AWUTIL package affecting Oracle Database Server 9iR2 and 10g. A couple of days before July CPU was released Oracle told us that July CPU will fix the reported vulnerability. After July CPU was relesed we tested it in our systems and we found that the patch doesn't fix the vulnerability on Oracle 9iR2, that's because Oracle didn't include a fix for the vulnerability on 9iR2, the Oracle Database Server Risk Matrix indicates that the Earliest Supported Release Affected is 10g which is complete wrong since 9iR2 is affected by the vulnerability. We contacted Oracle about this issue and Oracle confirmed it, when we asked why there is no fix for 9iR2, Oracle said: "Our development teams neglected to do the backports. We are working on creating those backports now." Also Oracle said that the fix will be released on October CPU. Because we feel Oracle doesn't care to protect customers we decided to provide a workaround until a patch is available on October or who knows when, maybe the development teams neglect again! This is a high risk vulnerability, any database user can cause a DOS. Here you can find a workaround: http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql BTW: Don't miss these talks at Black Hat if you want to know more about Oracle (IN)security: http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Cerrudo http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Fayo http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Kornbrust Any questions to: cesar>at<argeniss>dot<com Cesar Cerrudo CEO, Founder Argeniss (http://www.argeniss.com) ____________________________________________________ Start your day with Yahoo! - make it your home page http://www.yahoo.com/r/hs _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
This archive was generated by hypermail 2.1.3 : Wed Jul 27 2005 - 07:31:00 PDT