When our team of security experts completes the research on a specific vulnerability, you receive a Level-1 alert via e-mail.

The Level-1 alert lets you determine whether your systems are vulnerable and gives step-by-step instructions for alleviating the vulnerability. The link in the Level-1 alert also leads to the detailed Level-2 report written by our security experts. Try the link in the sample alert below to see the extra information our detailed reports provide.



                         Oracle dbsnmp Vulnerability
                                  1999-00233
                               December 19, 1999

* H I G H  R I S K * H I G H  R I S K * H I G H  R I S K * H I G H  R I S K *

Application Type:                  Database
Application Name:                  Oracle Database Server
Application Version:               8.1.5 on Solaris 2.6 SPARC
                                   8.0.5 on Solaris 2.6 SPARC
                                   8.0.4 on Solaris 2.6 SPARC
                                   8.0.3 on Solaris 2.6 SPARC
                                   7.3.4 on Solaris 2.6 SPARC
                                   8.0.5 on Linux x86
                                   8.0.4 on Linux x86
                                   8.0.3 on Linux x86
Platforms Affected:                SPARC 
                                   x86
Operating System Affected:         Solaris
                                   Linux

Problem
------------

The affected versions of Oracle Database Server are vulnerable to a setuid
problem that allows any local user to gain root privileges on the server.  The
exploit, which has been widely published for both the Solaris and Linux versions,
causes a setuid program to create a /.rhosts file when a specific environment
variable is not set.  More information can be found in the detailed Level-2
report listed below.


Issues
----------

Remote Attack:                     No
Physical Access Required:          No
Administrative Privilege Gained:   Yes
Attack Scripts Available:          Yes


Affected systems
-----------------------

All Solaris 2.6 SPARC systems running Oracle Database Server 8.1.5, 8.0.3-5,
or 7.3.4.  Also, all Linux x86 systems running Oracle Database Server 8.0.3-5.
It is likely that other Unix versions are also vulnerable.
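The alert above names two things an administrator can look for on a host: a setuid binary in the Oracle installation and a /.rhosts file in root's home. The following read-only audit script is an added example; it is not part of the ISAG alert and is not Oracle's setuid_patch.sh. It assumes the setuid program (dbsnmp) lives under $ORACLE_HOME/bin and that root's home directory is /; both are assumptions and can be overridden on the command line. It reports and changes nothing, so it is safe to run before and after applying the vendor patch.

```shell
#!/bin/sh
# audit_oracle_setuid.sh (added example; not from the ISAG alert or Oracle's patch)
# Read-only audit for the two artifacts the alert describes: a setuid binary in
# the Oracle installation and a /.rhosts file written to root's home.
# Assumptions: the setuid program lives under $ORACLE_HOME/bin (e.g. dbsnmp) and
# root's home directory is / (both may be overridden on the command line).

# Print every regular file under "$1" that carries the setuid bit, one per line.
list_setuid() {
    find "$1" -type f -perm -4000 2>/dev/null
}

# Echo the number of setuid files under "$1" (0 if the directory is missing).
setuid_count() {
    list_setuid "$1" | wc -l | tr -d ' '
}

# Echo the path of the .rhosts file inside home directory "$1" ("/" -> "/.rhosts").
rhosts_file() {
    echo "${1%/}/.rhosts"
}

# Succeed (exit 0) if the .rhosts file in home directory "$1" exists.
rhosts_present() {
    [ -f "$(rhosts_file "$1")" ]
}

# Succeed if that .rhosts file has a line starting with '+', the wildcard that
# trusts every host (and, written as "+ +", every user) for rlogin/rsh.
rhosts_has_wildcard() {
    [ -f "$(rhosts_file "$1")" ] && grep -q '^+' "$(rhosts_file "$1")"
}

# Run the audit: $1 = ORACLE_HOME, $2 = root's home directory (default /).
# Prints findings; returns 1 if anything was found, 0 if the host looks clean.
audit_oracle() {
    oracle_home=$1
    root_home=${2:-/}
    status=0
    if [ "$(setuid_count "$oracle_home/bin")" -gt 0 ]; then
        list_setuid "$oracle_home/bin" | while read -r f; do
            echo "SETUID: $f owner=$(ls -ld "$f" | awk '{print $3}')"
        done
        status=1
    fi
    if rhosts_present "$root_home"; then
        echo "WARNING: $(rhosts_file "$root_home") exists; review it, the alert says a setuid program can create it"
        status=1
        if rhosts_has_wildcard "$root_home"; then
            echo "CRITICAL: $(rhosts_file "$root_home") contains a '+' wildcard entry"
        fi
    fi
    if [ "$status" -eq 0 ]; then
        echo "OK: no setuid files under $oracle_home/bin and no $(rhosts_file "$root_home")"
    fi
    return $status
}

# Usage: sh audit_oracle_setuid.sh /path/to/ORACLE_HOME [/]
# (ORACLE_HOME path is whatever your installation uses; none is assumed here.)
if [ $# -ge 1 ]; then
    audit_oracle "$1" "${2:-/}"
fi
```

The script exits non-zero whenever it finds something, so it can be dropped into a cron job or a fleet-wide check and the exit status alone tells you which hosts need attention. A setuid file under $ORACLE_HOME/bin after patching, or any /.rhosts on a database server that has no reason to trust rsh peers, is worth a manual look.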


Corrective Action
-----------------------

The vendor has released a patch, available at:

http://technet.oracle.com/misc/setuid_patch.sh


The detailed Level-2 report for this vulnerability can be found at:
http://www.isag.com/securealert/1999-233detail.html


           Copyright Internet Security Advisors Group, 1999
        Please direct comments or questions to: alert@isag.com
                   Internet Security Advisors Group
                         http://www.isag.com/


If you like what you see and you'd like to become one of the hundreds of companies that rely on SecureAlert to keep their systems secure, just visit our signup page.



Email: info@isag.com

Content copyright © 2000 Internet Security Advisors Group. All rights reserved.