exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Oracle9R2-unpatched.txt

Oracle9R2-unpatched.txt
Posted Jul 23, 2005
Authored by Cesar Cerrudo | Site argeniss.com

Oracle 9R2 has an unpatched, known vulnerability in the CWM2_OLAP_AW_AWUTIL package. A flaw that was reported months ago and was claimed to be fixed in this last release.

tags | advisory
SHA-256 | 4baacbeb7d755cb771ca19159c31c5adc4d70a971c8a33ae6de73c73c76e6667

Oracle9R2-unpatched.txt

Change Mirror Download
Oracle 9R2 Unpatched vulnerability on
CWM2_OLAP_AW_AWUTIL package


Date: 07/22/2005


Esteban Martinez Fayo (member of Argeniss security
research team) reported a security
vulnerability to Oracle some months ago, the
vulnerability is on OLAPSYS.CWM2_OLAP_AW_AWUTIL
package affecting Oracle Database Server 9iR2 and 10g.
A couple of days before July CPU was
released Oracle told us that July CPU will fix the
reported vulnerability. After July CPU was
relesed we tested it in our systems and we found that
the patch doesn't fix the vulnerability
on Oracle 9iR2, that's because Oracle didn't include a
fix for the vulnerability on 9iR2, the
Oracle Database Server Risk Matrix indicates that the
Earliest Supported Release Affected is 10g
which is complete wrong since 9iR2 is affected by the
vulnerability.

We contacted Oracle about this issue and Oracle
confirmed it, when we asked why there is no fix
for 9iR2, Oracle said:

"Our development teams neglected to do the backports.
We are working on creating those backports now."

Also Oracle said that the fix will be released on
October CPU.
Because we feel Oracle doesn't care to protect
customers we decided to provide a workaround
until a patch is available on October or who knows
when, maybe the development teams neglect again!


This is a high risk vulnerability, any database user
can cause a DOS.

Here you can find a workaround:
http://www.argeniss.com/research/CWM2_OLAP_AW_AWUTILWorkaround.sql



BTW: Don't miss these talks at Black Hat if you want
to know more about Oracle (IN)security:

http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Cerrudo
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Fayo
http://www.blackhat.com/html/bh-usa-05/bh-usa-05-speakers.html#Kornbrust


Any questions to: cesar>at<argeniss>dot<com


Cesar Cerrudo
CEO, Founder
Argeniss (http://www.argeniss.com)




____________________________________________________
Start your day with Yahoo! - make it your home page
http://www.yahoo.com/r/hs

Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    11 Files
  • 8
    Dec 8th
    36 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close