I have not seen the latest Oracle bugs on the list yet. #2 and #3 were credited to Juan Manuel Pascual Escribá by Oracle.

-----Original Message-----
From: support@appsecinc.com [mailto:support@appsecinc.com]
Sent: 23 October 2001 11:00
To: support@appsecinc.com
Subject: ASI Oracle Security Alert: 3 new security alerts

Three new security holes have been discovered in the latest versions of the Oracle database server. Below are the details of each discovery.

-------------------------------------------------------------------------
1 - Oracle Label Security Mandatory Security Patch

If you are not using Oracle Label Security, you do not need to worry about this issue. The Oracle Label Security mechanism contains a flaw which would allow a user to gain a higher level of access to data. A patch has been released for Oracle 8.1.7. Patchset 2 for Oracle 9.0.1 will address this problem for Oracle9i.

For additional details from Oracle, download the file http://otn.oracle.com/deploy/security/pdf/OLS817alert.pdf

-------------------------------------------------------------------------
2 - Oracle File Overwrite Security Vulnerability

This vulnerability affects all versions of Oracle running on UNIX. The SETUID bit on the executable file "oracle" can be exploited. Removing the SETUID bit can cause several problems with how Oracle functions. There are several workarounds for this issue. The best recommendation is to limit any access to the ORACLE_HOME directory to database administrators only. This can be done by changing the permissions on the ORACLE_HOME directory to 770. If ordinary users must run SQL*Plus, they should not be allowed to do so on the server Oracle runs on, but instead should run any commands using the client-server model.

For additional details from Oracle, download the file http://otn.oracle.com/deploy/security/pdf/oracle_race.pdf

-------------------------------------------------------------------------
3 - Oracle Trace Collection Security Vulnerability

This vulnerability affects all versions of Oracle running on UNIX. The SETUID bit on the executable file "otrcrep" can be exploited. The SETUID bit should be removed on all Oracle trace files including: otrccol, otrccref, otrcfmt, otrccrep. The best recommendation for any installation of Oracle on UNIX is to limit access to the ORACLE_HOME directory to database administrators only. This can be done by changing the permissions on the ORACLE_HOME directory to 770.

For additional details from Oracle, download the file http://otn.oracle.com/deploy/security/pdf/otrcrep.pdf

Thank you,
support@appsecinc.com
Application Security, Inc.
phone: 212-490-6022
-Protection Where It Counts-

------------------------------------------------------------------------
Application Security, Inc.
www.appsecinc.com
As pioneers in application security, we are an organization dedicated to the security, defense, and protection of one of the most commonly overlooked areas of security: the application layer. Application Security, Inc. provides solutions to proactively secure (penetration testing/vulnerability assessment), actively defend/monitor (intrusion detection), and protect (encryption) your most critical applications.
------------------------------------------------------------------------
To unsubscribe from this list, send an email to unsubscribe@appsecinc.com with the word "unsubscribe oracle" in the subject list.
------------------------------------------------------------------------
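The alert's two UNIX recommendations (drop the SETUID bit from the otrc* trace utilities, keep it on "oracle" but lock ORACLE_HOME down to mode 770) can be checked with a small audit script. The script below is an added example and is not part of the original alert or of any Oracle or Application Security, Inc. tooling; it builds a constructed, empty ORACLE_HOME tree under a temporary directory so it runs without a real installation, and the audit only inspects file modes, so a real run would point it at the actual ORACLE_HOME.

```shell
#!/bin/sh
# Added example (not from the alert): audit an ORACLE_HOME for setuid
# binaries and for world/group-readable top-level permissions.

# List regular files under $1 that carry the setuid bit, one path per line.
list_setuid() {
    find "$1" -type f -perm -4000 -print | sort
}

# Succeed (exit 0) only if "others" have no permission bits on directory $1,
# i.e. a mode such as 770 as the alert recommends. Uses ls so it stays POSIX.
others_locked_out() {
    others=$(ls -ld "$1" | cut -c8-10)
    [ "$others" = "---" ]
}

# Exit 0 when no trace utility is setuid and ORACLE_HOME is locked down;
# exit 1 and print WARN lines otherwise. Paths are assumed to contain no spaces.
audit_oracle_home() {
    home=$1
    status=0
    for f in $(list_setuid "$home"); do
        case $(basename "$f") in
            otrccol|otrccref|otrcfmt|otrccrep|otrcrep)
                echo "WARN: setuid bit set on trace utility $f (chmod u-s)"
                status=1 ;;
            oracle)
                # The alert says removing setuid here breaks Oracle; the
                # mitigation is restricting ORACLE_HOME, so only report it.
                echo "INFO: setuid bit set on $f (expected; restrict ORACLE_HOME)" ;;
            *)
                echo "INFO: other setuid file $f" ;;
        esac
    done
    if ! others_locked_out "$home"; then
        echo "WARN: $home is accessible to others (recommend chmod 770)"
        status=1
    fi
    return $status
}

# Constructed sample ORACLE_HOME (empty placeholder binaries, not a real install):
# "oracle" and "otrcrep" are setuid, and the directory is mode 775.
make_sample_home() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    for b in oracle otrcrep otrccol sqlplus; do
        : > "$d/bin/$b"
        chmod 755 "$d/bin/$b"
    done
    chmod u+s "$d/bin/oracle" "$d/bin/otrcrep"
    chmod 775 "$d"
    echo "$d"
}

SAMPLE=$(make_sample_home)
audit_oracle_home "$SAMPLE" || echo "audit found issues in $SAMPLE"
# Apply the alert's recommendations and re-check.
chmod u-s "$SAMPLE/bin/otrcrep"
chmod 770 "$SAMPLE"
audit_oracle_home "$SAMPLE" && echo "audit clean for $SAMPLE"
rm -rf "$SAMPLE"
```

The first audit pass warns about the setuid otrcrep and the 775 directory; after `chmod u-s` on the trace utility and `chmod 770` on the home the second pass is clean, while the setuid bit on "oracle" is reported as informational because the alert says removing it breaks Oracle.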