Hi Team SHATTER,

Apologies for the very late reply, but I had a question regarding your advisory. I am CC'ing Oracle's security contact in hopes they can also reply with clarification.

: Oracle Database Buffer Overflow in SYS.KUPF$FILE_INT.GET_FULL_FILENAME (DB11)

: Details:
: Oracle Database Server provides the SYS.KUPF$FILE_INT package. This
: package contains the procedure GET_FULL_FILENAME which is vulnerable to
: buffer overflow attacks.
:
: Impact:
: Any Oracle database user with EXECUTE privilege on the package
: SYS.KUPF$FILE_INT can exploit this vulnerability. By default, users
: granted EXECUTE_CATALOG_ROLE have the required privilege. Exploitation
: of this vulnerability allows an attacker to execute arbitrary code. It
: can also be exploited to cause DoS (Denial of service) killing the
: Oracle server process.

Cliff notes: SYS.KUPF$FILE_INT.GET_FULL_FILENAME remote overflow, "execute arbitrary code .. also .. cause DoS".

CVE-2008-1820
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuapr2008.html

From the Oracle advisory:

DB11 Data Pump Oracle Net Execute on KUPF$FILE_INT No 4.0 Network Low Single None None Partial

Cliff notes: Confidentiality = None. Integrity = None. Availability = Partial.

Summary: Team SHATTER says this is a remote overflow that allows for the execution of arbitrary code (CVSS2 9.0). Oracle says this is a limited DoS condition (CVSS2 4.0). That is a big discrepancy.

Based on disclosure history, Team SHATTER has a higher confidence rating and is generally considered more trustworthy than Oracle. As a responsible security professional, I have to assume their research is accurate and their advisory should be taken more seriously than Oracle's.

Any input from either side to help clarify?

- security curmudgeon

p.s. Same exact question and CVSS2 scores for SYS.DBMS_AQJMS_INTERNAL (DB15), CVE-2008-1821, same Oracle CPU.
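The two scores quoted in the message above can be reproduced from the CVSS v2 base equations. This is an added example, not part of the original e-mail or either advisory. The Oracle metrics are taken from the risk-matrix row quoted in the message; the code-execution vector (same exploitability metrics with Complete C/I/A impact) is an assumption chosen because it yields the 9.0 the message cites.

```python
# Added example: CVSS v2 base-score equations with the standard metric weights.
AV = {"Local": 0.395, "Adjacent Network": 0.646, "Network": 1.0}
AC = {"High": 0.35, "Medium": 0.61, "Low": 0.71}
AU = {"Multiple": 0.45, "Single": 0.56, "None": 0.704}
CIA = {"None": 0.0, "Partial": 0.275, "Complete": 0.660}


def base_score(av, ac, au, c, i, a):
    """Return the CVSS v2 base score for the given metric words."""
    impact = 10.41 * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = 0.0 if impact == 0 else 1.176
    return round((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact, 1)


def vector(av, ac, au, c, i, a):
    """Render the metric words as a compact CVSS v2 vector string."""
    return "AV:%s/AC:%s/Au:%s/C:%s/I:%s/A:%s" % tuple(
        word[0] for word in (av, ac, au, c, i, a)
    )


# Metrics from the Oracle risk-matrix row quoted in the message.
ORACLE_ROW = ("Network", "Low", "Single", "None", "None", "Partial")

# Assumption: arbitrary code execution scored as Complete C/I/A with the
# same access metrics. The message gives only the resulting 9.0.
CODE_EXEC_ASSUMED = ("Network", "Low", "Single",
                     "Complete", "Complete", "Complete")


def compare():
    """Return {label: (vector, score)} for both readings of the bug."""
    return {
        "oracle_dos": (vector(*ORACLE_ROW), base_score(*ORACLE_ROW)),
        "code_exec": (vector(*CODE_EXEC_ASSUMED),
                      base_score(*CODE_EXEC_ASSUMED)),
    }


if __name__ == "__main__":
    for label, (vec, score) in compare().items():
        print(f"{label:11s} {vec:32s} {score}")
```

The exploitability half of both vectors is identical, so the entire 5-point gap comes from the impact metrics, which is exactly the part the two parties disagree on.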