Oracle Information for VU#308891

OpenSSL contains multiple buffer overflows in buffers that are used to hold ASCII representations of integers

Status

Affected

Vendor Statement

Please see http://otn.oracle.com/deploy/security/htdocs/opensslAlert.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

                                              Oracle Security Alert #37
                                                  Dated: 1 August, 2002
                                                Updated: 5 August, 2002

OpenSSL Security Vulnerability

Products affected:

   1. Oracle HTTP Server (OHS) shipped with the database up to and
      including version 9.2.0.
   2. Oracle9iAS versions earlier than 9.0.2, including all versions
      1.0.2.x.
   3. CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1,
      3.1.2, and 3.3 on Windows 98, NT, 2K, XP.

Description:

   There are remotely exploitable buffer overflow vulnerabilities in
   OpenSSL versions prior to 0.9.6e.
   These vulnerabilities may allow a remote attacker to execute
   arbitrary code or perform a denial-of-service (DoS) attack.
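   The bug class named at the top of this note (a fixed-size buffer
   holding the ASCII form of an integer) in constructed C, added here as
   an illustration and not taken from OpenSSL or Oracle: the buffer is
   sized for a 32-bit value's decimal text, an unbounded sprintf of a
   wider value would run past its end, and the hardened routine bounds
   the write and reports values that do not fit instead. The function
   names and the 12-byte size are assumptions of the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the bug class named in the advisory: a buffer
 * sized on the assumption that an integer's decimal text never exceeds a
 * 32-bit value's width (sign + 10 digits + NUL = 12 bytes). This is not
 * OpenSSL's code; the names below are invented for the example. */
#define ASSUMED_INT_BUF 12

/* Bytes (NUL included) that printf-style "%lld" formatting of v needs.
 * snprintf with a zero-length destination writes nothing and returns the
 * length it would have produced, so this is a safe way to size a buffer. */
size_t ascii_len_of_ll(long long v) {
    int n = snprintf(NULL, 0, "%lld", v);
    return (size_t)n + 1;
}

/* The vulnerable pattern is sprintf(buf, "%lld", v) into a fixed 12-byte
 * buffer. Rather than perform that out-of-bounds write (undefined
 * behaviour), this predicate reports whether it would overflow. */
bool unbounded_write_would_overflow(long long v) {
    return ascii_len_of_ll(v) > ASSUMED_INT_BUF;
}

/* Hardened form: bounded write that reports a non-fitting value as an error
 * instead of writing past the end. Returns the character count on success,
 * -1 on truncation (with out set to the empty string). */
int format_ll_bounded(char *out, size_t out_len, long long v) {
    int n = snprintf(out, out_len, "%lld", v);
    if (n < 0 || (size_t)n >= out_len) {
        if (out_len > 0) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Renders v into a buffer of the assumed size using the bounded routine.
 * Returns the character count, or -1 when the value does not fit. */
int try_assumed_buffer(long long v) {
    char buf[ASSUMED_INT_BUF];
    return format_ll_bounded(buf, sizeof buf, v);
}

/* True when the bounded routine renders v as expected into the assumed-size
 * buffer; false if it did not fit or the text differs. */
bool bounded_render_equals(long long v, const char *expected) {
    char buf[ASSUMED_INT_BUF];
    if (format_ll_bounded(buf, sizeof buf, v) < 0) return false;
    return strcmp(buf, expected) == 0;
}

int main(void) {
    /* Constructed sample values: the 32-bit extremes fit, a 64-bit extreme
     * does not. */
    long long samples[] = { 0, 2147483647LL, -2147483648LL, 9223372036854775807LL };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        long long v = samples[i];
        printf("%lld: needs %zu bytes, unbounded write overflows: %s, bounded result: %d\n",
               v, ascii_len_of_ll(v),
               unbounded_write_would_overflow(v) ? "yes" : "no",
               try_assumed_buffer(v));
    }
    return 0;
}
```

   The fix is not the predicate (which exists only to keep the example
   well-defined) but the bounded formatter: checking snprintf's return
   value against the buffer size turns a memory-safety failure into an
   ordinary error path.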

   These problems are described in the OpenSSL Security Advisory [30
   July 2002]:

     [25]http://www.openssl.org/news/secadv_20020730.txt

   These problems are also described in CERT Advisory CA-2002-23:

     [26]http://www.cert.org/advisories/CA-2002-23.html

Workarounds:

   There are no workarounds against the potential denial-of-service
   attack.  Disabling SSL should prevent remote execution of code.

   Users of Corporate Time Outlook Connector can disable TLS by adding
   the following section to the CTOC.INI file:

      [CTOC]
      allow-tls=FALSE

NOTE:

   Disabling SSL or TLS will result in data being transmitted in the
   clear (i.e. unencrypted), including passwords when using Basic
   Authentication.

Patch Information:

   Patches will be made available on MetaLink for Patch 2492925 as
   scheduled in the following table:

   Product  Download  Release         Solaris   NT        HPUX      Linux     AIX       TRU64
   iAS      1022      OHS .3.19       08/09/02  08/09/02  08/15/02  08/15/02  08/15/02  08/15/02
   iAS      1021      OHS 1.3.12      08/08/02  08/08/02  08/09/02  08/09/02  08/09/02  08/09/02
   iAS      1021s     OHS 1.0.2.1s    08/08/02  08/08/02  08/12/02  08/12/02  08/12/02  08/12/02
   iAS      102       iAS 1.0.2       08/09/02  08/09/02  08/14/02  08/14/02  08/14/02  08/14/02
   RDBMS    9.2       Oracle 9.2.0.0  08/08/02  08/08/02  08/08/02  08/08/02  08/08/02  08/08/02
   RDBMS    901       Oracle 9.0.1.0  08/09/02  08/09/02  08/13/02  08/13/02  08/13/02  08/13/02
   RDBMS    817       Oracle 8.1.7.0  08/09/02  08/09/02  08/16/02  08/16/02  08/16/02  08/16/02

Upgrade Information:

   New releases of the Corporate Time Outlook Connector will address
   this vulnerability.
   The following releases are scheduled to be released around 16
   August, 2002:
    1. CorporateTime Outlook Connector 3.3.1
    2. Oracle Outlook Connector 3.4


   Copyright 2002, Oracle Corporation. All rights reserved.

References

  25. http://www.openssl.org/news/secadv_20020730.txt
  26. http://www.cert.org/advisories/CA-2002-23.html