The CERT/CC is aware of a report about a "remotely exploitable format string vulnerability in Oracle Application Server" that could allow an unauthenticated, remote attacker to execute arbitrary code on a vulnerable system.
Oracle Application Server uses the Apache HTTP Server to provide web services, including access to stored procedures via the Oracle PL/SQL module (modplsql or mod_plsql). The PL/SQL module provides a web-based administration interface to configure Database Access Descriptors (DAD) and cache settings. The CERT/CC is aware of a report of a format string vulnerability in Oracle Application Server. The report implies that the vulnerability exists in the web-based administration interface for the PL/SQL gateway. An attacker may be able to exploit this vulnerability by sending a specially crafted HTTP request to a vulnerable system. Further details about this vulnerability are not presently available, as the reporter (NGSSoftware) has intentionally released limited information in accordance with their disclosure policy. NGSSoftware reports that Oracle9iAS v18.104.22.168 for Windows NT/2000 was tested.
An unauthenticated remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. The HTTP server used by Oracle Application Server may run as SYSTEM on Windows NT and Windows 2000 systems.
Apply a Patch
Oracle Corporation Affected
Notified: May 31, 2002 Updated: June 18, 2002
We have not received a statement from the vendor.
The vendor has not provided us with any further information regarding this vulnerability.
NGSSoftware reports that Oracle9iAS v22.214.171.124 for Windows NT/2000 was tested.
The CERT/CC thanks David Litchfield of NGSSoftware for information used in this document.
This document was written by Art Manion.
Date First Published: 2002-06-04
Date Last Updated: 2003-06-02 19:05 UTC