The Oracle JInitiator ActiveX control contains multiple stack buffer overflows, which could allow a remote, unauthenticated attacker to execute arbitrary code on a vulnerable system.
Oracle JInitiator allows users to run Oracle Developer Server applications within a web browser. Oracle JInitiator includes an ActiveX control called beans.ocx. The Oracle JInitiator ActiveX control is vulnerable to multiple stack buffer overflows in initialization parameters.
This vulnerability appears to be present in versions 1.1.8.x through 22.214.171.124 of the Oracle JInitiator software. In our testing, the 1.3.1.x versions of JInitiator do not contain these buffer overflows. However, installing a later version of the software will not remove the vulnerable version of the control.
A remote, unauthenticated attacker may be able to execute arbitrary code on a vulnerable system with privileges of the user.
This vulnerability was reported by Will Dormann of the CERT/CC.
This document was written by Will Dormann. Additional information was provided by Stephen Kost of Integrigy.
|Date First Published:||2007-08-28|
|Date Last Updated:||2009-04-13 17:16 UTC|