Oracle Information for VU#561275
OpenSSL servers contain a remotely exploitable buffer overflow vulnerability during the SSL3 handshake process
- Date Notified: 29 Jul 2002
- Statement Date:
- Date Updated: 09 Aug 2002
Status: Affected
Vendor Statement
Please see http://otn.oracle.com/deploy/security/htdocs/opensslAlert.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Vendor References
None
Addendum
Oracle Security Alert #37
Dated: 1 August, 2002
Updated: 5 August, 2002
OpenSSL Security Vulnerability
Products affected:
- Oracle HTTP Server (OHS) shipped with the database up to and including version 9.2.0.
- Oracle9iAS versions earlier than 9.0.2, including all versions 1.0.2.x.
- CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1, 3.1.2, and 3.3 on Windows 98, NT, 2K, XP.
Description:
There are remotely exploitable buffer overflow vulnerabilities in OpenSSL versions prior to 0.9.6e.
These vulnerabilities may allow a remote attacker to execute arbitrary code or perform a denial-of-service (DoS) attack.
These problems are described in the OpenSSL Security Advisory [30 July 2002]:
[25]http://www.openssl.org/news/secadv_20020730.txt
These problems are also described in CERT Advisory CA-2002-23:
[26]http://www.cert.org/advisories/CA-2002-23.html
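The advisory's only stated threshold is "prior to 0.9.6e", which is awkward to check by eye because OpenSSL 0.9.6 releases use a trailing letter (0.9.6, 0.9.6a ... 0.9.6e) rather than a fourth number. The following inventory check is an added example, not part of the Oracle alert or the CERT note: it parses the banner printed by `openssl version` (for example "OpenSSL 0.9.6d 9 May 2002") into a comparable tuple and flags anything below 0.9.6e. The host names and banners in `SAMPLE_BANNERS` are constructed for the example. It models only the 0.9.6 branch threshold the page states; pre-release 0.9.7 builds carry a suffix such as "-beta" that this parser ignores, so those must be assessed against the linked OpenSSL advisory rather than this check.

```python
import re

# First release the advisory above names as fixed: 0.9.6e -> (major, minor, patch, letter).
FIXED_VERSION = (0, 9, 6, "e")

# Matches the leading part of the `openssl version` banner, e.g. "OpenSSL 0.9.6d 9 May 2002".
_BANNER_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")

# Constructed sample inventory (hypothetical host names) as a fleet scan might collect it.
SAMPLE_BANNERS = {
    "web-01.example.test": "OpenSSL 0.9.6d 9 May 2002",
    "web-02.example.test": "OpenSSL 0.9.6e 30 Jul 2002",
    "web-03.example.test": "OpenSSL 0.9.6 24 Sep 2000",
    "web-04.example.test": "OpenSSL 0.9.7 31 Dec 2002",
}


def parse_openssl_version(banner: str) -> tuple:
    """Return (major, minor, patch, letter) from an `openssl version` banner.

    The letter is "" for an unlettered release such as 0.9.6, which sorts
    before 0.9.6a in a plain tuple comparison, matching OpenSSL's ordering.
    """
    match = _BANNER_RE.search(banner)
    if match is None:
        raise ValueError(f"unrecognised OpenSSL version banner: {banner!r}")
    major, minor, patch, letter = match.groups()
    return int(major), int(minor), int(patch), letter


def is_affected(banner: str) -> bool:
    """True when the banner reports a version older than 0.9.6e."""
    return parse_openssl_version(banner) < FIXED_VERSION


def triage(banners: dict) -> dict:
    """Map each host to True (needs the 0.9.6e-or-later update) or False."""
    return {host: is_affected(banner) for host, banner in banners.items()}


if __name__ == "__main__":
    for host, affected in triage(SAMPLE_BANNERS).items():
        print(f"{host}: {'AFFECTED' if affected else 'ok'}")
```

Run it as-is to see the constructed inventory triaged; in practice `SAMPLE_BANNERS` would be replaced with banners gathered from the hosts being reviewed. Because the comparison is a tuple comparison, the check generalises to any later 0.9.6 letter release without changes.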
Workarounds:
There are no workarounds against the potential denial-of-service attack. Disabling SSL should prevent remote execution of code.
Users of Corporate Time Outlook Connector can disable TLS by adding the following section to the CTOC.INI file:
[CTOC]
allow-tls=FALSE
NOTE:
Disabling SSL or TLS will result in data being transmitted in the clear (i.e. unencrypted), including passwords when using Basic Authentication.
Patch Information:
Patches will be made available on MetaLink for Patch 2492925 as scheduled in the following table:
Product   Download   Release          Solaris    NT         HPUX       Linux      AIX        TRU64
iAS       1022       OHS .3.19        08/09/02   08/09/02   08/15/02   08/15/02   08/15/02   08/15/02
iAS       1021       OHS 1.3.12       08/08/02   08/08/02   08/09/02   08/09/02   08/09/02   08/09/02
iAS       1021s      OHS 1.0.2.1s     08/08/02   08/08/02   08/12/02   08/12/02   08/12/02   08/12/02
iAS       102        iAS 1.0.2        08/09/02   08/09/02   08/14/02   08/14/02   08/14/02   08/14/02
RDBMS     9.2        Oracle 9.2.0.0   08/08/02   08/08/02   08/08/02   08/08/02   08/08/02   08/08/02
RDBMS     901        Oracle 9.0.1.0   08/09/02   08/09/02   08/13/02   08/13/02   08/13/02   08/13/02
RDBMS     817        Oracle 8.1.7.0   08/09/02   08/09/02   08/16/02   08/16/02   08/16/02   08/16/02
Upgrade Information:
New releases of the Corporate Time Outlook Connector will address this vulnerability.
The following releases are scheduled to be released around 16 August, 2002:
1. CorporateTime Outlook Connector 3.3.1
2. Oracle Outlook Connector 3.4
Copyright © 2002, Oracle Corporation. All rights reserved.
References
25. http://www.openssl.org/news/secadv_20020730.txt
26. http://www.cert.org/advisories/CA-2002-23.html
27. http://otn.oracle.com/contact
28. http://www.oracle.com/html/index.html?copyright.html
29. http://www.oracle.com/html/index.html?privacy.html