Oracle9i Database Buffer Overflow Vulnerability in iSQL*Plus

November 5, 2002

A potential buffer overflow security vulnerability has been discovered in the iSQL*Plus component of Oracle9i Database. All versions of Oracle9i, including the recently released Oracle9i Database Release 2, are susceptible to the vulnerability. Oracle has issued a severity level of 2 for this vulnerability.

A malicious user could take advantage of the vulnerability to pass a USERID parameter that may result in a remote buffer overflow exploit against iSQL*Plus. SQL*Plus is not affected by the exploit.

Future releases of Oracle Database will contain the fix by default, and patches are available from the Oracle Worldwide Support Services web site for current releases (accessible using Bug Number 2581911).

Credit goes to David Litchfield of Next Generation Security Software Limited for discovering the potential security vulnerability and bringing it to Oracle's attention.

Additional information on the vulnerability and download links for the patch are available at http://otn.oracle.com/deploy/security/pdf/2002alert46rev1.pdf.


Back to Database Journal Home








The Network for Technology Professionals

Search:

About Internet.com

Legal Notices, Licensing, Permissions, Privacy Policy.
Advertise | Newsletters | E-mail Offers