Oracle: SSL Update for CERT CA200326 and older SSL issues

December 5, 2003

[From Oracle Technology Network]

This alert addresses SSL vulnerabilities detailed in CERT Advisory CA200326, and SSL vulnerabilities detailed in several older Common Vulnerabilities and Exposures (CVE) candidates , as follows:

  • CERT CA200326 documents SSL vulnerabilities that can be exploited when carefully crafted X.509 certificates are presented by clients, even when X.509 client certificates are not enabled. The CVE numbers for these issues are CAN20030544 and CAN20030545.
  • CERT CA200326 also documents a vulnerability that is only present when processing of X.509 client certificates is enabled. The CVE number for this issue is CAN20030543. This vulnerability affects all products that use SSL and accept client certificates in the Oracle9i Application Server, the Oracle9i Database Server, and the Oracle8i Database Server.
  • The patches provided in this alert also fix the following older CVE issues: CVE20020082, CAN20030078, CAN20030147, and CAN20030131.

Multiple database, application and HTTP servers are affected.

The article continues at http://otn.oracle.com/deploy/security/pdf/2003alert62.pdf