Oracle Security Alert #45
Dated: 04 October 2002 (Updated: 10 October 2002)
Severity: 1

Security Release of Apache 1.3.27

Apache has released version 1.3.27 of its HTTP Server that contains fixes for the security vulnerabilities noted below and described at http://cve.mitre.org. The vulnerabilities that affect all of the supported versions of the Oracle HTTP Server (OHS) are:

CAN-2002-0839: This is a security vulnerability involving System V shared memory based scoreboards. It can only occur on Oracle Linux and HP ports. Exploitation of this vulnerability requires that a malicious and knowledgeable user be able to run his programs on the server web site. As a few commercial web sites allow this, the vulnerability applies to few sites. If a malicious and knowledgeable user is able to run his own programs, the web site has more serious, unrelated security issues than the exploit of this vulnerability.
CAN-2002-0840: This is a cross-site scripting vulnerability involving the default error 404 pages. It can occur on all Oracle database platforms. Exploitation of this vulnerability requires the use of wildcard DNS and the setting of UseCanonicalNames = OFF.
CAN-2002-0843: There were potential buffer overflows in Apache Bench (ab) that could be exploited by a malicious server. Note that 'ab' is not in Apache itself but is an HTTP client utility used for generating load for performance testing. This vulnerability only occurs when the 'ab' load generating HTTP client, used for performance testing, is used against a malicious HTTP server.

These security vulnerabilities are described in more detail at http://cve.mitre.org/

Product affected
OHS in Oracle Database Releases 8.1.7.x, 9.0.1.x and 9.2.x
OHS in Oracle9i Application Server Releases 1.0.2.x and 9.0.2.x

Platforms affected
All except as noted in item #1 in the Description above.

Ray Stell stellr_at_vt.edu (540) 231-4109 KE4TJC
Author: Ray Stell
INET: stellr_at_cns.vt.edu
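A quick way to check an OHS host against the CAN-2002-0840 conditions listed in the alert, as an added example that is not part of the original post or of any Oracle tooling. It assumes the httpd.conf directive is spelled UseCanonicalName (the alert writes "UseCanonicalNames"), that the Apache version is taken from "httpd -v" output or a Server header, and, per the CVE description, that with UseCanonicalName Off the default error page builds its self-referential URL from the client-supplied Host header, which is why wildcard DNS plus a crafted hostname matters. The httpd.conf excerpt below is constructed for the example; function names and the finding strings are my own.

```python
import re
from typing import List, Optional, Tuple

# Apache 1.3.27 carries the fix for CAN-2002-0840 (per the alert above).
FIXED_VERSION = (1, 3, 27)

# Constructed httpd.conf excerpt, not from any real OHS install.
SAMPLE_CONF = """
ServerName www.example.com
UseCanonicalName On       # global: self-referential URLs use ServerName

<VirtualHost 10.0.0.5:7777>
    ServerName apps.example.com
    UseCanonicalName Off  # weak setting: Host header is echoed into error pages
</VirtualHost>
"""


def parse_apache_version(banner: str) -> Optional[Tuple[int, int, int]]:
    """Extract (major, minor, patch) from `httpd -v` output or a Server header,
    e.g. 'Server version: Apache/1.3.26 (Unix)' -> (1, 3, 26)."""
    m = re.search(r"Apache/(\d+)\.(\d+)\.(\d+)", banner)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def canonical_name_settings(conf: str) -> List[Tuple[str, str]]:
    """Return (scope, value) for every UseCanonicalName directive, where scope is
    'server' or the address of the <VirtualHost> block it sits in. Directive
    names are case-insensitive in Apache; trailing '#' comments are stripped."""
    scope = "server"
    found: List[Tuple[str, str]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"<VirtualHost\s+([^>]+)>", line, re.I)
        if m:
            scope = m.group(1).strip()
            continue
        if re.match(r"</VirtualHost>", line, re.I):
            scope = "server"
            continue
        m = re.match(r"UseCanonicalName\s+(\S+)", line, re.I)
        if m:
            found.append((scope, m.group(1).lower()))
    return found


def audit_can_2002_0840(banner: str, conf: str) -> List[str]:
    """List the conditions from the alert that hold on this host: a pre-1.3.27
    Apache plus any scope with UseCanonicalName Off. An empty list means the
    version already carries the fix, so the Host-header echo is not reachable.
    Note: Apache 1.3 defaults UseCanonicalName to On when it is not set."""
    ver = parse_apache_version(banner)
    if ver is None:
        return ["could not determine Apache version from banner"]
    if ver >= FIXED_VERSION:
        return []
    findings = ["Apache %d.%d.%d predates 1.3.27" % ver]
    for scope, value in canonical_name_settings(conf):
        if value == "off":
            findings.append(
                "UseCanonicalName Off in scope %s: default error pages echo "
                "the client-supplied Host header (CAN-2002-0840)" % scope
            )
    return findings


if __name__ == "__main__":
    for f in audit_can_2002_0840("Server version: Apache/1.3.26 (Unix)", SAMPLE_CONF):
        print("FINDING:", f)
```

Setting UseCanonicalName On (so self-referential URLs use ServerName) closes the reported path on an unpatched server, but the alert's actual remedy is the 1.3.27 build of OHS; the script reports both so you can see which hosts still need the upgrade.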


Posted to oracle-l: Oct 14, '02 at 7:28p