-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
TeamSHATTER Security Advisory
Oracle Database GeoRaster API overflow
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Database 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.
Details:
GeoRaster is a feature of Oracle Spatial that lets you store, index, query,
analyze, and deliver GeoRaster data. One of the GeoRaster APIs is prone to
stack-based overflow.
Impact:
An attacker that can connect to database with spatial support can execute
arbitrary code in the server's process context.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
Do not install spatial support in the database.
Fix:
Apply January 2013 CPU.
CVE:
CVE-2012-3220
Links:
http://www.oracle.com/
https://www.teamshatter.com/?
Timeline:
Vendor Notification - 5/3/2012
Vendor Response - 5/4/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
______________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmbNsACgkQRx91im
R60Anjf9fKfxgr6y4E28pn3Z+
=9NkT
-----END PGP SIGNATURE-----
Courtesy: securityfocus.com
Hash: SHA1
TeamSHATTER Security Advisory
Oracle Database GeoRaster API overflow
February 20, 2013
Risk Level:
High
Affected versions:
Oracle Database 10.2.0.3, 10.2.0.4, 10.2.0.5, 11.1.0.7, 11.2.0.2, 11.2.0.3
Remote exploitable:
Yes
Credits:
This vulnerability was discovered and researched by Martin Rakhmanov of
Application Security Inc.
Details:
GeoRaster is a feature of Oracle Spatial that lets you store, index, query,
analyze, and deliver GeoRaster data. One of the GeoRaster APIs is prone to
stack-based overflow.
Impact:
An attacker that can connect to database with spatial support can execute
arbitrary code in the server's process context.
Vendor Status:
Vendor was contacted and a patch was released.
Workaround:
Do not install spatial support in the database.
Fix:
Apply January 2013 CPU.
CVE:
CVE-2012-3220
Links:
http://www.oracle.com/
https://www.teamshatter.com/?
Timeline:
Vendor Notification - 5/3/2012
Vendor Response - 5/4/2012
Fix - 1/15/2013
Public Disclosure - 2/20/2013
- --
______________________________
Copyright (c) 2013 Application Security, Inc.
http://www.appsecinc.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (MingW32)
iEYEARECAAYFAlEmbNsACgkQRx91im
R60Anjf9fKfxgr6y4E28pn3Z+
=9NkT
-----END PGP SIGNATURE-----
Courtesy: securityfocus.com
No comments:
Post a Comment