Oracle File Overwrite Security Vulnerability
October 23, 2001
This vulnerability affects all versions of Oracle running on UNIX.
The executable file "oracle" is installed with the SETUID bit set, so it runs
with the privileges of its owner rather than those of the user who invokes it.
A local user can abuse this to overwrite files with those privileges. Simply
removing the SETUID bit is not a fix: the database depends on it, and clearing
it causes several problems with how Oracle functions.
There are several workarounds for this issue. The best recommendation is to
limit all access to the ORACLE_HOME directory to database administrators
only. This can be done by changing the permissions on the ORACLE_HOME
directory to 770 (owner and group only, no access for other users), which
presumes that the directory is owned by the Oracle software owner and the DBA
group. If ordinary users must run SQL*Plus, they should not be allowed to do
so on the server Oracle runs on; instead they should connect from a separate
client machine and run their commands over the network using the
client-server model.
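The procedure above, as an added example in POSIX shell (this is not from the Oracle advisory or the linked paper): it lists every setuid or setgid file under an Oracle home so the administrator can see what is exposed, restricts the home directory to mode 770, and verifies that "other" users have lost access. It assumes ORACLE_HOME is already owned by the Oracle software owner and the DBA group; the scratch directory it builds with a fake setuid "oracle" file exists only so the script can be run safely offline.

```shell
#!/bin/sh
# Added example: audit and tighten permissions on an Oracle home tree.
# Assumptions (not stated in the advisory): the directory is owned by the
# Oracle software owner and the DBA group, and a scratch directory stands
# in for the real ORACLE_HOME so this can be run without touching a server.

# Print every regular file under the given tree that carries the setuid
# (4000) or setgid (2000) bit. On a real install "bin/oracle" shows up here.
list_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# Read a file's permission bits in octal. GNU stat and BSD stat use
# different flags, so try the GNU form first and fall back to BSD.
stat_mode() {
    if stat -c '%a' "$1" >/dev/null 2>&1; then
        stat -c '%a' "$1"
    else
        stat -f '%Lp' "$1"
    fi
}

# Restrict the directory to owner and group only: rwxrwx--- (0770).
# Prints the resulting mode so the caller can confirm it took effect.
restrict_home() {
    chmod 770 "$1"
    stat_mode "$1"
}

# Return success (0) if users outside the owner and group still have any
# access to the path, i.e. the last octal digit ("other") is non-zero.
others_have_access() {
    mode=$(stat_mode "$1")
    other=$(printf '%s' "$mode" | tail -c 1)
    [ "$other" != "0" ]
}

# Build a scratch "ORACLE_HOME" containing a fake setuid oracle binary,
# world-accessible as a freshly installed home typically is. Constructed
# purely for demonstration; prints the directory path.
make_demo_home() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    printf '#!/bin/sh\nexit 0\n' > "$d/bin/oracle"
    chmod 4755 "$d/bin/oracle"   # mimic the setuid executable
    chmod 755 "$d"               # everyone may traverse the home
    printf '%s' "$d"
}

# Demonstration run: audit, then lock down, then clean up the scratch tree.
home=$(make_demo_home)
echo "setuid/setgid files under $home:"
list_setuid "$home"
echo "ORACLE_HOME mode before: $(stat_mode "$home")"
echo "ORACLE_HOME mode after:  $(restrict_home "$home")"
rm -rf "$home"
```

On a real server run `list_setuid "$ORACLE_HOME"` first and confirm that the only setuid entries are the ones Oracle ships; then apply `restrict_home "$ORACLE_HOME"` only after checking with `ls -ld` that the group on the directory really is the DBA group, otherwise mode 770 locks the administrators out as well.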
For additional details from Oracle, see the paper at
http://otn.oracle.com/deploy/security/pdf/oracle_race.pdf