Denial of Service Attack on SNMP master agent
March 5, 2002
For additional details, the official advisories from Oracle Corporation
can be downloaded from:
http://otn.oracle.com/deploy/security/pdf/snmp_2002_alert.pdf
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: Low
Summary:
Oracle Enterprise Manager allows a database to be monitored through the
SNMP protocol. A Denial of Service vulnerability has been discovered in
the master_peer agent which would allow an anonymous user to crash the
agent. The crash occurs when the master_peer agent receives a malformed
packet.
Versions/Products Affected:
EM Releases 1.6.5, 2.0, 2.1, 2.2, 9.0.1 running on (or "included with"):
- Oracle7 Database, Release 7.3.x
- Oracle8 Database, Releases 8.0.x
- Oracle8i Database, Releases 8.1.x
- Oracle9i Database, Release 9.0.1.x
Fix:
A patch is available for download from Metalink. It can be found by
searching Metalink for patch number 2224724. The patch repairs the
master agent's parsing of malformed packets so that they are dropped.
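
The fix describes the patched agent dropping malformed packets instead of crashing on them. The sketch below is an added illustration of that behaviour, not Oracle's code and not a reproduction of the flaw (the advisory does not say what the malformation is): a bounds-checked parser for the SNMP message envelope that rejects anything not well-formed. The function names, the size limit and the sample bytes are constructed for this example.

```python
class MalformedPacket(Exception):
    """Datagram is not a well-formed SNMP message envelope."""
MAX_DATAGRAM = 1472  # assumed limit: one Ethernet-sized UDP payload

def read_tlv(buf, pos, end):
    """Return (tag, value_start, value_end) for the BER TLV at pos, checked against end."""
    if pos + 2 > end:
        raise MalformedPacket("truncated TLV header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                    # short-form length
        length = first
    else:                               # long form: low 7 bits = number of length octets
        n = first & 0x7F
        if n == 0 or n > 2 or pos + n > end:
            raise MalformedPacket("indefinite, oversized or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if length > end - pos:              # value must fit inside the enclosing element
        raise MalformedPacket("length exceeds enclosing data")
    return tag, pos, pos + length

def parse_envelope(datagram):
    """Return (version, community, pdu_tag) or raise MalformedPacket."""
    if not 0 < len(datagram) <= MAX_DATAGRAM:
        raise MalformedPacket("bad datagram size")
    tag, start, end = read_tlv(datagram, 0, len(datagram))
    if tag != 0x30 or end != len(datagram):
        raise MalformedPacket("outer SEQUENCE does not span the datagram")
    tag, v0, v1 = read_tlv(datagram, start, end)
    if tag != 0x02 or v1 - v0 != 1 or datagram[v0] not in (0, 1):
        raise MalformedPacket("version is not SNMPv1/v2c")
    tag, c0, c1 = read_tlv(datagram, v1, end)
    if tag != 0x04:
        raise MalformedPacket("community is not an OCTET STRING")
    tag, _, p1 = read_tlv(datagram, c1, end)
    if tag & 0xE0 != 0xA0 or p1 != end:
        raise MalformedPacket("PDU tag or length is wrong")
    return datagram[v0], datagram[c0:c1], tag

def handle(datagram):
    """Agent-side wrapper: parsed envelope, or None meaning 'drop silently'."""
    try:
        return parse_envelope(datagram)
    except MalformedPacket:
        return None

# Constructed sample: SNMPv1 GetRequest for sysDescr.0, community "public".
GOOD = bytes.fromhex("302602010004067075626c6963a019020101020100020100300e300c06082b060102010101000500")
```

Every length field is checked against the bytes actually received before it is used, so a datagram that fails any check is discarded and the receive loop continues.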