|
Denial of Service in Oracle interMedia
April 18, 2005
To determine if you are vulnerable to this attack, download AppDetective
from http://www.appsecinc.com/products/appdetective/oracle
Risk level: Medium
Credits: This vulnerability was discovered and researched by Esteban Martínez Fayó of Argeniss for AppSec, Inc.
Affected Versions:
Oracle Database Server versions 9i and 10g
Details:
Within the Oracle interMedia system, two types (ORDImage and ORDDoc) have a vulnerability that can cause a Denial of Service condition. When trying to load a specially constructed file, or when setting specially constructed data to object's property, a Denial of service can be triggered making Oracle server process consume 100% CPU usage. The service needs to be restarted to resume normal operation.
This vulnerability can be exploited remotely by supplying a specially constructed file to an application that uses the vulnerable objects to process the file in the database server.
Impact:
By default PUBLIC has execute permission on these objects so any Oracle database user can exploit this vulnerability. Exploitation of this vulnerability will allow an attacker to cause a DOS (Denial of service).
Vendor Status:
Vendor was contacted and a patch was released.
Fix:
Apply Oracle Critical Patch Update April 2005 available at http://metalink.oracle.com
Links:
Oracle Security Alert: http://www.oracle.com/technology/deploy/security/pdf/cpuapr2005.pdf
|
