A potential buffer overflow security vulnerability has been discovered in the iSQL*Plus component of Oracle9i Database. All versions of Oracle9i, including the recently released Oracle9i Database Release 2, are susceptible to the vulnerability. Oracle has issued a severity level of 2 for this vulnerability.
A malicious user could take advantage of the vulnerability to pass a USERID parameter that may result in a remote buffer overflow exploit against iSQL*Plus. SQL*Plus is not affected by the exploit.
Future releases of Oracle Database will contain the fix by default, and patches are available from the Oracle Worldwide Support Services web site for current releases (accessible using Bug Number 2581911).
Credit goes to David Litchfield of Next Generation Security Software Limited for discovering the potential security vulnerability and bringing it to Oracle’s attention.
Additional information on the vulnerability and download links for the patch are available at
http://otn.oracle.com/deploy/security/pdf/2002alert46rev1.pdf.
Back to Database Journal Home