###############################################################
RDS_20040903_2 - Red-Database-Security GmbH Research Advisory
Name              Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2
Systems Affected  Oracle9i Rel. 2 (Windows platform only)
Severity          Medium Risk
Category          Buffer Overflow
Vendor URL        http://www.oracle.com
Author            Alexander Kornbrust (ak at red-database-security.com)
Date              3 Sep 2004 (V 1.0)
Advisory number   RDS_200400903_2
Description
###########
Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2.
Details
#######
Any valid database user who can run SQL commands (e.g. via SQL*Plus)
can trigger a buffer overflow by abusing the SYS_CONTEXT() function.
This vulnerability affects only the Windows versions of Oracle 9i Rel. 2 (9.2.0.0 - 9.2.0.4).
Oracle 9i Rel. 1 or Oracle 10g are NOT affected.
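As an added example (not part of the original advisory and not vendor tooling), the Python helper below classifies an instance from the output of SELECT banner FROM v$version against the affected range stated above. The banner strings are constructed samples and the function and constant names are hypothetical; a version match does not show whether the patch is installed.

```python
import re

# Affected range stated in the advisory: 9.2.0.0 - 9.2.0.4, Windows only.
AFFECTED_LOW, AFFECTED_HIGH = (9, 2, 0, 0), (9, 2, 0, 4)
_RELEASE = re.compile(r"^Oracle.*\bRelease\s+(\d+(?:\.\d+)+)")
_TNS = re.compile(r"^TNS for (.+?):\s+Version\s+(\d+(?:\.\d+)+)")

# Constructed sample banners (not taken from the advisory).
SAMPLE_WINDOWS = [
    "Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production",
    "PL/SQL Release 9.2.0.4.0 - Production",
    "TNS for 32-bit Windows: Version 9.2.0.4.0 - Production",
]
SAMPLE_LINUX = [
    "Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production",
    "TNS for Linux: Version 9.2.0.4.0 - Production",
]


def _version(text):
    """First four components of a dotted version, zero-padded, as a tuple."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0, 0])[:4])


def triage(banner_lines):
    """Return 'in-affected-range', 'outside-affected-range' or 'unknown'."""
    release = platform = None
    for line in banner_lines:
        line = line.strip()
        m = _RELEASE.match(line)
        if m:
            release = _version(m.group(1))
        m = _TNS.match(line)
        if m:
            platform = m.group(1)
    if release is None or platform is None:
        return "unknown"  # missing release or platform line: do not guess
    on_windows = "windows" in platform.lower()
    in_range = AFFECTED_LOW <= release <= AFFECTED_HIGH
    # A version match says nothing about whether the vendor patch is installed.
    return "in-affected-range" if on_windows and in_range else "outside-affected-range"


if __name__ == "__main__":
    for name, banner in (("windows", SAMPLE_WINDOWS), ("linux", SAMPLE_LINUX)):
        print(name, triage(banner))
```

Instances reported as in-affected-range still need their patch status confirmed against the MetaLink document referenced under Patch Information.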
Workarounds
###########
No workarounds available.
Patch Information
#################
Please see MetaLink Document ID 281189.1 for the patch download procedures and for
the Patch Availability Matrix for this Oracle Security Alert.
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
History:
########
2 September 2003 Oracle was informed
2 September 2003 Bug confirmed
31 August 2004 Oracle published alert 68
About Red-Database-Security GmbH
#################################
Red-Database-Security GmbH is a specialist in Oracle Security.
