Reported February 17, 2003, by NGSSoftware.

 

 

VERSIONS AFFECTED

 

  • Oracle9i Database Releases 1 and 2

  • Oracle 8i Database 8i, 8.1.7, 8.0.6

 

DESCRIPTION

 

A vulnerability in Oracle’s Database Server can result in remote compromise of the vulnerable server. This vulnerability stems from a remotely exploitable buffer-overflow vulnerability in the TZ_OFFSET function. By supplying a long character string for the time-zone name, an attacker can overwrite a saved return address on the stack of Oracle process. For more details about this vulnerability, see the discoverer’s web site.

 

 

VENDOR RESPONSE

 

Oracle has released an alert regarding this vulnerability.

 

CREDIT          

Discovered by NGSSoftware.