Reported February 17, 2003, by NGSSoftware.

 

 

VERSIONS AFFECTED

 

  • Oracle9i Database Releases 1 and 2

  • Oracle 8i Database 8i, 8.1.7, 8.0.6

 

DESCRIPTION

 

A vulnerability in Oracle’s Database Server can result in remote compromise of the vulnerable server. This vulnerability stems from a remotely exploitable buffer-overflow flaw in the TO_TIMESTAMP_TZ function. By supplying a long character string, an attacker can overwrite a saved return address on the stack of Oracle processes. For more details about this vulnerability, see the discoverer’s web site.
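A defender's check for the condition described above, as an added example that is not part of the original advisory: it scans SQL statement text (for instance from an audit trail) for TO_TIMESTAMP_TZ calls whose arguments are unusually long. The 128-character threshold, the helper names and the sample statements are assumptions constructed for illustration.

```python
import re

# Assumption: 128 is a tuning value chosen for this example, not a vendor figure.
MAX_ARG_LEN = 128
CALL_RE = re.compile(r"\bTO_TIMESTAMP_TZ\s*\(", re.IGNORECASE)

def call_args(sql, pos):
    """Split a call's top-level arguments, starting just after its '('."""
    args, buf, depth, in_str = [], [], 1, False
    while pos < len(sql):
        ch = sql[pos]
        if in_str:
            if ch == "'" and sql[pos + 1:pos + 2] == "'":
                buf.append(ch)          # first half of an escaped quote ('')
                pos += 1
            elif ch == "'":
                in_str = False          # closing quote of the literal
        elif ch == "'":
            in_str = True
        elif ch == "(":
            depth += 1                  # nested expression inside an argument
        elif ch == ")":
            depth -= 1
            if depth == 0:
                break                   # end of the TO_TIMESTAMP_TZ call
        elif ch == "," and depth == 1:
            args.append("".join(buf).strip())
            buf = []
            pos += 1
            continue
        buf.append(ch)
        pos += 1
    args.append("".join(buf).strip())   # also reached for an unterminated call
    return args

def oversized_calls(sql):
    """Return (argument_number, length) for each argument over the threshold."""
    return [(n, len(arg))
            for m in CALL_RE.finditer(sql)
            for n, arg in enumerate(call_args(sql, m.end()), start=1)
            if len(arg) > MAX_ARG_LEN]

# Constructed audit-trail statements (not taken from the advisory).
SAMPLE = [
    "SELECT TO_TIMESTAMP_TZ('2003-02-17 11:00:00 -8:00', 'YYYY-MM-DD HH:MI:SS TZH:TZM') FROM dual",
    "SELECT to_timestamp_tz ('" + "A" * 600 + "', 'YYYY') FROM dual",
]
for stmt in SAMPLE:
    print(oversized_calls(stmt) or "ok", "|", stmt[:50])
```

The check inspects only argument text visible in the statement, so it complements rather than replaces the guidance in Oracle's alert.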

 

VENDOR RESPONSE

 

Oracle has released an alert regarding this vulnerability.

 

CREDIT

Discovered by NGSSoftware.