COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle listener program 7.3.4, 8.0.6, and 8.1.6 on all platforms

PROBLEM

    Following  is  based  on  a  Internet  Security  Systems  Security
    Advisory.  Internet Security Systems (ISS) X-Force has  discovered
    a  vulnerability  in  the  listener  program  in Oracle Enterprise
    Server.  It is  possible for a remote  attacker to gain access  to
    the  Oracle  owner  operating   system  account  and  the   Oracle
    database, and to execute code in various operating systems.

    The Oracle  listener program  accepts remote  commands from remote
    listener  controllers.   If  configured  properly,  a  password is
    required to authenticate a user before issuing a listener command.
    The default Oracle installation does not allow a password for  the
    listener program to be indicated.  If a password has not been set,
    the  Oracle  listener  program  can  be  configured  to append log
    information to a file.  Due to a problem with the SET TRC_FILE and
    SET LOG_FILE  commands, these  values can  be changed  to any file
    name.  This allows an attacker to create a new file or corrupt  an
    existing file.

    The information logged  by the listener  program can be  specified
    by an attacker by sending a specially formed connect packet to the
    listener.   This  logged  information  can  be  changed to include
    commands  and  escape  characters,  allowing  an  attacker to gain
    access to an operating system account.

    This vulnerability was discovered and researched by Ben Layer  and
    Aaron Newman of Internet Security Systems.

SOLUTION

    Oracle recommends  that customers  download the  patches for  this
    vulnerability  from  Oracle's  Worldwide  Support Services website
    http://metalink.oracle.com.  Customers  can reference generic  bug
    number 1361722 filed against the listener program.

    ISS  SAFEsuite  security  assessment  software,  Database Scanner,
    currently determines if a  password is indicated for  the listener
    and how strong  the password is.  An upcoming release  of Database
    Scanner will be updated to determine if the Oracle patch has  been
    applied.