COMMAND

    Oracle

SYSTEMS AFFECTED

    Oracle 8 (8.03, 8.04, 8.05 and 8.15) - UNIX only

PROBLEM

    The following is based on an ISS Security Advisory.  Internet Security
    Systems (ISS) X-Force has discovered vulnerabilities in  superuser
    owned executables that may allow local root compromise.  Attackers
    may use these vulnerabilities  to create,  destroy, or  modify any
    file on the system, including files owned by the superuser.   This
    attack may be particularly useful to gain complete control of  the
    database system, to manipulate  Oracle database files, or  to deny
    service.

    Oracle has made  a recent effort  to secure setuid  administrative
    tools shipped with Oracle 8.  Certain utilities are still  shipped
    with  the  setuid  bit  enabled.   The  superuser  also owns these
    utilities.  ISS X-Force has determined that these  vulnerabilities
    are still exploitable in the  most current revisions of Oracle  8.
    The  vulnerabilities  described  in  this  advisory are similar to
    those  described  in  the  May  6th  ISS  X-Force Advisory titled,
    "Multiple  File  system  Vulnerabilities  in  Oracle  8."    These
    vulnerabilities  are  also  a  result  of implicit trust of Oracle
    system environment  variables, as  well as  insecure file creation
    and manipulation.   The combined  effect of  these vulnerabilities
    may allow local attackers to  create, append to, or overwrite  any
    file on the file-system as well as privileged oracle files.

    Temporary files that follow symbolic links are a common source  of
    vulnerabilities  in  setuid  executables.   Administrators  should
    remove  or  restrict  access  to  setuid  executables if possible.
    Developers of setuid programs need to take special precautions  to
    prevent the introduction of  vulnerabilities of this nature.   The
    ISS X-Force  recommends that  all Unix  developers become familiar
    with Matt Bishop's secure programming guide, available at

        http://olympus.cs.ucdavis.edu/~bishop/secprog.html
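
    As an added illustration of the precautions mentioned above (this is
    not code from ISS, Oracle, or the referenced guide), the following C
    helpers open files without following symbolic links. The function
    names and the file name "out.log" are hypothetical.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a brand-new file. O_EXCL fails with EEXIST if the name already
 * exists, including when it is a symlink planted by another user. */
int create_new_file(const char *path)
{
    return open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
}

/* Open an existing file for append. O_NOFOLLOW rejects a symlink (ELOOP);
 * fstat() on the descriptor then checks what was actually opened. */
int open_for_append(const char *path)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed self-check: in a private mkdtemp() directory, place a symlink
 * where the program expects its file and confirm both helpers refuse it.
 * Returns 1 when the link is refused and its target is left empty. */
int symlink_is_refused(void)
{
    char dir[] = "/tmp/demoXXXXXX", target[64], lnk[64];
    struct stat st;
    if (mkdtemp(dir) == NULL) return -1;
    snprintf(target, sizeof target, "%s/target", dir);
    snprintf(lnk, sizeof lnk, "%s/out.log", dir);   /* hypothetical name */
    close(open(target, O_WRONLY | O_CREAT, 0600));
    if (symlink(target, lnk) != 0) return -1;
    int a = create_new_file(lnk);   /* fails: EEXIST */
    int b = open_for_append(lnk);   /* fails: ELOOP  */
    int ok = a < 0 && b < 0 && stat(target, &st) == 0 && st.st_size == 0;
    unlink(lnk); unlink(target); rmdir(dir);
    return ok;
}
```

    A setuid program should additionally build such paths from fixed,
    compiled-in locations rather than from environment variables.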

    The following describes additional Oracle Intelligent Agent
    vulnerabilities.  The Intelligent Agent binary, 'dbsnmp', is a
    setuid root  executable.   The Intelligent  Agent is  a host-based
    agent that can be used to monitor, configure, and maintain  remote
    database  instances  with  the  Oracle  Enterprise  manager.   The
    Intelligent Agent is part of the Oracle distribution.

SOLUTION

    ISS X-Force  has worked  with Oracle  to provide  a patch  for the
    vulnerabilities  described  in  this  advisory.   This  patch   is
    available to the public on technet.oracle.com.  The direct URL is

        http://technet.oracle.com/misc/agent/section.htm

    See also this FAQ regarding the vulnerability:

        http://technet.oracle.com/misc/agent/faq.htm