Buffer Overflow in SYS_CONTEXT() in Oracle 9i Rel.2
Name: Buffer Overflow in SYS_CONTEXT() in Oracle9i Rel.2
Systems Affected: Oracle9i Rel. 2 (Windows platform only)
Severity: Medium Risk
Category: Buffer Overflow
Vendor URL: http://www.oracle.com
Author: Alexander Kornbrust (ak at red-database-security.com)
Date: 15 Apr 2005 (V 1.01)
Advisory: RDS_20040903_2
Details
Any valid database user who can run SQL commands (e.g. via SQL*Plus) can trigger a buffer overflow
by abusing the SYS_CONTEXT() function. This vulnerability affects only the Windows versions of Oracle 9i Rel. 2 (9.2.0.0 - 9.2.0.4).
Oracle 9i Rel. 1 and Oracle 10g are NOT affected.
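
To triage an inventory against the affected range stated above, the following added example (not part of the original advisory) classifies an instance from the BANNER rows of `SELECT banner FROM v$version`. The banner layout, the sample rows and the function name `triage` are assumptions constructed for illustration; a version banner alone cannot confirm that the patch is installed, so a match means "check patch status".

```python
import re

# Affected range from the advisory: Oracle9i Rel. 2, 9.2.0.0 - 9.2.0.4, Windows only.
AFFECTED_LOW = (9, 2, 0, 0)
AFFECTED_HIGH = (9, 2, 0, 4)

# Assumed banner layout, e.g. "Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production"
RELEASE_RE = re.compile(r"^Oracle.*\bRelease\s+(\d+(?:\.\d+)+)")
# Assumed platform line, e.g. "TNS for 32-bit Windows: Version 9.2.0.4.0 - Production"
TNS_RE = re.compile(r"^TNS for (.+?):\s+Version")

# Constructed sample rows, not taken from a real system.
SAMPLE_WINDOWS_9204 = [
    "Oracle9i Enterprise Edition Release 9.2.0.4.0 - Production",
    "PL/SQL Release 9.2.0.4.0 - Production",
    "TNS for 32-bit Windows: Version 9.2.0.4.0 - Production",
]


def triage(banner_lines):
    """Return 'in-affected-range', 'not-affected' or 'unknown' for one instance."""
    version = platform = None
    for line in banner_lines:
        line = line.strip()
        m = RELEASE_RE.match(line)
        if m:
            # Compare the first four components; pad short versions with zeros.
            parts = [int(p) for p in m.group(1).split(".")][:4]
            version = tuple(parts + [0] * (4 - len(parts)))
        m = TNS_RE.match(line)
        if m:
            platform = m.group(1)
    if version is None:
        return "unknown"
    if not (AFFECTED_LOW <= version <= AFFECTED_HIGH):
        return "not-affected"      # outside 9.2.0.0 - 9.2.0.4 (e.g. 9i Rel. 1, 10g)
    if platform is None:
        return "unknown"           # version in range, platform line missing
    # Only Windows builds are listed as affected.
    return "in-affected-range" if "windows" in platform.lower() else "not-affected"


if __name__ == "__main__":
    print(triage(SAMPLE_WINDOWS_9204))
```
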
Workarounds
No workarounds available.
Patch Information
Please see MetaLink Document ID 281189.1 for the patch download procedures and for the Patch Availability Matrix for this Oracle Security Alert.
http://metalink.oracle.com/metalink/plsql/ml2_documents.showDocument?p_database_id=NOT&p_id=281189.1
History:
2 September 2003 Oracle was informed
2 September 2003 Bug confirmed
31 August 2004 Oracle published alert 68
About Red-Database-Security GmbH
Red-Database-Security GmbH is a specialist in Oracle Security.
http://www.red-database-security.com/
info at red-database-security.com
(c) 2004 by Red-Database-Security GmbH