Description
Oracle 8i and 9i with PL/SQL package for External Procedures (EXTPROC) allows remote attackers to bypass authentication and execute arbitrary functions by using the TNS Listener to directly connect to the EXTPROC process.
Affected products
- oracle / database_server 8.0.1 – 8.0.1
- oracle / database_server 8.0.2 – 8.0.2
- oracle / database_server 8.0.3 – 8.0.3
- oracle / database_server 8.0.4 – 8.0.4
- oracle / database_server 8.0.5 – 8.0.5
- oracle / database_server 8.0.5.1 – 8.0.5.1
- oracle / database_server 8.0.6 – 8.0.6
- oracle / database_server 8.1.5 – 8.1.5
- oracle / database_server 8.1.6 – 8.1.6
- oracle / database_server 8.1.7 – 8.1.7
- oracle / database_server 8.1.7.0.0 – 8.1.7.0.0
- oracle / oracle8i 8.1.5 – 8.1.5
- oracle / oracle8i 8.1.6 – 8.1.6
- oracle / oracle8i 8.1.7 – 8.1.7
- oracle / oracle8i 8.1.7.1 – 8.1.7.1
- oracle / oracle8i enterprise_8.0.5.0.0 – enterprise_8.0.5.0.0
- oracle / oracle8i enterprise_8.0.6.0.0 – enterprise_8.0.6.0.0
- oracle / oracle8i enterprise_8.0.6.0.1 – enterprise_8.0.6.0.1
- oracle / oracle8i enterprise_8.1.5.0.0 – enterprise_8.1.5.0.0
- oracle / oracle8i enterprise_8.1.5.0.2 – enterprise_8.1.5.0.2
- oracle / oracle8i enterprise_8.1.5.1.0 – enterprise_8.1.5.1.0
- oracle / oracle8i enterprise_8.1.6.0.0 – enterprise_8.1.6.0.0
- oracle / oracle8i enterprise_8.1.6.1.0 – enterprise_8.1.6.1.0
- oracle / oracle8i enterprise_8.1.7.0.0 – enterprise_8.1.7.0.0
- oracle / oracle8i enterprise_8.1.7.1.0 – enterprise_8.1.7.1.0
- oracle / oracle9i 9.0 – 9.0
- oracle / oracle9i 9.0.1 – 9.0.1
References
- VENDOR_ADVISORY: http://www.cert.org/advisories/CA-2002-08.html
- MAILING_LIST: http://marc.info/?l=bugtraq&m=101301332402079&w=2
- VENDOR_ADVISORY: http://otn.oracle.com/deploy/security/pdf/plsextproc_alert.pdf
- MISC: http://www.securityfocus.com/bid/4033
- MISC: https://exchange.xforce.ibmcloud.com/vulnerabilities/8089
- MISC: http://www.kb.cert.org/vuls/id/180147