Oracle 10gR2 Vuln, Old AIX Vuln Exploited

Oracle Database 10g Release 2 is vulnerable to a buffer overflow. The vulnerability is due to an error in the processing of the NAME and OWNER arguments passed to the XDB.XDB_PITRIG_PKG.PITRIG_DROPMETADATA procedure. When the combined length of the two arguments reaches a certain length, a buffer overflow occurs, allowing the execution of arbitrary code. This vulnerability can only be exploited by authenticated users. Oracle has a fix slated for release in the next Critical Patch Update.

An exploit has been released for an AIX format string vulnerability. The exploit targets CVE-2006-4254. A patch has been available for quite some time. If you're an admin of an AIX system and haven't applied any APARs lately, now would be the time to consider doing it.
