

   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-111
Oracle Internet Directory Pre-Authentication LDAP Denial of Service Vulnerability

Original Issue Date: July 29, 2008

Severity Rating: Medium

System Affected

  • Oracle, Database 9i, 9.0.4.3
  • Oracle, Database 10g, 10.1.2.3
  • Oracle, Database 10g, 10.1.4.2

Overview

A vulnerability has been reported in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.4.2, which could be exploited by an attacker to deny service to legitimate users of the directory server.

Description

A pre-authentication input validation LDAP Denial of Service vulnerability has been reported in the Oracle Internet Directory component in Oracle Application Server 9.0.4.3, 10.1.2.3, and 10.1.4.2, caused by the handler dereferencing a NULL pointer when processing a malformed LDAP request.

Internet Directory consists of two processes. One process acts as a listener. It handles incoming connections and passes them off to the second process. The second process, which handles requests, contains the vulnerability.

When processing a malformed LDAP request, it is possible to cause the handler to dereference a NULL pointer. This results in the process crashing. Future connection requests will be accepted by the listener process, and then immediately closed when it finds that there is no handler process running. Thus, the exploitation of this vulnerability allows an attacker to conduct a denial of service attack on a vulnerable host.
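The failure mode above has a recognisable signature from the outside: the listener still accepts TCP connections, but closes them without any LDAP reply. The following health probe, an added example that is not part of this note or of Oracle's software, sends a hand-encoded anonymous LDAPv3 bind and classifies the server's state from what comes back; run_simulated_probe starts a throwaway loopback listener that mimics each state so the probe can be exercised offline.

```python
import socket
import threading

# Anonymous LDAPv3 simple BindRequest, messageID 1, hand-encoded BER (constructed here).
ANON_BIND = bytes([
    0x30, 0x0c,              # SEQUENCE (LDAPMessage), length 12
    0x02, 0x01, 0x01,        # INTEGER messageID = 1
    0x60, 0x07,              # [APPLICATION 0] BindRequest, length 7
    0x02, 0x01, 0x03,        # INTEGER version = 3
    0x04, 0x00,              # OCTET STRING name = "" (anonymous)
    0x80, 0x00,              # [0] simple authentication, empty password
])
# BindResponse (messageID 1, resultCode success) that a healthy server would return.
BIND_OK = bytes([0x30, 0x0c, 0x02, 0x01, 0x01, 0x61, 0x07,
                 0x0a, 0x01, 0x00, 0x04, 0x00, 0x04, 0x00])


def probe_ldap_handler(host, port, timeout=5.0):
    """Classify the directory server from one anonymous bind attempt.

    'listener-down': TCP connect failed.
    'handler-down' : connection accepted, then closed with no LDAP reply; this is
                     the symptom the note describes once the handler process has died.
    'healthy'      : a BER SEQUENCE (an LDAPMessage) came back.
    'no-response'  : connection stayed open but nothing arrived before the timeout.
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "listener-down"
    with sock:
        try:
            sock.sendall(ANON_BIND)
            data = sock.recv(1024)
        except socket.timeout:
            return "no-response"
        except OSError:          # e.g. connection reset while reading
            return "handler-down"
    if not data:
        return "handler-down"
    return "healthy" if data[0] == 0x30 else "unexpected"


def run_simulated_probe(mode):
    """Mimic one server state on 127.0.0.1 and probe it (simulation only)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    if mode == "listener-down":
        srv.close()                       # nothing listening at all
        return probe_ldap_handler("127.0.0.1", port, timeout=2.0)

    def serve():
        conn, _ = srv.accept()
        with conn:                        # 'handler-down': accept, then close at once
            if mode == "healthy":
                conn.recv(1024)
                conn.sendall(BIND_OK)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return probe_ldap_handler("127.0.0.1", port, timeout=2.0)
```

Point probe_ldap_handler at the directory server's LDAP port from a monitoring host; a result of 'handler-down' on a host that previously reported 'healthy' is the condition to alert on and to correlate with handler-process crash logs.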

Solution

Apply patches as mentioned in the Oracle Advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

Vendor Information

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

References

iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=725

SecuriTeam http://www.securiteam.com/securitynews/5RP0D20OUK.html

CVE Name
CVE-2008-2595

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003