

   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-112
Oracle Database DBMS_AQELM Package Buffer Overflow Vulnerability

Original Issue Date: July 29, 2008

Severity Rating: Medium

System Affected

  • Oracle, Advanced Queuing component
  • Oracle, Database 9i, 9.2.0.8
  • Oracle, Database 9i, 9.2.0.8 DV
  • Oracle, Database 10g, 10.1.0.5
  • Oracle, Database 10g, 10.2.0.4
  • Oracle, Database 11g, 11.1.0.6

Overview

A vulnerability has been reported in the DBMS_AQELM package of Oracle Database. A remote attacker who can call a procedure in this package could exploit it to execute arbitrary code with the privileges of the database user.

Description

A buffer overflow vulnerability has been reported in the DBMS_AQELM package in Oracle Database. It is caused by improper input validation when a parameter passed to a procedure within this package is handled. Supplying a long, invalid string as that argument can trigger the overflow, which results in a denial of service (database corruption) and possibly arbitrary code execution with the privileges of the database user. Because the flaw is reached through a PL/SQL procedure call, the attacker needs a database session, that is, a set of valid credentials, to invoke it; any account that has EXECUTE on the package can reach the vulnerable code.

Solution

Apply the patches from the Oracle Critical Patch Update (July 2008) advisory:
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html
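The following checks, written for this note as an added example rather than taken from CERT-In or Oracle, let a DBA confirm the patch state and see who can reach the package. The views DBA_REGISTRY_HISTORY and DBA_TAB_PRIVS and the AUDIT and REVOKE statements are standard Oracle; the assumptions are that the database is 10g or later (9i has no DBA_REGISTRY_HISTORY, so use `opatch lsinventory` there) and that no application depends on PUBLIC having EXECUTE on DBMS_AQELM.

```sql
-- Added example: patch and exposure checks for the DBMS_AQELM issue.
-- Run as SYS or a user with SELECT on the DBA_ views. Assumes 10g or
-- later; on 9i check the patch inventory with "opatch lsinventory".

-- 1. Has a Critical Patch Update from July 2008 or later been recorded?
--    DBA_REGISTRY_HISTORY gets a row each time a CPU/PSU is applied;
--    ID carries the patch number and COMMENTS its label (e.g. "CPUJul2008").
SELECT action_time, action, namespace, version, id, comments
  FROM dba_registry_history
 ORDER BY action_time DESC;

-- 2. Which grantees can execute the vulnerable package? Every role or
--    user listed here (PUBLIC in particular) can reach the flawed procedure.
SELECT grantee, privilege, grantable
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_AQELM'
 ORDER BY grantee;

-- 3. Detection until patched: record every call to the package.
--    Records land in DBA_AUDIT_TRAIL when AUDIT_TRAIL is DB or DB,EXTENDED.
AUDIT EXECUTE ON SYS.DBMS_AQELM BY ACCESS;

-- 4. Interim mitigation (assumption: your applications do not need PUBLIC
--    access to this package; verify in a test environment first).
--    Uncomment only after confirming step 2 shows a grant to PUBLIC.
-- REVOKE EXECUTE ON SYS.DBMS_AQELM FROM PUBLIC;

-- 5. Reduce the exposure check to a single yes/no for reporting.
SELECT CASE WHEN COUNT(*) > 0 THEN 'PUBLIC can execute DBMS_AQELM'
            ELSE 'PUBLIC has no EXECUTE on DBMS_AQELM' END AS exposure
  FROM dba_tab_privs
 WHERE owner = 'SYS'
   AND table_name = 'DBMS_AQELM'
   AND grantee = 'PUBLIC'
   AND privilege = 'EXECUTE';
```

Step 1 only proves a CPU was registered, not that the specific fix is present; cross-check the patch number in ID against the July 2008 CPU advisory for your release. Steps 3 and 4 are stop-gaps that narrow who can hit the procedure and make attempts visible; the patch remains the fix.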

Vendor Information

Oracle Corporation
http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpujul2008.html

References

iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=726

SecuriTeam
http://www.securiteam.com/securitynews/5QP0C20OUU.html

CVE Name
CVE-2008-2607

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003