Oracle Security Alert #37
Dated: 1 August, 2002
Updated: 5 August, 2002

OpenSSL Security Vulnerability

Products affected:

    Oracle HTTP Server (OHS) shipped with the database up to and including version 9.2.0.

    Oracle9iAS versions earlier than 9.0.2, including all versions 1.0.2.x.

    CorporateTime Outlook Connector (CTOC), versions 3.1, 3.1.1, 3.1.2, and 3.3 on Windows 98, NT, 2K, XP.

Description:

There are remotely exploitable buffer overflow vulnerabilities in OpenSSL versions prior to 0.9.6e.
These vulnerabilities may allow a remote attacker to execute arbitrary code or perform a denial-of-service (DoS) attack.

These problems are described in the OpenSSL Security Advisory [30 July 2002]:

http://www.openssl.org/news/secadv_20020730.txt


These problems are also described in CERT Advisory CA-2002-23:

http://www.cert.org/advisories/CA-2002-23.html
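As an added example (not part of Oracle's alert or of the OpenSSL project's code), the following Python helper parses the version string reported by `openssl version` and flags any host still running a release older than the 0.9.6e fix level named above. The host inventory it checks is constructed sample data, not output from real systems.

```python
import re
from typing import Dict, List, Tuple

# Fixed release named in the advisory: anything older is affected.
FIXED_VERSION = "0.9.6e"

# OpenSSL 0.9.x releases look like "0.9.6", "0.9.6d", "0.9.6e": three numbers
# plus an optional single patch letter.
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, int]:
    """Extract the first OpenSSL version found in `text` (e.g. the output of
    `openssl version`) and return a tuple that compares correctly.
    The patch letter is mapped to an ordinal: no letter -> 0, 'a' -> 1, ...
    so that 0.9.6 < 0.9.6a < ... < 0.9.6e."""
    match = _VERSION_RE.search(text)
    if not match:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    major, minor, patch, letter = match.groups()
    suffix = (ord(letter) - ord("a") + 1) if letter else 0
    return (int(major), int(minor), int(patch), suffix)


def is_vulnerable(version_text: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the version in `version_text` is older than the fixed release."""
    return parse_openssl_version(version_text) < parse_openssl_version(fixed)


def triage(inventory: Dict[str, str]) -> List[str]:
    """Given {hostname: output of `openssl version`}, return the sorted list of
    hosts whose OpenSSL build predates FIXED_VERSION."""
    return sorted(host for host, output in inventory.items() if is_vulnerable(output))


# Constructed sample inventory (hypothetical hostnames, made-up capture).
SAMPLE_INVENTORY = {
    "web01": "OpenSSL 0.9.6d 9 May 2002",
    "web02": "OpenSSL 0.9.6e 30 Jul 2002",
    "web03": "OpenSSL 0.9.6 24 Sep 2000",
    "db01": "OpenSSL 0.9.6g 9 Aug 2002",
}

if __name__ == "__main__":
    for host in triage(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} -> older than {FIXED_VERSION}")
```

The version string is only a first-pass indicator: vendors that backport fixes (and Oracle's own bundled builds) may keep an old version number while shipping patched code, so a host flagged here should be confirmed against the patch level actually installed rather than treated as proven vulnerable.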

Workarounds:

There are no workarounds against the potential denial-of-service attack.  Disabling SSL should prevent remote execution of code.

Users of Corporate Time Outlook Connector can disable TLS by adding the following section to the CTOC.INI file:

    [CTOC]
    allow-tls=FALSE

NOTE:

Disabling SSL or TLS will result in data being transmitted in the clear (i.e. unencrypted), including passwords when using Basic Authentication.

Patch Information:

Patches will be made available on MetaLink for Patch 2492925 as scheduled in the following table:
Product     Download  Release   Solaris   NT        HPUX      Linux     AIX       TRU64
iAS 1022    OHS       .3.19     08/09/02  08/09/02  08/15/02  08/15/02  08/15/02  08/15/02
iAS 1021    OHS       1.3.12    08/08/02  08/08/02  08/09/02  08/09/02  08/09/02  08/09/02
iAS 1021s   OHS       1.0.2.1s  08/08/02  08/08/02  08/12/02  08/12/02  08/12/02  08/12/02
iAS 102     iAS       1.0.2     08/09/02  08/09/02  08/14/02  08/14/02  08/14/02  08/14/02
RDBMS 9.2   Oracle    9.2.0.0   08/08/02  08/08/02  08/08/02  08/08/02  08/08/02  08/08/02
RDBMS 901   Oracle    9.0.1.0   08/09/02  08/09/02  08/13/02  08/13/02  08/13/02  08/13/02
RDBMS 817   Oracle    8.1.7.0   08/09/02  08/09/02  08/16/02  08/16/02  08/16/02  08/16/02

Upgrade Information:

New releases of the Corporate Time Outlook Connector will address this vulnerability.
The following releases are scheduled to be released around 16 August, 2002:
  1. CorporateTime Outlook Connector 3.3.1
  2. Oracle Outlook Connector 3.4