[SA16577] Oracle OraClient Component Insecure Installation Issue

From: Secunia Security Advisories (sec-adv@secunia.com)
Date: Tue Sep 06 2005 - 05:08:52 CDT


----------------------------------------------------------------------

TITLE:
Oracle OraClient Component Insecure Installation Issue

SECUNIA ADVISORY ID:
SA16577

VERIFY ADVISORY:
http://secunia.com/advisories/16577/

CRITICAL:
Less critical

IMPACT:
System access

WHERE:
From remote

SOFTWARE:
Oracle Database Server 10g
http://secunia.com/product/3387/

DESCRIPTION:
Harry Johnston has reported a security issue in Oracle Database
Server 10g, which potentially can be exploited by malicious people to
compromise a user's system.

The problem is that installing the OraClient 10g component improperly
adds its binary and Java Runtime directories to the front of the
system path. These directories contain old, vulnerable versions of
Info-ZIP's zip (version 2.1) and unzip (version 5.32), and Sun Java
JRE (version 1.4.2_03).

For more information:
SA8781
SA9784
SA10051
SA11570
SA12206
SA13094
SA13142
SA13271
SA14640
SA15671

The security issue has been reported in version 10.1.0.2.0. Other
versions may also be affected.

SOLUTION:
Don't use the included zip, unzip, and Java utilities.

If newer versions of these tools are also installed on the system,
execute them using their absolute paths.
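
One way to check which copy of each utility a given search path resolves to
first. This is an added example, not part of the Secunia advisory or of any
Oracle tooling; the "oracle_home" marker, the directory layout and the
function names are constructed for the demonstration.

```python
import os
import tempfile

TOOLS = ("zip", "unzip", "java")   # utilities named in the advisory
EXTS = ("", ".exe")                # assumption: bare name or Windows .exe

def path_hits(tool, path_value, sep=os.pathsep):
    """Return every PATH directory that holds `tool`, in search order."""
    hits = []
    for directory in filter(None, path_value.split(sep)):
        if any(os.path.isfile(os.path.join(directory, tool + e)) for e in EXTS):
            hits.append(directory)
    return hits

def audit_path(path_value, suspect_marker, sep=os.pathsep):
    """Flag tools whose first PATH hit lies under a suspect directory.

    suspect_marker is a substring identifying the Oracle client home
    (hypothetical; set it to match the local install location).
    """
    findings = {}
    for tool in TOOLS:
        hits = path_hits(tool, path_value, sep)
        if hits and suspect_marker.lower() in hits[0].lower():
            # hits[1:] are copies that the bundled one takes precedence over
            findings[tool] = {"resolved": hits[0], "shadowed": hits[1:]}
    return findings

def build_demo_dirs():
    """Constructed layout: a bundled-tools dir and a separate system dir."""
    root = tempfile.mkdtemp()
    bundled = os.path.join(root, "oracle_home", "bin")
    system = os.path.join(root, "system")
    for directory, names in ((bundled, ("zip", "unzip")),
                             (system, ("unzip", "java"))):
        os.makedirs(directory)
        for name in names:
            open(os.path.join(directory, name), "w").close()
    return bundled, system

if __name__ == "__main__":
    bundled, system = build_demo_dirs()
    # Bundled directory first, as the advisory describes
    for tool, info in audit_path(os.pathsep.join([bundled, system]),
                                 "oracle_home").items():
        print(tool, "->", info["resolved"], "shadows", info["shadowed"])
```

To audit a real host, pass os.environ["PATH"] and a marker matching the
local client install directory instead of the constructed layout.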

PROVIDED AND/OR DISCOVERED BY:
Harry Johnston

OTHER REFERENCES:
SA8781:
http://secunia.com/advisories/8781/

SA9784:
http://secunia.com/advisories/9784/

SA10051:
http://secunia.com/advisories/10051/

SA11570:
http://secunia.com/advisories/11570/

SA12206:
http://secunia.com/advisories/12206/

SA13094:
http://secunia.com/advisories/13094/

SA13142:
http://secunia.com/advisories/13142/

SA13271:
http://secunia.com/advisories/13271/

SA14640:
http://secunia.com/advisories/14640/

SA15671:
http://secunia.com/advisories/15671/

----------------------------------------------------------------------
