g database Software "Oracle8i" There are security vulnerabilities

oracle| Security | security Vulnerabilities | data | database
A few days ago, U.S. network Associates, US CERT/CC and Oracle issued a warning that the database software "Oracle8i" there are security vulnerabilities. If this security vulnerability is used maliciously, it may face the risk of executing arbitrary code on the database server by remote operation and seizing control of the server. Oracle Inc. has released a patch that the server administrator must use as soon as possible.
　　
A security vulnerability occurs because the Oracle8i TNS (Transparent network substrate) Listener note) uses an unchecked buffer. Therefore, once a request is sent there is a risk of causing the buffer overflow or executing arbitrary code. At this point, this code may be executed with the privileges of TNS listener. Because the buffer overflow occurs before the user authenticates, the attacker does not need to enter a user ID and password.
　　
The implementation permissions of TNS listener vary by platform, so the impact of security vulnerabilities varies. Under UNIX systems, the attacker's code can be executed under the authority of the Oracle user. Under the Windows system, it can be executed under the "Local System" security environment (context). It is possible for an attacker to seize control of a database in any system, but the situation may be more severe under Windows systems. Because the attacker may also be able to capture the privileges of the OS administrator.
　　
Patches released by the US Oracle can be downloaded via the company's support Services Web site "Metalink" (http://metalink.oracle.com). The serial number of the patch is "1489683".
　　
Note: The so-called TNS Listener refers to the configuration program that responds to customer requests and establishes connections. The default state waits for the request through TCP port 1521th.