SAINT CorporationSAINT:41CE2C75DEA3DACC6F41031BCE37A722Oracle Spatial component SDO_CS.TRANSFORM_LAYER buffer overflow
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.598 Medium
EPSS
Percentile
97.7%
Added: 10/26/2006
CVE: CVE-2006-5344
BID: 20588
OSVDB: 31462
Background
The Oracle Spatial (formerly SDO) component of Oracle Database provides a set of functions which process multi-dimensional data.
Problem
A buffer overflow in the Oracle Spatial component allows an attacker with EXECUTE privileges on the SDO_CS.TRANSFORM_LAYER function to execute arbitrary commands.
Resolution
Apply the patch referenced in the October 2006 Oracle Critical Patch Update.
References
<http://www.us-cert.gov/cas/techalerts/TA06-291A.html>
<http://www.oracle.com/technology/deploy/security/critical-patch-updates/cpuoct2006.html>
Limitations
Exploit works on Oracle Database 10.1.0.2 and 9.2.0.1.
Exploit requires a the login and password of a database user with privileges to create functions. The default “scott” user has sufficient privileges, but is disabled by default in Oracle Database 10g.
Platforms
Windows
Related
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.598 Medium
EPSS
Percentile
97.7%