search menu icon-carat-right cmu-wordmark
Carnegie Mellon University

Software Engineering Institute

CERT Coordination Center

Oracle Reports Server Reports Web Cartridge (RWCGI60) vulnerable to buffer overflow via database name parameter

Vulnerability Note VU#997403

Original Release Date: 2002-06-04 | Last Revised: 2002-11-15

Overview

A buffer overflow vulnerability in Oracle Reports Server 6i could allow an unauthenticated, remote attacker to execute arbitrary code with the privileges of the Reports Server process.

Description

Oracle Reports Server is a component of Oracle Application Server that handles client requests for reports from multiple data sources. Oracle Reports Server is capable of accepting requests and delivering reports over the web using a Reports Web Cartridge (RWCGI60). RWCGI60 is a CGI program that translates and delivers information between the Oracle HTTP Server and the Oracle Reports Server. According to a report by NGSSoftware, RWCGI60 is vulnerable to a buffer overflow via an HTTP request containing a specially crafted database name parameter.

According to Oracle Security Alert #35, Oracle Reports Server 6.0.8.18.0 and earlier are vulnerable, and Oracle9i Application Server 1.0.x includes a vulnerable version of Oracle Reports Server.

Impact

An unauthenticated, remote attacker could execute arbitrary code or cause a denial of service on a vulnerable system. By default, the Oracle Reports stand-alone server runs as SYSTEM on Windows NT and Windows 2000 systems.

Solution


Apply a Patch

Oracle Security Alert #35 provides information on patches that address this vulnerability.


Restrict Access

Where possible, limit access to trusted users, hosts, and networks.

Disable Oracle Reports Services

If your site does not use the Oracle Reports Services, disable it.

Disable RWCGI60

If you are able to use other components of Oracle Reports Services to process reports via HTTP, do not use RWCGI60.

Vendor Information

997403
 
Expand all

Oracle Affected

Notified:  May 31, 2002 Updated: June 06, 2002

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Oracle has released Oracle Security Alert #35.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base
Temporal
Environmental

References

Acknowledgements

The CERT/CC thanks David Litchfield of NGSSoftware for information used in this document.

This document was written by Art Manion.

Other Information

CVE IDs: CVE-2002-0947
Severity Metric: 11.66
Date Public: 2002-05-27
Date First Published: 2002-06-04
Date Last Updated: 2002-11-15 21:57 UTC
Document Revision: 47

Sponsored by CISA.

Download PGP Key

Read CERT/CC Blog

Learn about Vulnerability Analysis