Oracle Outside In Technology Paradox Database Stream Filter

by Carol~ Moderator - 1/16/13 11:50 AM

In Reply to: VULNERABILITIES / FIXES - January 16, 2013 by Carol~ Moderator

Oracle Outside In Technology Paradox Database Stream Filter Vulnerabilities

Release Date : 2013-01-16

Criticality level: Highly critical
Impact: DoS, System access
Where: From remote
Solution Status: Vendor Patch

Software: Oracle Outside In Technology 8.x

Description:
Secunia Research has discovered two vulnerabilities in Oracle Outside In Technology, which can be exploited by malicious people to cause a DoS (Denial of Service) and compromise a vulnerable system.

1) An error in the Paradox database stream filter (vspdx.dll) when processing the field type within a field description array can be exploited to reference unallocated memory via an unsupported type value (e.g. 14).

2) An error in the Paradox database stream filter (vspdx.dll) when processing the field names can be exploited to cause a heap-based buffer overflow via a specially crafted "number of fields" value in the table header.

Successful exploitation of this vulnerability may allow execution of arbitrary code.

The vulnerabilities are confirmed in version 8.3.7 (w/ patch 14153713). Other versions may also be affected.

Solution:
Apply updates (please see the vendor's advisory for details).

Provided and/or discovered by:
Dmitriy Pletnev, Secunia Research.

Original Advisory:
Secunia Research:
http://secunia.com/secunia_research/2013-1/
http://secunia.com/secunia_research/2013-2/

Oracle:
http://www.oracle.com/technetwork/topics/security/cpujan2013-1515902.html#AppendixFMW

http://secunia.com/advisories/50121/
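Both issues above are the same class of bug: a length or type value read from the file is trusted before it is checked against what the file actually contains. The C below is an added illustration written for this post; it is not Oracle's vspdx.dll code and not from the Secunia advisory. The header layout it parses is a constructed simplification (a 16-bit field count, a two-byte type/size descriptor per field, then NUL-terminated names), not the real Paradox .db layout, and the type table and limits are assumptions. The unchecked routine models the two missing checks the advisory describes (an unsupported type value such as 14 used as a table index, and a "number of fields" value larger than the buffer it is written into); the hardened parser shows the checks a filter needs before it touches either value.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed toy header layout for this example (NOT the real Paradox .db
 * layout and not Oracle's code):
 *   [0..1]   num_fields, little-endian u16 (the "number of fields" value)
 *   [2..]    num_fields descriptors of PX_DESC_LEN bytes: field type, field size
 *   after    num_fields NUL-terminated field names
 */
enum { PX_MAX_TYPE = 8, PX_MAX_FIELDS = 255, PX_NAME_MAX = 25, PX_DESC_LEN = 2 };

/* Hypothetical per-type fixed sizes, indexed by field type 0..PX_MAX_TYPE. */
static const uint8_t px_type_fixed_size[PX_MAX_TYPE + 1] = {0, 1, 2, 4, 8, 4, 5, 9, 0};

typedef struct {
    uint8_t type;
    uint8_t size;
    char name[PX_NAME_MAX + 1];
} px_field;

/* Models the two defects in the advisory; never called in this example.
 * (1) the type byte indexes a table with no range check, so an unsupported
 *     value such as 14 reads past the end of the table;
 * (2) the output array is sized from a fixed guess while the loop trusts the
 *     header's field count, so a large count overflows the heap buffer. */
px_field *px_parse_unchecked(const uint8_t *buf)
{
    unsigned nf = buf[0] | (unsigned)buf[1] << 8;
    px_field *f = malloc(16 * sizeof *f);             /* (2) sized from a guess */
    if (!f) return NULL;
    for (unsigned i = 0; i < nf; i++) {               /* (2) writes nf entries  */
        f[i].type = buf[2 + i * PX_DESC_LEN];
        f[i].size = px_type_fixed_size[f[i].type];    /* (1) no bounds check    */
    }
    return f;
}

/* Hardened parser: every count, index and offset taken from the file is
 * checked against the bytes actually present and the caller's capacity
 * before use. Returns the field count, or -1 with *err set to a reason. */
int px_parse_header(const uint8_t *buf, size_t len, px_field *out, size_t out_cap,
                    const char **err)
{
    if (len < 2) { *err = "short header"; return -1; }
    unsigned nf = buf[0] | (unsigned)buf[1] << 8;
    if (nf == 0 || nf > PX_MAX_FIELDS || nf > out_cap) { *err = "bad field count"; return -1; }

    /* the whole descriptor array must lie inside the buffer before we read it */
    if (len - 2 < (size_t)nf * PX_DESC_LEN) { *err = "truncated field descriptors"; return -1; }
    for (unsigned i = 0; i < nf; i++) {
        uint8_t type = buf[2 + i * PX_DESC_LEN];
        if (type > PX_MAX_TYPE) { *err = "unsupported field type"; return -1; }
        out[i].type = type;
        out[i].size = buf[3 + i * PX_DESC_LEN];
    }

    /* each name must be NUL-terminated inside the buffer and fit its slot */
    size_t pos = 2 + (size_t)nf * PX_DESC_LEN;
    for (unsigned i = 0; i < nf; i++) {
        const uint8_t *nul = memchr(buf + pos, 0, len - pos);
        if (!nul) { *err = "truncated field names"; return -1; }
        size_t n = (size_t)(nul - (buf + pos));
        if (n > PX_NAME_MAX) { *err = "field name too long"; return -1; }
        memcpy(out[i].name, buf + pos, n);
        out[i].name[n] = '\0';
        pos += n + 1;
    }
    *err = NULL;
    return (int)nf;
}

/* Constructed sample inputs (not real Paradox files). */
const uint8_t px_good[]      = {0x02,0x00, 0x01,0x01, 0x03,0x04, 'I','D',0, 'N','a','m','e',0};
const uint8_t px_bad_type[]  = {0x01,0x00, 0x0E,0x00, 'X',0};     /* type 14: unsupported     */
const uint8_t px_bad_count[] = {0xFF,0xFF, 0x01,0x01, 'A',0};     /* claims 65535 fields      */
const uint8_t px_truncated[] = {0x05,0x00, 0x01,0x01, 0x02,0x02}; /* 5 claimed, 2 present     */

int main(void)
{
    const uint8_t *samples[] = {px_good, px_bad_type, px_bad_count, px_truncated};
    const size_t lens[] = {sizeof px_good, sizeof px_bad_type, sizeof px_bad_count, sizeof px_truncated};
    for (size_t s = 0; s < 4; s++) {
        px_field fields[PX_MAX_FIELDS];
        const char *err;
        int n = px_parse_header(samples[s], lens[s], fields, PX_MAX_FIELDS, &err);
        if (n < 0) printf("sample %zu rejected: %s\n", s, err);
        else for (int i = 0; i < n; i++)
            printf("sample %zu field %d: type=%u size=%u name=%s\n",
                   s, i, fields[i].type, fields[i].size, fields[i].name);
    }
    return 0;
}
```

The point of the hardened version is the order of operations: the field count is bounded and compared with the buffer length before the descriptor loop runs, and the type byte is range-checked before it is used as an index, so a file claiming 65535 fields or a type of 14 is rejected with a diagnostic instead of reaching memory the parser does not own.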