Oracle Database 10.2.0.3, 10.2.0.4, 10.2.0.5, 184.108.40.206, 220.127.116.11, 18.104.22.168
This vulnerability was discovered and researched by Martin Rakhmanov of Application Security Inc.
GeoRaster is a feature of Oracle Spatial that lets you store, index, query, analyze, and deliver GeoRaster data. One of the GeoRaster APIs is prone to a stack-based buffer overflow.
An attacker who can connect to a database with spatial support installed can execute arbitrary code in the context of the database server process.
The vendor was contacted and a patch has been released.
Do not install spatial support in the database.
Apply January 2013 CPU.
Vendor Notification – 5/3/2012
Vendor Response – 5/4/2012
Fix – 1/15/2013
Public Disclosure – 20/2/2013