[ISN] Database flaws more risky than thought
isn at c4i.org
Fri Dec 24 03:16:44 EST 2004
By Robert Lemos
Staff Writer, CNET News.com
December 23, 2004
Details of multiple security flaws in Oracle and IBM databases have
been released by the security company that found them.
The flaws, which were described in general terms in August and
September by Next-Generation Security Software, could allow an
attacker to remotely compromise servers running the database programs.
Security company Symantec raised its Internet threat rating of the
flaws to 2 from 1, based on the details released on Thursday.
NGSSoftware gave users of the databases more than three months to fix
their systems when it announced its discovery of the flaws. Oracle has
already released patches for the 10 vulnerabilities affecting its 9i
database, and IBM has issued fixes for two flaws in DB2 versions 7 and
"Some of these are more serious than others," said David Litchfield, a
security researcher and co-founder of U.K.-based NGSSoftware. "Most of
these vulnerabilities can be exploited remotely."
The advisories can be found on NGSSoftware's Web site.
More information about the ISN