[ISN] Database flaws more risky than thought

InfoSec News isn at c4i.org
Fri Dec 24 03:16:44 EST 2004


By Robert Lemos 
Staff Writer, CNET News.com
December 23, 2004

Details of multiple security flaws in Oracle and IBM databases have
been released by the security company that found them.

The flaws, which were described in general terms in August and
September by Next-Generation Security Software, could allow an
attacker to remotely compromise servers running the database programs.  
Security company Symantec raised its Internet threat rating of the
flaws to 2 from 1, based on the details released on Thursday.

NGSSoftware gave users of the databases more than three months to fix
their systems when it announced its discovery of the flaws. Oracle has
already released patches for the 10 vulnerabilities affecting its 9i
database, and IBM has issued fixes for two flaws in DB2 versions 7 and

"Some of these are more serious than others," said David Litchfield, a
security researcher and co-founder of U.K.-based NGSSoftware. "Most of
these vulnerabilities can be exploited remotely."

The advisories can be found on NGSSoftware's Web site.

More information about the ISN mailing list