[ISN] DHS Issues Oracle Warning
isn at c4i.org
Fri Jun 11 06:20:38 EDT 2004
By Florence Olsen
June 10, 2004
Homeland Security Department officials used the National Cyber Alert
System this week to warn users of critical security vulnerabilities
discovered in Oracle Corp.'s E-Business Suite 11i and Oracle 11
The DHS alert warned that unauthorized but knowledgeable persons with
Web browser access to unpatched versions of the Oracle software can
exploit the vulnerabilities to execute destructive structured query
language procedures inside the applications.
Oracle has provided a patch that users can download to close the
security holes for the software versions named in the alert. Earlier
versions have not been tested for the vulnerability because Oracle is
no longer providing patches for the older versions.
Applications making the vulnerability list include Oracle E-Business
Suite 11i and 11.5.1 through 11.5.8 and all releases of Oracle 11
applications. Oracle E-Business Suite Release 11.5.9 and later
versions are not vulnerable.
According to Integrigy Corp.'s Stephen Kost, a security expert who
discovered the vulnerabilities, the unpatched Oracle database
applications are open to malicious exploits known technically as SQL
The DHS alert warns that "exploitation may lead to compromise of the
database application, data integrity or underlying operating system."
No operating system is immune.
Oracle databases and applications are widely used throughout the
federal government. The Energy Department's Sandia National
Laboratories and NASA's Jet Propulsion Laboratory, among others, use
the Oracle E-Business Suite for managing their business operations.
More information about the ISN