[ISN] Oracle Warns of Critical Exploits

InfoSec News isn at c4i.org
Fri Oct 15 06:29:15 EDT 2004


By Lisa Vaas 
October 14, 2004 

Critical Oracle Corp. technology vulnerabilities have been publicly
exploited, the company advised in a recent security update that urged
users to apply the patches contained in its Security Alert 68. [1]

"Oracle is aware of public exploits (as indicated in the latest
version of the alert) for several of the vulnerabilities, and more
exploits may be created," the company said in the e-mail alert.  
"Security Alert 68 is a critical security update and should be applied
as soon as possible."

The vulnerabilities were addressed in the Redwood Shores, Calif.,
company's first monthly patch rollup, which was released on Aug. 31.  
At the time this story was posted, Oracle had not returned phone calls
seeking details of the exploits.

The vulnerabilities in question, however, included the potential for
buffer overflow attacks, SQL injection techniques for gaining access
to Oracle databases, and the ability for a remote attacker to take
advantage of a known, default user account and password.

Other flaws allow databases to be exploited by regular users, who can
crash the database or escalate privileges to administrator level.  
Multiple versions of Oracle's Database Server, Application Server and
Enterprise Manager software are at risk.

Security experts and Oracle watchers are pricking up their ears as
they spot message board posts such as this one that request further
information on the bugs.

"If this increases or the information becomes more readily available,
then some companies are going to have problems," said a Weblog [2]
entry posted by the Oracle security company PeteFinnigan.com Ltd.
"Exploits are not just used by Internet-based hackers; they can also
be used internally by employees."

[1] http://www.oracle.com/technology/deploy/security/pdf/2004alert68.pdf
[2] http://petefinnigan.com/weblog/entries/index.html

More information about the ISN mailing list