[ISN] US government and security firms warn of critical Oracle flaws

InfoSec News isn at c4i.org
Fri Sep 3 06:14:48 EDT 2004


By Paul Roberts
IDG news service
03 September 2004

The US government's Computer Emergency Response Team (US-CERT) and
software security companies have issued warnings about a number of
security vulnerabilities in versions of Oracle's software.

US-CERT has issued an alert citing several security flaws in Oracle
products that could be used to shut down or take control of vulnerable
systems running the software or to corrupt or steal data from the
Oracle Databases.

The security holes affect a number of Oracle products, including
versions of its 8i, 9i and 10g Database, Application Server and
Enterprise Manager software, according to a bulletin posted by Oracle,
which also released a patch for the vulnerabilities.

Few details of the vulnerabilities were available from Oracle or other
companies. Oracle said that the holes in its Database Server and
Application Server were rated "high" and that exploiting some required
network access, but not a valid database user account. Holes in the
Enterprise Manager were rated "medium," by Oracle and required both
network access to the vulnerable machine and a valid user account to
take advantage of, Oracle said.

According to an alert issued by Next Generation Security
Software(NGSS) [1], the vulnerabilities include SQL injection attacks,
in which attackers inject malicious code into Web-based forms and
other features that are used to generate Web content dynamically,
denial of service attacks and buffer overflows, in which malicious
code is placed on a vulnerable system by exceeding an area of a
vulnerable computer's memory that is allocated for use by a software

NGSS is withholding details about the vulnerabilities for three months
to give Oracle database administrators the time to test and patch
vulnerable systems.

Oracle "strongly" recommends that customers apply the patch, noting
that there is no work-around that addresses the new security

[1] http://www.nextgenss.com/advisories/oracle-01.txt

More information about the ISN mailing list