Security Flaws Found in Oracle DB, App Server

Oracle Corp. suffered a security embarrassment this week when a U.K.-based security firm documented several serious vulnerabilities in the midst of Oracle's long-running "Unbreakable" marketing and advertising campaign.

"Contrary to claims by Oracle Corp. CEO Larry Ellison, Oracle9i is breakable," wrote David Litchfield, a founder of Next Generation Security Software Ltd. who documented the vulnerabilities.

Next Generation Security published a series of security advisories on Wednesday covering holes in Oracle's database and application servers. The problems affect Oracle 8 and Oracle9i. An accompanying white paper, which begins with Litchfield's "breakable" charge, details how to lock down an Oracle environment and points out several insecure default settings in Oracle's products. Litchfield also tempers his harsh words for the "Unbreakable" campaign by noting that it may relate to Oracle's 14 independent security evaluations, which leave "all of Oracle's competitors far behind."

Oracle simultaneously published security alerts of its own outlining fixes and workarounds that credit Litchfield.

In an official statement, Oracle said, "How a company responds to a bug is extremely important. Oracle responds as quickly as possible with information, patches and work-arounds that customers can apply. No Oracle customers have reported issues stemming from these bugs."

In the most serious of the vulnerabilities, an unauthorized user could gain access to data stored in Oracle 9i or execute operating system functions remotely without a username or password.

Next Generation Security’s disclosure has been a long time coming. The company’s co-founder, David Litchfield, allegedly first contacted Oracle about his findings in late 2001. Moreover, in early 2002, Litchfield provided details of potential Oracle 9i exploits to at least one publication, which prompted a flurry of discussion on Security’s Bugtraq mailing list.

“Considering Oracle's client by default allows connected users to run arbitrary shell commands, it doesn't surprise me that vulnerabilities such as this exist,” wrote one Bugtraq poster in January.

Next Generation Security has identified at least five Oracle 9i-specific vulnerabilities, including:

  • Multiple buffer overflow vulnerabilities in Oracle 9iAS’ PL/SQL Apache Module that could result in the execution of arbitrary code. Next Generation Security says that a non-overflow denial-of-service (DoS) attack also exists in the same module. On Windows NT 4.0 and Windows 2000 systems, the company advises, arbitrary code will run in the full SYSTEM context.
  • A security flaw that could allow an attacker to gain access to the source code of a translated JSP page. Next Generation Security says that code of this kind could contain usernames, passwords and even critical business logic.
  • A directory traversal issue, exploited by means of a buffer overflow attack, in Oracle 9iAS’ PL/SQL Apache Module that affects only Windows NT 4.0 and Windows 2000. An attacker who successfully exploits this vulnerability could execute code of her choice in the full SYSTEM context of the compromised server.

    ENT editor Scott Bekker contributed to this report.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.

