Security Flaws Found in Oracle DB, App Server

Oracle Corp. suffered a security embarrassment this week when a U.K.-based security firm documented several serious vulnerabilities in the midst of Oracle's long-running "Unbreakable" marketing and advertising campaign.

"Contrary to claims by Oracle Corp. CEO Larry Ellison, Oracle9i is breakable," wrote David Litchfield, a founder of Next Generation Security Software Ltd. who documented the vulnerabilities.

Next Generation Security published a series of security advisories on Wednesday covering holes in Oracle's database and application servers. The problems affect Oracle 8 and Oracle9i. An accompanying white paper, which begins with Litchfield's "breakable" charge, details how to lock down an Oracle environment and points out several insecure default settings in Oracle's products. Litchfield also tempers his harsh words for the "Unbreakable" campaign by noting that it may relate to Oracle's 14 independent security evaluations, which leave "all of Oracle's competitors far behind."

Oracle simultaneously published security alerts of its own outlining fixes and workarounds that credit Litchfield.

In an official statement, Oracle said, "How a company responds to a bug is extremely important. Oracle responds as quickly as possible with information, patches and work-arounds that customers can apply. No Oracle customers have reported issues stemming from these bugs."

In the most serious of the vulnerabilities, an unauthorized user could gain access to data stored in Oracle 9i or execute operating system functions remotely without a username or password.

Next Generation Security’s disclosure has been a long time coming. The company’s co-founder, David Litchfield, allegedly first contacted Oracle about his findings in late 2001. Moreover, in early 2002, Litchfield provided details of potential Oracle 9i exploits to at least one publication, which prompted a flurry of discussion on Security’s Bugtraq mailing list.

“Considering Oracle's client by default allows connected users to run arbitrary shell commands, it doesn't surprise me that vulnerabilities such as this exist,” wrote one Bugtraq poster in January.

Next Generation Security has identified at least five Oracle 9i-specific vulnerabilities, including:

  • Multiple buffer overflow vulnerabilities in Oracle 9iAS’ PL/SQL Apache Module that could result in the execution of arbitrary code. Next Generation Security says that a non-overflow denial-of-service (DoS) attack also exists in the same module. On Windows NT 4.0 and Windows 2000 systems, the company advises, arbitrary code will run in the full SYSTEM context.
  • A security flaw that could allow an attacker to gain access to the source code of a translated JSP page. Next Generation Security says that code of this kind could contain usernames, passwords and even critical business logic.
  • A directory traversal issue, exploited by means of a buffer overflow attack, in Oracle 9iAS’ PL/SQL Apache Module that affects only Windows NT 4.0 and Windows 2000. An attacker who successfully exploits this vulnerability could execute code of her choice in the full SYSTEM context of the compromised server.
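The directory traversal item above is the one class of flaw in this list that leaves a clear trace in ordinary web server logs. As an added defender-side example (not part of the original article, and not code from Next Generation Security or Oracle), the script below scans constructed Apache-style access-log lines for traversal probes, exposing URL-encoded and double-encoded `..` sequences before matching so that simple encoding tricks do not slip past the check. The `/pls/` path prefix in the sample lines is an assumption about where a PL/SQL gateway is commonly mounted; the article does not state it, and the log lines themselves are fabricated for illustration.

```python
"""Flag directory-traversal probes in web server access logs (added example)."""
import re
from urllib.parse import unquote

# Constructed sample log lines in Apache common log format; not real traffic.
# The /pls/ prefix is an assumption about a typical PL/SQL gateway mount point.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2002:10:01:02 +0000] "GET /pls/portal/index.html HTTP/1.0" 200 512
10.0.0.9 - - [06/Feb/2002:10:01:09 +0000] "GET /pls/portal/..%2F..%2F..%2Fwinnt%2Fwin.ini HTTP/1.0" 404 210
10.0.0.9 - - [06/Feb/2002:10:02:11 +0000] "GET /pls/portal/%252e%252e/%252e%252e/boot.ini HTTP/1.0" 404 210
10.0.0.7 - - [06/Feb/2002:10:03:40 +0000] "GET /images/logo.gif HTTP/1.0" 200 4096
"""

# Minimal common-log-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def normalize_path(raw: str, rounds: int = 3) -> str:
    """Repeatedly URL-decode so single- and double-encoded '..' become visible,
    and fold backslashes to slashes so Windows-style separators are not missed."""
    path = raw
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path.replace("\\", "/")


def escapes_root(path: str) -> bool:
    """True if the '..' segments would climb above the document root."""
    depth = 0
    for seg in path.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg and seg != ".":
            depth += 1
    return False


def find_traversal_probes(log_text: str) -> list:
    """Return one finding per request whose normalized path contains a '..' segment."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in common log format
        raw = m.group("path")
        norm = normalize_path(raw)
        if ".." in norm.split("/"):
            findings.append({
                "ip": m.group("ip"),
                "raw": raw,
                "normalized": norm,
                "encoded": norm != raw,          # evasion via URL encoding
                "escapes_root": escapes_root(norm),
            })
    return findings


if __name__ == "__main__":
    for f in find_traversal_probes(SAMPLE_LOG):
        print(f["ip"], f["normalized"], "encoded" if f["encoded"] else "plain",
              "ESCAPES ROOT" if f["escapes_root"] else "inside root")
```

Any `..` segment is reported, not only those that climb above the root: a request that resolves inside the document root can still be a reconnaissance probe, and the `escapes_root` flag lets a triage rule rank the two cases differently. Decoding is bounded to a few rounds so a log line padded with deeply nested encodings cannot keep the analyzer busy.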

ENT editor Scott Bekker contributed to this report.

About the Author

Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.
