Security holes found in Oracle software

From...

By Matt Berger,
IDG News Service, San Francisco Bureau

(IDG) -- Despite the vendor's claims, the Oracle9i database is breakable, a United Kingdom security firm has reported.

Several security flaws were discovered in the company's software, including one that could allow a hacker to gain access to Oracle's database server without a user ID or password. The flaws were discovered by a security expert from Next Generation Security Software, based in Sutton, England.

Oracle said it was first informed about the flaws in December and has already made available patches and workarounds.

IDG.net INFOCENTER Computerworld main page Computerworld's topic-oriented communities Computerworld's IT career center Free daily newsletters Features PC World.com Product Finder Mastering e-commerce by degrees Fast-track training puts nontechies in IT jobs Visit an IDG site Choose a site: IDG.net CIO Computerworld Darwin Dummies.com GamePro.com The Industry Standard ITWorld.com InfoWorld.com JavaWorld LinuxWorld Macworld Online Network World Fusion PC World Publish.com UnixInsider IDG.net search

"No Oracle customers have reported issues stemming from these bugs," the company said in a statement.

The co-founder of Next Generation Security Software, David Litchfield, gave details of the flaws this week, after announcing in December that he had discovered them. Litchfield is expected to present a paper on his work at an upcoming Black Hat security conference, according to an Oracle spokeswoman.

The vulnerability that allows attackers to access a database server without authorization also allows the attacker to execute a function in that software from a remote location. It affects Oracle9i and Oracle8i database servers running on all operating systems, according to the security advisory.

A second flaw could allow attackers to run arbitrary code or perform a denial-of-service attack on the Oracle9i application server running on Sun Microsystems' Solaris 2.6 operating system for SPARC processors, Microsoft's Windows NT and Windows 2000 Server operating systems, and Hewlett-Packard's HP-UX version 11.0 operating system for 32-bit operating systems, according to the advisory.

Another vulnerability enables an attacker to view the source code of JSP (Java Server Pages) when they are downloaded from Oracle9i application servers running on all operating systems. Those files often display information such as the database user ID and password.

Matt Berger is a correspondent for the IDG News Service.