Security holes found in Oracle software

Despite the vendor’s claims, Oracle Corp.’s Oracle9i database is breakable, a U.K. security firm reported Wednesday.

Several security flaws were discovered in the company’s software, including one that could allow a hacker to gain access to Oracle’s database server without a user ID or password. The flaws were discovered by a security expert from Next Generation Security Software Ltd., based in Sutton, U.K.

Oracle said Wednesday that it was first informed about the flaws in December and has already made available patches and workarounds.

“No Oracle customers have reported issues stemming from these bugs,” the company said in a statement.

The co-founder of Next Generation Security Software, David Litchfield, gave details of the flaws on Wednesday after announcing in December that he had discovered them. Litchfield is expected to present a paper on his work at an upcoming Black Hat Inc. security conference, according to an Oracle spokeswoman.

The vulnerability that allows attackers to access a database server without authorization also allows the attacker to execute a function in that software from a remote location. It affects Oracle9i and Oracle8i database servers running on all operating systems, according to the security advisory.

A second flaw could allow attackers to run arbitrary code or perform a denial of service attack on the Oracle9i application server running on Sun Microsystems Inc.’s Solaris 2.6 operating system for SPARC processors, Microsoft Corp.’s Windows NT and Windows 2000 Server operating systems, and Hewlett-Packard Co.’s HP-UX version 11.0 operating system for 32-bit operating systems, according to the advisory.

Another vulnerability enables an attacker to view the source code of JSP (Java Server Pages) when they are downloaded from Oracle9i application servers running on all operating systems. Those files often display information such as the database user ID and password.

The security advisories are available at Next Generation Securities Web site at http://www.nextgenss.com/advisories. Oracle has made patches and workarounds available online at http://otn.oracle.com/deploy/security/alerts.htm/.

Oracle Canada in Mississauga, Ont., is at http://www.oracle.ca/ca-en

Would you recommend this article?

Share

Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.


Jim Love, Chief Content Officer, IT World Canada

Featured Download

Featured Articles

Cybersecurity in 2024: Priorities and challenges for Canadian organizations 

By Derek Manky As predictions for 2024 point to the continued expansion...

Survey shows generative AI is a top priority for Canadian corporate leaders.

Leaders are devoting significant budget to generative AI for 2024 Canadian corporate...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now