'Unbreakable' Oracle9i springs a leak

About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store

NEWS

'Unbreakable' Oracle9i springs a leak

By Matt Berger
February 6, 2002 6:53 pm PT

SAN FRANCISCO - Despite the vendor's claims, Oracle's Oracle9i database is breakable, a U.K. security firm reported Wednesday.

ADVERTISEMENT

<a href="http://ad.doubleclick.net/jump/idg.us.info.news/article;abr=!ie;pos=imu;pkey=platforms;skey=;paud=;saud=;sz=336x280;tile=2;ord=470711121008?"> <img src="http://ad.doubleclick.net/ad/idg.us.info.news/article;abr=!ie;pos=imu;pkey=platforms;skey=;paud=;saud=;sz=336x280;tile=2;ord=470711121008?" border="0"> </a>

Free IT resource

Open Source Business Conference (OSBC) May 22-23, 2007

TOP NEWS

IT SOLUTION SEARCH

Several security flaws were discovered in the company's software, including one that could allow a hacker to gain access to Oracle's database server without a user ID or password. The flaws were discovered by a security expert from Next Generation Security Software Ltd., based in Sutton, U.K.

Oracle said Wednesday that it was first informed about the flaws in December and has already made available patches and workarounds.

"No Oracle customers have reported issues stemming from these bugs," the company said in a statement.

The co-founder of Next Generation Security Software, David Litchfield, gave details of the flaws on Wednesday after announcing in December that he had discovered them. Litchfield is expected to present a paper on his work at an upcoming Black Hat Inc. security conference, according to an Oracle spokeswoman.

The vulnerability that allows attackers to access a database server without authorization also allows the attacker to execute a function in that software from a remote location. It affects Oracle9i and Oracle8i database servers running on all operating systems, according to the security advisory.

A second flaw could allow attackers to run arbitrary code or perform a denial of service attack on the Oracle9i application server running on Sun Microsystems's Solaris 2.6 operating system for SPARC processors, Microsoft's Windows NT and Windows 2000 Server operating systems, and Hewlett-Packard's HP-UX version 11.0 operating system for 32-bit operating systems, according to the advisory.

Another vulnerability enables an attacker to view the source code of JSP (Java Server Pages) when they are downloaded from Oracle9i application servers running on all operating systems. Those files often display information such as the database user ID and password.

The security advisories are available at Next Generation Securities Web site at http://www.nextgenss.com/advisories. Oracle has made patches and workarounds available online at http://otn.oracle.com/deploy/security/alerts.htm/.

Matt Berger is a San Francisco-based correspondent for the IDG News Service, an InfoWorld affiliate.

SPONSORED WHITE PAPERS

EMC - Lower costs and improve reliability-Get the EMC CLARiiON white paper!
Ciphertrust - Are you ready for Sobig.G? Learn how to protect your email systems.
CDW - Personal attention. CDW. The Right Technology. Right Away.
EMC - Explore key performance features and capabilities of EMC ControlCenter 5.1.1.
Intel - Free Intel white paper shows you how to deploy a secure wireless LAN
Cisco - FREE WHITE PAPER: BLUEPRINT to design and implement secure VPNs
Verity, Inc. - "Mass Consolidation Hits the Web-Search Market"
McDATA - Download a FREE storage consolidation white paper from McDATA(R).
Lucent Technologies - Overcoming Common Firewall Limitations
Lucent Technologies - Leverage Your Mobile High Speed Data Access. Download Free White Paper!
Nokia - Get the scoop! Mobilizing business white papers & case studies.
BMC Software - Maximize the Potential of Enterprise Data: Free white paper!
Network Associates - Free white paper - Strategies for Optimizing Network Costs and Benefits
Entrust - Manage identities across applications. Improve productivity.
Stalker Software - CommuniGate Pro - Transform your Email and Calendaring
Remedy - A NEW Gartner Research Note:Producing Quality IT Services

Search the IDG White Paper Library:

SPONSORED LINKS

INFOWORLD MARKETPLACE

» Apply BPM and ITIL at your IT Help Desk
ServiceWise brings BPM to complete IT service while eliminating integration cost. Learn more here.
» Find Consulting Jobs
Access Pre-Qualified Projects from Top Businesses. Register Now!
» Virtualization Planning & Analysis White paper
How to analyze workload, business and technical constraints & plan for successful deployments
» SOA Whitepaper Series: Automating Process Exceptions
Register here for this valuable Webinar centering on the automation of process exceptions.

>> BUY A LINK NOW

	HOME NEWS TEST CENTER OPINIONS PRODUCT GUIDE TECHINDEX	About : Advertise : Subscribe : Contact Us : Awards : Events
Copyright © 2008, Reprints, Permissions, Licensing, IDG Network, Privacy Policy

All Rights reserved. InfoWorld is a leading publisher of technology information and product reviews on topics including viruses, phishing, worms, firewalls, security, servers, storage, networking, wireless, databases, and web services.

Computerworld :: Network World :: CIO :: PC World :: Darwin :: CMO :: CSO
IT Careers :: JavaWorld :: Macworld :: Mac Central :: Playlist :: GamePro :: GameStar :: Gamerhelp
ITWorld Canada :: Computerwoche :: Techworld UK :: tecChannel :: IDG.se :: IDG.no