34 Oracle Security Flaws Just Discovered

Aug 04, 2004
John Garmany

Yesterday Don Burleson reported that 34 Oracle security flaws have been found. Although details are few, the flaws appear to be in the PL/SQL code used to connect applications to the Oracle Database.

It also appears that the user must have direct access to the database to exploit the flaws. Application users who cannot directly access the database should not pose a security risk.

From Don: 

According to a Wall Street Journal report by ZDNet, a British firm has identified more than 30 flaws in Oracle that will allow unauthorized entry into the database:

http://news.zdnet.co.uk/internet/security/0,39020375,39162536,00.htm

Evidently, the problems relate to a PL/SQL security issue:

"According to the WSJ, Litchfield found problems in the PL/SQL code, which is used by custom applications to communicate with the database. If this code is flawed, administrators may be required to modify all their applications in order to properly secure them."

David Litchfield, discoverer of the problem, said in the Wall Street Journal: 'If they can get access they can own it and the data on it.'

Oracle is keeping quiet about allegations that its ubiquitous database has at least 30 security vulnerabilities that could allow hackers to compromise the confidentiality of virtually all financial transactions.

“James Governor, principal analyst at RedMonk, said the flaw could cause a lot of problems for database administrators as Oracle will not be able to simply issue a patch because of the nature of the problem.”

"If this is going to affect PL/SQL code, there is an awful lot of home-grown PL/SQL code out there -- it's not a packaged application that Oracle can patch," said Governor.

A similar article just appeared in Computerworld:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,95013,00.html

Oracle is aware of the exposures and will be issuing an alert "soon":

"They include buffer overflows, SQL injection issues and a whole range of other minor issues," said Litchfield, who discovered the flaws. He said that he reported them to Oracle in January and February.

"Some of them can be exploited without a user ID and password, while others require them," Litchfield said. Nearly 90% of the flaws allow attackers to potentially gain complete administrative control of vulnerable database servers, he said.

Oracle confirmed the existence of the flaws, which were discussed publicly at last week's Black Hat security conference in Las Vegas, but did not offer any further comment. In an e-mailed statement, a company spokeswoman said that Oracle had fixed the flaws and would issue a security alert "soon."
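Governor's point above is that flaws in home-grown PL/SQL are not something Oracle can patch; the application owner has to find and rewrite the affected code. The following is an added example of what that rewrite looks like for the SQL-injection class Litchfield mentions. It is not from the article and not one of the reported flaws; the ORDERS table and the procedure names are invented for illustration.

```sql
-- Added example, not taken from the article or from the flaws it reports.
-- Table ORDERS and all three procedures are invented for illustration.

-- Vulnerable pattern: the caller's value is concatenated into the SQL text,
-- so a quote character inside p_customer changes the statement itself
-- rather than the value being compared. Oracle cannot patch this; the
-- application owner has to rewrite it.
CREATE OR REPLACE PROCEDURE get_order_total_unsafe (
    p_customer IN  VARCHAR2,
    p_total    OUT NUMBER
) AS
    v_sql VARCHAR2(4000);
BEGIN
    v_sql := 'SELECT NVL(SUM(amount), 0) FROM orders WHERE customer_id = '''
             || p_customer || '''';
    EXECUTE IMMEDIATE v_sql INTO p_total;
END get_order_total_unsafe;
/

-- Hardened pattern: the statement text is a constant and the value is passed
-- as a bind variable, so it is only ever treated as data. AUTHID CURRENT_USER
-- additionally runs the procedure with the caller's privileges instead of the
-- owner's (object names then resolve in the caller's schema), so a flaw in it
-- cannot hand out the owner's rights.
CREATE OR REPLACE PROCEDURE get_order_total (
    p_customer IN  VARCHAR2,
    p_total    OUT NUMBER
) AUTHID CURRENT_USER AS
BEGIN
    EXECUTE IMMEDIATE
        'SELECT NVL(SUM(amount), 0) FROM orders WHERE customer_id = :cust'
        INTO p_total
        USING p_customer;
END get_order_total;
/

-- Simplest of all when the statement does not need to vary at run time:
-- static SQL, which PL/SQL compiles with p_customer already bound.
CREATE OR REPLACE PROCEDURE get_order_total_static (
    p_customer IN  VARCHAR2,
    p_total    OUT NUMBER
) AS
BEGIN
    SELECT NVL(SUM(amount), 0) INTO p_total
      FROM orders
     WHERE customer_id = p_customer;
END get_order_total_static;
/

-- Inventory check for a DBA: list stored code that uses dynamic SQL, which
-- are the places to review for the concatenation pattern shown above.
SELECT owner, name, type, line, text
  FROM all_source
 WHERE UPPER(text) LIKE '%EXECUTE IMMEDIATE%'
    OR UPPER(text) LIKE '%DBMS_SQL.PARSE%'
 ORDER BY owner, name, line;
```

The inventory query only finds where dynamic SQL is used; each hit still has to be read to see whether the statement text is built from caller input. Code that needs a variable identifier (a table or column name chosen at run time) cannot use a bind variable for it and has to validate that name against a fixed list instead.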


Regards,

John Garmany
Burleson Oracle Consulting
Kittrell, NC, USA, 27544
www.dba-oracle.com
www.remote-dba.net


Burleson Consulting
Kittrell, NC, 27544

Email: info@remote-dba.net • Phone (800) 766-1884

Copyright © 1996 - 2015 by Burleson, Inc. All rights reserved.