Yesterday Don Burleson reported that 34 Oracle security flaws have been found.
Although details are few, the flaws appear to be in the PL/SQL code used
to connect applications to the Oracle Database.
It also appears that a user must have direct access to the database to exploit the
flaws. Application users that cannot directly access the database
should not pose a security risk.
From Don:
According to a Wall Street Journal
report by ZDNet, a British firm has identified more than 30 flaws in
Oracle that will allow unauthorized entry into the database:
http://news.zdnet.co.uk/internet/security/0,39020375,39162536,00.htm
Evidently, the problems relate to a PL/SQL security issue:
"According to the WSJ,
Litchfield found problems in the PL/SQL code, which is used by
custom applications to communicate with the database. If this code
is flawed, administrators may be required to modify all their
applications in order to properly secure them."
David Litchfield, discoverer of the
problem, said in the Wall Street Journal: 'If they can get access they
can own it and the data on it.'
Oracle is keeping quiet about
allegations that its ubiquitous database has at least 30 security
vulnerabilities that could allow hackers to compromise the
confidentiality of virtually all financial transactions.
“James Governor, principal analyst at RedMonk, said the flaw could
cause a lot of problems for database administrators as Oracle will
not be able to simply issue a patch because of the nature of the
problem.”
"If this is going to affect PL/SQL code, there is an awful lot of
home-grown PL/SQL code out there -- it's not a packaged application
that Oracle can patch," said Governor.
A similar article just appeared in
Computerworld:
http://www.computerworld.com/securitytopics/security/holes/story/0,10801,95013,00.html
Oracle is aware of the
exposures and will be issuing an alert “soon”:
"They include buffer overflows, SQL injection issues and a whole
range of other minor issues," said Litchfield, who discovered the
flaws. He said that he reported them to Oracle in January and
February.
"Some of them can be exploited without a user ID and password, while
others require them," Litchfield said. Nearly 90% of the flaws allow
attackers to potentially gain complete administrative control of
vulnerable database servers, he said.
Oracle confirmed the existence of the flaws, which were discussed
publicly at last week's Black Hat security conference in Las Vegas,
but did not offer any further comment. In an e-mailed statement, a
company spokeswoman said that Oracle had fixed the flaws and would
issue a security alert "soon."
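The articles quoted above single out SQL injection in custom PL/SQL as the class of flaw Oracle cannot patch centrally, since the code lives in each site's own applications. The following PL/SQL is an added illustration, not code from the post or from any of the quoted sources: a home-grown procedure that splices caller input into dynamic SQL, beside the hardened form that passes the value as a bind variable and runs with invoker's rights. The orders table, its two rows and the test input are constructed for the example; AUTHID CURRENT_USER assumes the caller can already see the table.

```sql
-- Constructed demo schema (not from the original post).
CREATE TABLE orders (
  order_id      NUMBER        PRIMARY KEY,
  customer_name VARCHAR2(100) NOT NULL,
  amount        NUMBER(12,2)  NOT NULL
);

INSERT INTO orders VALUES (1, 'ACME',   100.00);
INSERT INTO orders VALUES (2, 'Globex', 250.00);
COMMIT;

-- BEFORE: caller input is concatenated into the statement text, so input
-- that closes the string literal rewrites the WHERE clause. The procedure
-- also runs with definer's rights by default, i.e. with the owner's privileges.
CREATE OR REPLACE PROCEDURE get_orders_unsafe (
  p_customer IN  VARCHAR2,
  p_cur      OUT SYS_REFCURSOR)
IS
  l_sql VARCHAR2(4000);
BEGIN
  l_sql := 'SELECT order_id, amount FROM orders WHERE customer_name = '''
           || p_customer || '''';
  OPEN p_cur FOR l_sql;
END get_orders_unsafe;
/

-- AFTER: the value travels as a bind variable and is never parsed as SQL.
-- AUTHID CURRENT_USER runs the procedure with the caller's privileges, so a
-- flaw in the calling application gains no more than the caller already has
-- (assumption: the caller can resolve the orders table in its own schema).
CREATE OR REPLACE PROCEDURE get_orders_safe (
  p_customer IN  VARCHAR2,
  p_cur      OUT SYS_REFCURSOR)
AUTHID CURRENT_USER
IS
BEGIN
  OPEN p_cur FOR
    'SELECT order_id, amount FROM orders WHERE customer_name = :cust'
    USING p_customer;
END get_orders_safe;
/

-- Exercise both procedures with the same constructed input that closes the literal.
DECLARE
  l_cur    SYS_REFCURSOR;
  l_id     orders.order_id%TYPE;
  l_amount orders.amount%TYPE;
  l_input  VARCHAR2(100) := 'x'' OR ''1''=''1';
BEGIN
  get_orders_unsafe(l_input, l_cur);
  LOOP
    FETCH l_cur INTO l_id, l_amount;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE('unsafe returned order ' || l_id);  -- both rows are returned
  END LOOP;
  CLOSE l_cur;

  get_orders_safe(l_input, l_cur);
  LOOP
    FETCH l_cur INTO l_id, l_amount;
    EXIT WHEN l_cur%NOTFOUND;
    DBMS_OUTPUT.PUT_LINE('safe returned order ' || l_id);    -- no customer has this name
  END LOOP;
  CLOSE l_cur;
END;
/
```

Run the script in SQL*Plus with SET SERVEROUTPUT ON to see the two result sets. Where the statement does not need to be built at run time at all, plain static SQL inside the procedure is simpler still and is bound automatically; dynamic SQL with binds is for the cases where the shape of the statement genuinely varies. Auditing existing PL/SQL for string concatenation into EXECUTE IMMEDIATE, OPEN ... FOR and DBMS_SQL calls is the practical first step the quoted analysts are pointing at.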
Regards,
John Garmany
John Garmany
Burleson Oracle Consulting
Kittrell, NC, USA, 27544
www.dba-oracle.com
www.remote-dba.net