34 Oracle security flaws just discovered

"According to the WSJ, Litchfield found problems in the PL/SQL code, which is used by custom applications to communicate with the database. If this code is flawed, administrators may be required to modify all their applications in order to properly secure them."

David Litchfield , discoverer of the problem said in the Wall Street Journal: 'If they can get access they can own it and the data on it,' .

Oracle is keeping quiet about allegations that its ubiquitous database has at least 30 security vulnerabilities that could allow hackers to compromise the confidentiality of virtually all financial transactions.

“James Governor, principal analyst at RedMonk, said the flaw could cause a lot of problems for database administrators as Oracle will not be able to simply issue a patch because of the nature of the problem.”

"If this is going to affect PL/SQL code, there is an awful lot of home-grown PL/SQL code out there -- it's not a packaged application that Oracle can patch," said Governor.

A similar article just appeared in Computerworld:

http://www.computerworld.com/securitytopics/security/holes/story/0,10801,95013,00.html 
 

Oracle is aware of the exposures and will be issuing an alert “soon”:

"They include buffer overflows, SQL injection issues and a whole range of other minor issues," said Litchfield, who discovered the flaws. He said that he reported them to Oracle in January and February.

"Some of them can be exploited without a user ID and password, while others require them," Litchfield said. Nearly 90% of the flaws allow attackers to potentially gain complete administrative control of vulnerable database servers, he said.

Oracle confirmed the existence of the flaws, which were discussed publicly at last week's Black Hat security conference in Las Vegas, but did not offer any further comment. In an e-mailed statement, a company spokeswoman said that Oracle had fixed the flaws and would issue a security alert "soon."