Oracle is strongly recommending that its customers apply the software patches it released in August, following...
the discovery that some exploits had been published.
In a security alert released late last week, the company said malicious code is available to hackers allowing them to exploit Oracle products that have not yet been updated.
The alert did not provide specific information about the exploits.
Security flaws have been found in versions 8i, 9i and 10g database, Oracle application server and enterprise manager software. The vulnerabilities were identified in February by David Litchfield, a well-known vulnerability-finder and co-founder of Next Generation Security Software, which is based in Sutton, England.
In all, Litchfield's firm discovered more than 30 Oracle product vulnerabilities during a security evaluation of a customer.
Litchfield waited several months before releasing general information about the flaws at a security conference in Las Vegas in order to prompt Oracle to release fixes for the holes. In August, Oracle responded with a patch and an updated monthly release schedule for customers to address future vulnerabilities.
"With some of the issues, it's not very difficult to exploit at all," Litchfield said. "There's no limit to the amount of damage or theft you can do."
Litchfield said Oracle's database server and application server were at high risk because attackers with network access could exploit the DBMS without a valid user account and password.
"Customers of Oracle are advised to keep up to date with what is going on, and should regularly be doing assessments to ensure that they are up to date with the latest patches," Litchfield said.
Oracle said it knew about the vulnerabilities in February but waited to release a full fix rather than a partial fix to customers.
The nature of the August release has frustrated DBAs because at the time Oracle offered few details about the patch, said Arup Nanda, a security expert and Norwalk, Conn.-based DBA who is president of Proligence, an Oracle consultancy. The lack of information has forced DBAs to take entire systems out of production, Nanda said.
"We know that the patches eliminate vulnerabilities in the database server and the listener, in the application server and in the enterprise manager," Nanda said. "DBAs like to be absolutely certain that they need the patch and how much downtime is needed, and in this case, it is impossible to be certain because so little information is available."