
Oracle exploit code spurs new patch warning

Robert Westervelt, News Director

Oracle is strongly recommending that its customers apply the software patches it released in August, now that exploit code for some of the flaws has been published.

In a security alert released late last week, the company said malicious code is available to hackers that allows them to exploit Oracle products that have not yet been updated.

The alert did not provide specific information about the exploits.

Security flaws have been found in the 8i, 9i and 10g versions of the Oracle database, in Oracle Application Server and in Oracle Enterprise Manager. The vulnerabilities were identified in February by David Litchfield, a well-known vulnerability researcher and co-founder of Next Generation Security Software, which is based in Sutton, England.

In all, Litchfield's firm discovered more than 30 Oracle product vulnerabilities during a security evaluation of a customer.

Litchfield withheld details for several months to give Oracle time to fix the holes, then released general information about the flaws at a security conference in Las Vegas to prompt the company to ship fixes. In August, Oracle responded with a patch and a new monthly release schedule under which customers will receive fixes for future vulnerabilities.

"With some of the issues, it's not very difficult to exploit at all," Litchfield said. "There's no limit to the amount of damage or theft you can do."

Litchfield said Oracle's database server and application server were at high risk because attackers with network access could exploit the DBMS without a valid user account and password.
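As an added illustration, not from the article or from Oracle's alert: when a flaw is reachable over the network without credentials, the compensating control a DBA can apply while a patch is being tested is to limit which hosts can reach the listener at all. The fragment below shows a sqlnet.ora with no host filtering (the default) beside one that uses Oracle Net valid-node checking, plus an ADMIN_RESTRICTIONS entry in listener.ora so the running listener's configuration cannot be changed remotely. The addresses and host name are placeholders, and "LISTENER" is assumed to be the listener's name. This reduces exposure; it does not replace the patch.

```text
# sqlnet.ora -- before (constructed example: the default, no host filtering)
# With no TCP.VALIDNODE_CHECKING entry, any host that can reach the port
# can open a session with the listener.

# sqlnet.ora -- after (hardened; addresses and host name are placeholders)
TCP.VALIDNODE_CHECKING = YES
TCP.INVITED_NODES = (10.0.5.10, 10.0.5.11, appserver01.example.com)

# listener.ora -- refuse remote changes to the running listener's settings
# ("LISTENER" is the assumed listener name; use yours)
ADMIN_RESTRICTIONS_LISTENER = ON
```

Reload or restart the listener after editing these files so the new settings take effect, and confirm from an uninvited host that the connection is refused before relying on the control.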


"Customers of Oracle are advised to keep up to date with what is going on, and should regularly be doing assessments to ensure that they are up to date with the latest patches," Litchfield said.

Oracle said it knew about the vulnerabilities in February but waited to release a full fix rather than a partial fix to customers.

The nature of the August release has frustrated DBAs because at the time Oracle offered few details about the patch, said Arup Nanda, a security expert and Norwalk, Conn.-based DBA who is president of Proligence, an Oracle consultancy. The lack of information has forced DBAs to take entire systems out of production, Nanda said.

"We know that the patches eliminate vulnerabilities in the database server and the listener, in the application server and in the enterprise manager," Nanda said. "DBAs like to be absolutely certain that they need the patch and how much downtime is needed, and in this case, it is impossible to be certain because so little information is available."
