Oracle Corp.'s director of security product management is urging customers to install patches that will eliminate three security flaws in Oracle's application server software and its E-Business suite.
Calling the flaws "something to worry about," Oracle's John Heimann said that the two most serious vulnerabilities exist in Oracle's E-Business suite. Both vulnerabilities were given the highest of three threat ratings used by Oracle to assess its products' vulnerabilities.
The third vulnerability is a database flaw that was assigned a lower threat level because it can only be exploited by someone who already has access to the database, such as a database administrator.
David Litchfield, co-founder of Next Generation Security Software Ltd., which is based in Sutton, England, warned that the database buffer overflow should be repaired immediately. This can be done by installing the patch issued by Oracle or by disabling the EXTPROC functionality, he said.
"For those running Oracle, this is a critical vulnerability, and steps should be taken as soon as possible to mitigate the risk," Litchfield said.
The three vulnerabilities were discovered more than a month ago by Chris Anley of Integrigy Corp., a Chicago-based security consulting company specializing in customer relationship management (CRM) applications. Oracle has a policy not to release information about flaws until patches are developed.
Companies running Oracle 8i or 9i, releases 1 and 2, will be vulnerable, Heimann said.
"We're not aware of any customers having been exploited," Heimann said. "These are not the most significant vulnerabilities that I've seen, but they are worth worrying about and something that should be fixed."
The flaws in the E-Business suite are caused by a set of unsecured Java server pages (JSPs) and could allow any user to view the product's configuration and host-system information, Heimann said.
A patch for the flaw removes the security hole and requires users to sign on before viewing configuration information stored in the JSPs, he said.
The second E-Business suite flaw is a buffer overflow that could crash a component of the suite and potentially allow an attacker to run code, Heimann said.
The buffer overflow flaw is in FNDWRR, a common gateway interface program that lets customers view Oracle reports and log files through a Web browser. Attackers could use a Web browser and specially crafted URLs to create a buffer overflow, crippling FNDWRR.
It would require the exploit writer to have at least a minimal understanding of the protocol used by Oracle across the network and the ability to code the exploit to run arbitrary code.
"Although this makes exploiting the vulnerability sound fairly complex, all that it takes is for one person to write it and then distribute it, then everyone can exploit it," Litchfield said.