
Oracle 9i XML component vulnerable

By Ellen O'Brien, SearchOracle.com News Editor
25 Aug 2003 | SearchOracle.com


A set of buffer overflows in the XML component of Oracle Corp.'s 9i database makes it highly vulnerable to attack through a company intranet portal. Oracle is urging customers to immediately patch the vulnerabilities and to avoid connecting the database to the Internet until they have done so.

The vulnerability has the potential to allow an attacker complete control over data stored in the database. That means attackers could cause a denial-of-service attack or even capture a live 9i user session, according to the information Oracle has provided its customers.

Security expert Aaron Newman, chief technology officer at New York-based Application Security Inc., said that 9i users should not assume they are safe just because they have not connected their database to the Internet. Potential attackers are not limited to authenticated users, Newman said.

"Things often get by firewalls," Newman said. "I'm telling clients to first do the workarounds and then install the patches. I always like to do the workarounds first."

This week's 9i vulnerability is not as serious as the one Oracle users were introduced to three weeks ago, Newman said. The XML vulnerability only affects customers using Oracle 9i version 2.

"Last month's vulnerability affects nearly all the versions of Oracle," Newman said. "Honestly, not that many people are even using Oracle 9i version 2 yet. People don't have it in production yet."

Newman said that many Oracle 9i customers are still coping with last month's database vulnerability. "One of the problems is that you get a patch from Oracle, and it's very difficult to install, and a lot of [the] time it could break a lot of the features," he said.

"The vast majority of clients I see, they are really almost security naïve. Chances are that 80% of them have not applied the basic security patches."



To provide your feedback on this article, contact Ellen O'Brien.


