
Oracle 9i XML component vulnerable

By Ellen O'Brien, SearchOracle.com News Editor
25 Aug 2003 | SearchOracle.com


A set of buffer overflows in the XML component of Oracle Corp.'s 9i database makes it highly vulnerable to attack through a company intranet portal. Oracle is urging customers to immediately patch the vulnerabilities and to avoid connecting the database to the Internet until they have done so.

The vulnerability has the potential to allow an attacker complete control over data stored in the database. That means attackers could cause a denial-of-service attack or even capture a live 9i user session, according to the information Oracle has provided its customers.

Security expert Aaron Newman, chief technology officer at New York-based Application Security Inc., said that 9i users should not assume they are safe just because they have not connected their database to the Internet. Potential attackers are not limited to authenticated users, Newman said.

"Things often get by firewalls," Newman said. "I'm telling clients to first do the workarounds and then install the patches. I always like to do the workarounds first."

This week's 9i vulnerability is not as serious as the one Oracle users were introduced to three weeks ago, Newman said. The XML vulnerability only affects customers using Oracle 9i version 2.

"Last month's vulnerability affects nearly all the versions of Oracle," Newman said. "Honestly, not that many people are even using Oracle 9i version 2 yet. People don't have it in production yet."

Newman said that many Oracle 9i customers are still coping with last month's database vulnerability. "One of the problems is that you get a patch from Oracle, and it's very difficult to install, and a lot of [the] time it could break a lot of the features," he said.

"The vast majority of clients I see, they are really almost security naïve. Chances are that 80% of them have not applied the basic security patches."




