Security Flaws Found in Oracle DB, App Server
- By Stephen Swoyer
- February 07, 2002
Oracle Corp. suffered a security embarrassment this week when a U.K.-based security firm documented several serious vulnerabilities in the midst of Oracle's long-running "Unbreakable" marketing and advertising campaign.
"Contrary to claims by Oracle Corp. CEO Larry Ellison, Oracle9i is breakable," wrote David Litchfield, a founder of Next Generation Security Software Ltd. who documented the vulnerabilities.
Next Generation Security published a series of security advisories on Wednesday covering holes in Oracle's database and application servers. The problems affect Oracle 8 and Oracle9i. An accompanying white paper, which begins with Litchfield's "breakable" charge, details how to lock down an Oracle environment and points out several insecure default settings in Oracle's products. Litchfield also tempers his harsh words for the "Unbreakable" campaign by noting that it may relate to Oracle's 14 independent security evaluations, which leave "all of Oracle's competitors far behind."
Oracle simultaneously published security alerts of its own outlining fixes and workarounds that credit Litchfield.
In an official statement, Oracle said, "How a company responds to a bug is extremely important. Oracle responds as quickly as possible with information, patches and work-arounds that customers can apply. No Oracle customers have reported issues stemming from these bugs."
In the most serious of the vulnerabilities, an unauthorized user could gain access to data stored in Oracle 9i or execute operating system functions remotely without a username or password.
Next Generation Security’s disclosure has been a long time coming. The company’s co-founder, David Litchfield, allegedly first contacted Oracle about his findings in late 2001. Moreover, in early 2002, Litchfield provided details of potential Oracle 9i exploits to at least one publication, which prompted a flurry of discussion on SecurityFocus.com’s Bugtraq mailing list.
“Considering Oracle's client by default allows connected users to run arbitrary shell commands, it doesn't surprise me that vulnerabilities such as this exist,” wrote one Bugtraq poster in January.
Next Generation Security has identified at least five Oracle 9i-specific vulnerabilities, including:
- Multiple buffer overflow vulnerabilities in Oracle 9iAS’ PL/SQL Apache Module that could result in the execution of arbitrary code. Next Generation Security says that a non-overflow denial-of-service (DoS) attack also exists in the same module. On Windows NT 4.0 and Windows 2000 systems, the company advises, arbitrary code will run in the full SYSTEM context.
- A security flaw that could allow an attacker to gain access to the source code of a translated JSP page. Next Generation Security says that code of this kind could contain usernames, passwords and even critical business logic.
- A directory traversal issue, exploited by means of a buffer overflow attack, in Oracle 9iAS’ PL/SQL Apache Module that affects only Windows NT 4.0 and Windows 2000. An attacker who successfully exploits this vulnerability could execute code of her choice in the full SYSTEM context of the compromised server.
ENT editor Scott Bekker contributed to this report.
Stephen Swoyer is a Nashville, TN-based freelance journalist who writes about technology.