RealTime IT News

Oracle Warns of 'High Risk' Product Flaws

Data management heavyweight Oracle has issued an alert for "high risk" security flaws in several server products, warning that the vulnerabilities could lead to system access.

The Redwood City, Calif.-based firm said a range of the server products was affected by vulnerabilities in the OpenSSL protocol and can be exploited to allow information leakage, denial-of-service attacks and server takeover by malicious attackers.

Affected products include the Oracle HTTP Server 8.x, Oracle HTTP Server 9.x, Oracle8i Database, Oracle9i Application Server, Oracle9i Database Enterprise Edition and the Oracle9i Database Standard Edition.

The company warned that there was no workaround available, urging customers to apply specific patches (PDF file) to vulnerable systems.

The Oracle products are vulnerable to flaws detected earlier this year in OpenSSL, the popular open-source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

The SSL and TLS protocols are used to provide a secure connection between a client and a server for higher-level protocols, such as HTTP. According to the CERT Coordination Center, the OpenSSL flaws were mostly buffer overflows that occurred during the SSLv2 handshake process. A client can trigger them by presenting a malformed key during the handshake with an SSL server.

In October, the OpenSSL Project released new versions to fix the holes, which carried a "highly critical" rating.

The security holes were first detected by the U.K.-based National Infrastructure Security Coordination Centre (NISCC), which prepared a test suite to check the operation of SSL/TLS software when presented with a wide range of malformed client certificates.

The Centre's tests found that if OpenSSL was used in debug mode, an invalid public key in a certificate may cause the verify code to crash. This could also lead to a DoS against systems running in debug mode.