Oracle Warns of 'High Risk' Product Flaws
Data management heavyweight Oracle has issued an alert for "high risk" security flaws in several server products, warning that the vulnerabilities could lead to system access.
The Redwood City, Calif.-based firm said a range of the server products was affected by vulnerabilities in the OpenSSL protocol and can be exploited to allow information leakage, denial-of-service attacks
Affected products include the Oracle HTTP Server 8.x, Oracle HTTP Server 9.x, Oracle8i Database, Oracle9i Application Server, Oracle9i Database Enterprise Edition and the Oracle9i Database Standard Edition.
The company warned that there was no workaround available, urging customers to apply specific patches (PDF file) to vulnerable systems.
The SSL and TLS protocols are used to provide a secure connection between a client and a server for higher level protocols, such as HTTP. According to the CERT Coordination Center, the OpenSSL flaws were mostly buffer overflows that occurred during the SSLv2 handshake process. They can be exploited by a client using a malformed key during the handshake process with an SSL server connection.
In October, the OpenSSL Project released new versions to fix the holes, which carried a "highly critical" rating.
The security holes were first detected by the U.K.-based National Infrastructure Security Coordination Centre (NISCC), which prepared a test suite to check the operation of SSL/TLS software when presented with a wide range of malformed client certificates.
The Centre's tests found that if OpenSSL was used in debug mode, an invalid public key in a certificate may cause the verify code to crash. This could also lead to a DoS against systems running in debug mode.