RealTime IT News

Un-Patched Oracle Flaws Abound?

Oracle users may potentially be at risk from a half dozen vulnerabilities, even if they applied the company's latest patch released last week.

German security research Alexander Kornbrust of Red-Database-Security has issued six security advisories affecting Oracle Forms and Oracle Reports.

On the highly critical side, the vulnerabilities could allow a system to be compromised, provide for privilege escalation attacks or allow an attacker to overwrite arbitrary files. At the low end, the flaws could be used for cross site scripting attacks or information disclosure.

Kornbrust claims that he informed Oracle of the flaws as early as 2003. The security researcher alleges in his advisory timeline that Oracle was again notified in April and that if that flaws were not fixed in Oracle's July Critical Patch update, the flaws would go public.

On July 12, Oracle issued its quarterly Critical Patch Update, which included some 49 different matches for various flaws in various versions of its Enterprise Manager, Database server, Collaboration Suite, E-Business applications and Application Server products.

Oracle has not yet publicly addressed or confirmed Kornbrust's claims on its security Web site.

An Oracle spokesperson told internetnews.com that security is a matter Oracle takes seriously and Oracle's first priority is meeting customer needs and reducing their risk.

"When software flaws are discovered, Oracle responds as quickly as possible to help protect information secured by customers in Oracle-based information systems," the spokesperson said. "Oracle's policy is to fix security vulnerabilities in severity order –- higher severity vulnerabilities are fixed as a priority over lower severity vulnerabilities."

Oracle encourages customers and researchers to contact them as soon as they discover security vulnerabilities, the spokesperson explained.

"We believe the most effective way to protect customers is to avoid disclosing or publicizing vulnerabilities before a patch or workaround has been developed," the spokesperson said. "We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available."

Of the six advisories issued by Red-Database-Security, three are rated "High Risk." "Run any OS Command via unauthorized Oracle Forms" is one of the flaws reported by Red-Database-Security rated as being "high risk," a similar flaw exists in Oracle Reports.

"Oracle Reports starts reports executables (*.rep or *.rdf) from any directory and any user on the application server. These reports are executed as user Oracle or System (Windows)," the Red-Database Security advisory states. "An attacker which is able to upload a specially crafted reports executable to the application server is able to run any OS command or read and write text files on the application server.

"By using the report parameter with an absolute path it is possible to execute reports executables from ANY directory and ANY user," the advisory alleges.

"Overwrite any file via desname in Oracle Reports" is also rated as a highly critical vulnerability.

"By specifying a special value for the parameter desname, Oracle Reports can overwrite any file on the application server," the advisory states. According to the security researcher, the attack is so simple that it can be executed with a simple URL.

The desformat parameter in Oracle Reports also allegedly can lead to an information disclosure vulnerability.

"The Oracle Reports parameter desformat can read any file by using an absolute or relative file name," the advisory states. "Parts of the file content are displayed in the Reports error message. A different vulnerability in Oracle reports could allow an unauthorized user to read parts of any XML-file via a customized parameter."

The German security researcher also alleges that Oracle Reports is also at risk from various cross-site scripting vulnerabilities, which are rated "low risk."