
Multiple Security Flaws Found in Oracle Servers

Written by Thor Olavsrud
Mar 15, 2002

The Computer Emergency Response Team Coordination Center (CERT/CC) Friday warned of nearly 20 vulnerabilities discovered in Oracle servers.


Found by David Litchfield of NGSSoftware, the vulnerabilities include buffer overflows, insecure default settings, failure to enforce access controls and failure to validate input. CERT said the vulnerabilities could allow the execution of arbitrary commands or code, denial of service and unauthorized access to sensitive information.

Oracle has patched the vulnerabilities and recommended configuration changes. The patches may be found in Oracle Security Alert #28 and Oracle Security Alert #25, as well as on the MetaLink Web site (registration required). More security and patch information may be found here.

CERT warned of several buffer-overflow vulnerabilities in the way the PL/SQL module handles HTTP requests and configuration
parameters. CERT said the default configuration settings in a range of components are insecure, and different components fail to
apply access restrictions uniformly, exposing systems running Oracle Application Server and the information held in the underlying
databases to risk. Two more buffer overflow vulnerabilities exist in code that processes configuration parameters that can be
specified via the PL/SQL gateway Web administration interface. CERT said that by default, access to the PL/SQL gateway Web
administration interface is not restricted.
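The buffer-overflow class CERT describes in the PL/SQL module is a request-supplied value (an HTTP header or a configuration parameter) copied into a fixed-size buffer with no length check. The following is an added illustration, not code from Oracle, CERT or NGSSoftware: the unsafe copy is shown for contrast beside a bounded replacement that refuses over-long values instead of truncating them, and the request strings, the `PARAM_MAX` size and the function names are constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Added example (not Oracle's, CERT's or NGSSoftware's code). The bug class
 * in the advisory is a request-supplied value copied into a fixed buffer
 * without a bound. copy_param_unsafe() models that pattern for contrast;
 * copy_param_bounded() and header_value_bounded() are the bounded form.
 * Buffer size and request strings below are constructed for illustration. */

#define PARAM_MAX 64   /* assumed size of the buffer holding one value */

/* Unsafe pattern: strcpy trusts the caller-controlled length. A value of
 * PARAM_MAX bytes or more writes past the end of `dst` (stack overflow).
 * Kept only for comparison; nothing in this file calls it. */
void copy_param_unsafe(char dst[PARAM_MAX], const char *src) {
    strcpy(dst, src);
}

/* Bounded copy: refuses a value that would not fit together with its
 * terminator and always leaves `dst` NUL-terminated. 0 = ok, -1 = rejected. */
int copy_param_bounded(char dst[PARAM_MAX], const char *src, size_t len) {
    if (len >= PARAM_MAX) {      /* no room for value + '\0': reject, do not truncate */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len);
    dst[len] = '\0';
    return 0;
}

/* Find header `name` at the start of a request line and copy its value
 * through the bound above. 0 = found and copied, -1 = absent or too long. */
int header_value_bounded(const char *request, const char *name,
                         char out[PARAM_MAX]) {
    size_t nlen = strlen(name);
    const char *line = request;
    out[0] = '\0';
    while (*line) {
        const char *eol = strpbrk(line, "\r\n");
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && strncmp(line, name, nlen) == 0 && line[nlen] == ':') {
            const char *v = line + nlen + 1;
            const char *end = line + llen;
            while (v < end && *v == ' ') v++;     /* skip optional whitespace */
            return copy_param_bounded(out, v, (size_t)(end - v));
        }
        if (!eol) break;
        line = eol;
        while (*line == '\r' || *line == '\n') line++;
    }
    return -1;
}

/* Constructed requests: a normal one and one whose Host value is 80 bytes. */
static const char *NORMAL_REQUEST =
    "GET /pls/demo/index HTTP/1.0\r\n"
    "Host: db.example.test\r\n"
    "\r\n";

static const char *OVERLONG_REQUEST =
    "GET /pls/demo/index HTTP/1.0\r\n"
    "Host: " "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA"
             "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "AAAAAAAAAA" "\r\n"
    "\r\n";

/* Returns 1 when the normal Host value is extracted intact. */
int check_normal_request(void) {
    char host[PARAM_MAX];
    return header_value_bounded(NORMAL_REQUEST, "Host", host) == 0 &&
           strcmp(host, "db.example.test") == 0;
}

/* Returns 1 when the over-long Host value is refused and `host` left empty. */
int check_overlong_request(void) {
    char host[PARAM_MAX];
    return header_value_bounded(OVERLONG_REQUEST, "Host", host) == -1 &&
           host[0] == '\0';
}

int main(void) {
    printf("normal request parsed: %s\n", check_normal_request() ? "yes" : "no");
    printf("over-long value rejected: %s\n", check_overlong_request() ? "yes" : "no");
    return 0;
}
```

The design point is that the bounded version rejects rather than truncates: silently cutting a value to 63 bytes can turn one name into another, which is its own access-control problem, so a gateway should return an error for input that does not fit.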


There are also multiple insecure configuration settings — such as well-known default passwords and unrestricted access to
applications and sensitive information — in the default installation of Oracle Application Server. Additionally, Oracle Application
Server does not uniformly enforce access restrictions, as different components do not adequately check authorization before granting
access to protected resources. Litchfield also found one instance where the PL/SQL module doesn’t properly handle a malformed HTTP
request.
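Two of the configuration findings above, an administration interface that is reachable by default and components that each apply their own, inconsistent authorization checks, share one remedy: route every component through a single deny-by-default gate. The program below is an added example written for this article, not Oracle's code; its policy table, paths, roles, principals and the list of default credentials are all constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>

/* Added example (not Oracle's code): one authorization gate that every
 * component calls before serving a protected path, with deny-by-default for
 * anything the policy does not list. Policy table, paths, roles, principals
 * and the default-credential list are constructed for illustration. */

typedef enum { ROLE_ANON = 0, ROLE_USER = 1, ROLE_ADMIN = 2 } role_t;

struct principal { const char *name; role_t role; };
struct rule      { const char *prefix; role_t min_role; };

/* Single policy table. The administration interface requires ROLE_ADMIN;
 * a path matching no rule is refused. */
static const struct rule POLICY[] = {
    { "/pls/public/", ROLE_ANON  },
    { "/pls/app/",    ROLE_USER  },
    { "/pls/admin_/", ROLE_ADMIN },
};

/* The one gate: longest-prefix match against POLICY; no match means deny.
 * A NULL principal is an unauthenticated (anonymous) caller. */
bool authorize(const struct principal *who, const char *path) {
    const struct rule *best = NULL;
    size_t best_len = 0;
    for (size_t i = 0; i < sizeof POLICY / sizeof POLICY[0]; i++) {
        size_t plen = strlen(POLICY[i].prefix);
        if (strncmp(path, POLICY[i].prefix, plen) == 0 && plen > best_len) {
            best = &POLICY[i];
            best_len = plen;
        }
    }
    if (best == NULL)
        return false;                              /* deny by default */
    role_t role = who ? who->role : ROLE_ANON;
    return role >= best->min_role;
}

/* Two "components" serving different paths. Both call authorize() instead
 * of carrying their own, possibly weaker, checks. */
bool serve_application(const struct principal *who, const char *path) {
    if (!authorize(who, path)) return false;
    /* ... run the application procedure ... */
    return true;
}

bool serve_admin_console(const struct principal *who, const char *path) {
    if (!authorize(who, path)) return false;
    /* ... render the administration page ... */
    return true;
}

/* Constructed list of well-known shipped credentials that must be changed
 * before an account may log in; a real deployment loads the vendor's list. */
static const struct { const char *user, *password; } DEFAULT_CREDS[] = {
    { "demo_user", "changeme" },
    { "gateway",   "gateway"  },
};

/* Refuse a login that still uses a shipped default, even if it is correct. */
bool login_allowed(const char *user, const char *password) {
    for (size_t i = 0; i < sizeof DEFAULT_CREDS / sizeof DEFAULT_CREDS[0]; i++)
        if (strcmp(user, DEFAULT_CREDS[i].user) == 0 &&
            strcmp(password, DEFAULT_CREDS[i].password) == 0)
            return false;
    return true;
}

/* Constructed principals used by main() and by the checks below. */
static const struct principal USER_EXAMPLE  = { "app_bob",   ROLE_USER  };
static const struct principal ADMIN_EXAMPLE = { "dba_alice", ROLE_ADMIN };

int main(void) {
    printf("anonymous -> admin console: %s\n",
           serve_admin_console(NULL, "/pls/admin_/config") ? "allowed" : "denied");
    printf("app_bob   -> admin console: %s\n",
           serve_admin_console(&USER_EXAMPLE, "/pls/admin_/config") ? "allowed" : "denied");
    printf("dba_alice -> admin console: %s\n",
           serve_admin_console(&ADMIN_EXAMPLE, "/pls/admin_/config") ? "allowed" : "denied");
    printf("login demo_user/changeme: %s\n",
           login_allowed("demo_user", "changeme") ? "allowed" : "refused");
    return 0;
}
```

Because the gate is the only place policy is evaluated, adding a component cannot silently weaken access control, and an unlisted path is refused rather than served, which is the opposite of the shipped-open default the advisory describes.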


CERT said some of the vulnerabilities could allow execution with the privileges of the Apache process. On UNIX systems, the Apache process usually runs as the “oracle” user, and on Windows systems the Apache process typically runs as the SYSTEM user. In either case, exploiting these vulnerabilities would give an attacker complete control of the system.
