Multiple Security Flaws Found in Oracle Servers

The Computer Emergency Response Team Coordination Center (CERT/CC) Friday warned of nearly 20 vulnerabilities discovered in Oracle servers.


Found by David Litchfield of NGSSoftware, the vulnerabilities include buffer overflows, insecure default settings, failures to
enforce access controls and failure to validate input. CERT said the vulnerabilities could allow the execution of arbitrary commands
or code, denial of service and unauthorized access to sensitive information.

Oracle has patched the vulnerabilities and recommended configuration changes. The patches may be found in Oracle Security Alert #28 and Oracle Security Alert #25, as well as on the MetaLink Web site (registration required). More security and patch information may be found here.

CERT warned of several buffer-overflow vulnerabilities in the way the PL/SQL module handles HTTP requests and configuration
parameters. CERT said the default configuration settings in a range of components are insecure, and different components fail to
apply access restrictions uniformly, exposing systems running Oracle Application Server and the information held in the underlying
databases to risk. Two more buffer overflow vulnerabilities exist in code that processes configuration parameters that can be
specified via the PL/SQL gateway Web administration interface. CERT said that by default, access to the PL/SQL gateway Web
administration interface is not restricted.
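One way to close the unrestricted administration interface described above, as an added example that is not from the article, CERT or Oracle: an Apache 1.3-style access rule for the Oracle HTTP Server configuration. It assumes the PL/SQL gateway admin pages are served under a path of the form /pls/<DAD>/admin_/; DAD_NAME, the htpasswd path, the account name and the 10.0.0.0/8 network are placeholders to replace with the values from your own install.

```apache
# Added example (not from the article or Oracle): restrict the PL/SQL gateway
# administration interface rather than leaving it open as the default install does.
# Assumption: the interface lives under /pls/<DAD>/admin_/ ; DAD_NAME, the
# htpasswd path, the account name and the network below are placeholders.
<Location /pls/DAD_NAME/admin_/>
    # Apache 1.3 syntax (the Oracle HTTP Server of that era): deny everyone,
    # then allow only the local host and the administration network.
    Order deny,allow
    Deny from all
    Allow from 127.0.0.1
    Allow from 10.0.0.0/8

    # Require a named administrator account on top of the network restriction.
    AuthType Basic
    AuthName "PL/SQL Gateway Administration"
    AuthUserFile /path/to/htpasswd
    Require user gateway_admin

    # Both the address check and the login must pass (Satisfy All is the
    # default, stated here so the intent is explicit).
    Satisfy All
</Location>
```

After restarting the HTTP server, a request for the admin path from outside the allowed network should be refused with 403, and one from inside should be challenged for credentials before any page is served.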


There are also multiple insecure configuration settings — such as well-known default passwords and unrestricted access to
applications and sensitive information — in the default installation of Oracle Application Server. Additionally, Oracle Application
Server does not uniformly enforce access restrictions, as different components do not adequately check authorization before granting
access to protected resources. Litchfield also found one instance where the PL/SQL module doesn’t properly handle a malformed HTTP
request.


CERT said some of the vulnerabilities could allow execution with the privileges of the Apache process. On UNIX systems, the Apache
process usually runs as the “oracle” user, and on Windows systems it typically runs as the SYSTEM user. In either case, exploiting
these vulnerabilities would give an attacker complete control of the system.
