Security Bugs in Oracle, Lotus Products

A British security research firm has released a slew of security warnings
for flaws in enterprise products from Oracle and IBM’s
Lotus.

Security advisories from NGSSoftware
warned of six serious flaws in components of Oracle’s database server
software, including four “critical” buffer overrun vulnerabilities.

Oracle has released patches for the flaws, which also affect its newest
Oracle 9i Application Server, which is specially designed to integrate with
an Oracle backend database server. One of the more serious vulnerabilities
is a format string bug that would let an attacker overwrite arbitrary
addresses with arbitrary values and gain complete control of the Web server.
(Download patch here).

Another “high risk” alert was issued for a bfilename function
buffer overflow vulnerability which affects Oracle9i Database Release 2, 9i
Release 1, 8i, 8.1.7 and 8.0.6. (Download patch here).

NGSSoftware also issued security alerts for flaws in Lotus 6, Lotus
iNotes Client, Lotus Domino Web Server iNotes and Lotus Domino Web Server
Host.

The vulnerabilities include a “critical risk” flaw in Lotus Domino that
could lead to a denial-of-service attack and a buffer overflow bug in iNotes
that can be exploited by an attacker to run code in the security context of
the account running the Domino Web Services.
